Netflow question

Answered Question

Hi,

I configured netflow on a router 1841, which has two Ethernet interfaces in use. On the interface FE0/1, I enabled netflow; on FE0, I didn't. But when I use my application to look at the traffic, it shows the traffic on FE0/0. Why?

Thanks,

Han

interface FastEthernet0/0
 description Connected to
 ip address 10.X.X.5 255.255.255.0 secondary
 ip address 10.X.X.5 255.255.255.0
 speed 100
 full-duplex
end

interface FastEthernet0/1
 description Connected to sib-b32-sw2 Fa0/8
 ip address 10.x.x.202 255.255.255.252
 ip route-cache flow
 ip tcp adjust-mss 1400
 speed 100
 full-duplex
 crypto map abc-map
end

Joseph W. Doherty Thu, 05/07/2009 - 04:06

From your partial config, it looks more like you've enabled flow caching on one interface rather than netflow (statistics).

What is your "application" looking at? The flow cache or netflow stats?

Giuseppe Larosa Thu, 05/07/2009 - 04:44

Hello Han,

You should see traffic statistics about traffic inbound fas0/1 locally on the router itself.

Verify if the field where you see f0/0 is the outgoing interface.

Hope to help

Giuseppe

Correct Answer
Giuseppe Larosa Thu, 05/07/2009 - 11:43

Hello Han,

So you are using an external tool that collects netflow data exported by the router.

Be aware that among the exported data there are the following:

NetFlow Flows: Key Fields

A network flow is identified as a unidirectional stream of packets between a given source and destination; both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following key fields:

•Source IP address
•Destination IP address
•Source port number
>>>•Destination port number
•Layer 3 protocol type
•Type of service (ToS)
•Input logical interface

These seven key fields define a unique flow.

See

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/get_start_cfg_nflow_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1056621

So even if netflow is enabled only on f0/1, you can see f0/0 on reports for sure if it is the only exit point from the router to the outside world.

The tool, from the SNMP ifIndex = destination port number, can easily show f0/0 on reports.

Notice that Joseph had explained this.

Hope to help

Giuseppe

Correct Answer
Joseph W. Doherty Thu, 05/07/2009 - 05:05

Yes, the command to activate flow cache on an interface also activates the netflow stats. However, there are other options for "managing" netflow stats, not shown in your partial config. These might impact what your "app" "sees".

Coming back to your original question, although you've only activated netflow on one interface, I believe the stats will note the other interface used by the flow (SrcIf and DstIf), although flow direction is important (and dependent on other [later IOS] netflow configuration options).

Joseph W. Doherty Thu, 05/07/2009 - 11:51

A flow enters an interface and leaves an interface, the source interface (arrival/ingress) and the destination interface (departure/egress). Even though you've only activated netflow on one interface, it provides information on two interfaces. This is likely why you're seeing netflow stats for the interface you haven't activated netflow on.
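
What the replies above describe, as an added example that is not part of the original thread: a minimal Python parser for a NetFlow version 5 export datagram, showing that every record carries both an input and an output SNMP ifIndex, so flows cached on Fa0/1 still name Fa0/0 as their egress interface. It assumes the router exports version 5; the ifIndex-to-name mapping (1 = Fa0/0, 2 = Fa0/1), the addresses and the sample datagram are constructed.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record
# Assumed SNMP ifIndex values; read the real ones from the router.
IFNAMES = {1: "FastEthernet0/0", 2: "FastEthernet0/1"}

def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 export datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header count exceeds datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "input": r[3], "output": r[4], "octets": r[6],
                      "sport": r[9], "dport": r[10], "proto": r[13]})
    return flows

def bytes_per_interface(flows):
    """Total octets per (interface, direction), the way a collector reports them."""
    totals = Counter()
    for f in flows:
        totals[(IFNAMES.get(f["input"], f"ifIndex {f['input']}"), "in")] += f["octets"]
        totals[(IFNAMES.get(f["output"], f"ifIndex {f['output']}"), "out")] += f["octets"]
    return totals

def sample_datagram():
    """Constructed export: two TCP flows that entered Fa0/1 and left via Fa0/0."""
    def rec(src, dst, octets, sport, dport):
        return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                              bytes(4), 2, 1, 10, octets, 0, 0, sport, dport,
                              0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    body = rec("192.0.2.10", "198.51.100.7", 1500, 40000, 443)
    body += rec("192.0.2.11", "198.51.100.7", 4000, 40001, 80)
    return V5_HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    for key, octets in sorted(bytes_per_interface(parse_v5(sample_datagram())).items()):
        print(key, octets)
```

A collector that charts traffic by the output field will show FastEthernet0/0 even though only FastEthernet0/1 has flow caching enabled.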

Joseph W. Doherty Fri, 05/08/2009 - 03:01

"By the way, how does Netflow manage the info on a router? "

Unsure what you're exactly asking. Netflow maintains a cache. However the first packet of a flow was treated, subsequent flow packets are provided the same final end result, w/o all the recurring processing. For instance, I believe if an ACL is involved, the ACL is applied to the packet's first packet and just the result is applied to subsequent packets.

Besides saving processing resources for a packet, netflow accumulates stats on the flow. These can be summarized and/or exported in different ways.
