cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
585
Views
0
Helpful
1
Replies

netflow record with invalid IP address

jackson.ku
Level 3
Level 3

Hi,

We have Cisco7609 router with Sup720-3B, IOS version is 12.2SX(17). We used Netsocout probe to recive and analyze netflow statistics, but the router seems not send correct netflow packets to the probe. We captured netflow packets send from Cisco7609 and found the flow records are not valid. There is either empty source ip or destination ip. And some other fields like source port, destination port are invalid. The following are netflow related configuration on Cisco7609. Can you please help to solve this problem?

Best Regards,

mls ip multicast flow-stat-timer 9

mls aging fast time 8 threshold 128

mls aging long 1024

mls aging normal 2048

no mls flow ip

no mls flow ipv6

mls nde sender version 5

mls qos

mls cef error action freeze

ip flow-export source GigabitEthernet3/1

ip flow-export version 5 origin-as

ip flow-export destination x.x.x.x 9806

interface GigabitEthernet3/1

ip address x.x.x.x 255.255.255.252

no ip redirects

no ip proxy-arp

ip route-cache flow

load-interval 30

speed nonegotiate

service-policy input download-all_emax-2

hold-queue 1024 in

hold-queue 1024 out

interface GigabitEthernet3/2

no ip address

load-interval 30

switchport

switchport access vlan 96

switchport mode access

channel-group 1 mode on

interface GigabitEthernet3/4

ip address x.x.x.x 255.255.255.252

ip route-cache flow

load-interval 30

no cdp enable

service-policy input download-all_emax-2

interface GigabitEthernet3/7

ip address x.x.x.x 255.255.255.252

no ip redirects

ip route-cache flow

load-interval 30

speed nonegotiate

no cdp enable

service-policy input download-all_emax-2

interface Vlan96

ip address x.x.x.x 255.255.255.0

ip route-cache flow

1 Reply 1

drolemc
Level 6
Level 6

These are the reasons for IP Flow does not show the source and destination IP address.

1. The packets are blocked by an ACL.

2. The packets are being process switched.

3. Multicast traffic

4. Packets destined for the router

5. Tunnels (IPIP, GRE, IPSEC, L2TP) & WCCP

6. Static route to null0

7. DstIf is NULL when the traffic is dropped because of CAR.

In order to avoid this issue, use the ip flow ingress infer-fields command in order to enable Netflow with inferred input/output interfaces and source/destination informations.

For further information click this link.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080721701.shtml#dst

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: