05-06-2009 10:48 PM - edited 03-04-2019 04:40 AM
Hi,
I configured netflow a router 1841, which have two Ethernet interfaces in work. on the interface FE0/1, I enabled netflow, on FE0, i didnt. but when I use my application to look the traffic, it shows the traffic on FE0/0. why?
thanks,
Han
interface FastEthernet0/0
description Connected to
ip address 10.X.X.5 255.255.255.0 secondary
ip address 10.X.X.5 255.255.255.0
speed 100
full-duplex
end
interface FastEthernet0/1
description Connected to sib-b32-sw2 Fa0/8
ip address 10.x.x.202 255.255.255.252
ip route-cache flow
ip tcp adjust-mss 1400
speed 100
full-duplex
crypto map abc-map
end
Solved! Go to Solution.
05-07-2009 05:05 AM
Yes, the command to activate flow cache on an interface also activates the netflow stats. However, there are other options for "managing" netflow stats, not shown in your partial config. These might impact what your "app" "sees".
Coming back to your original question, although you've only activated netflow on one interface, believe stats will note other interface used by flow (SrcIf and DstIf), although flow direction important (and dependent on other [later IOS] netflow configuration options).
05-07-2009 11:43 AM
Hello Han,
so you are using an external tool that collects netflow data exported by the router.
Be aware that among the exported data there are the following:
NetFlow Flows: Key Fields
A network flow is identified as a unidirectional stream of packets between a given source and destination-both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following key fields:
â¢Source IP address
â¢Destination IP address
â¢Source port number
>>>â¢Destination port number
â¢Layer 3 protocol type
â¢Type of service (ToS)
â¢Input logical interface
These seven key fields define a unique flow.
see
So even if netflow is enabled only on f0/1 you can see f0/0 on reports for sure if it is the only exit point from router to outside world.
the tool from the snmp ifindex = destination port number can easily show f0/0 on reports.
Notice that Joseph had explained this.
Hope to help
Giuseppe
05-07-2009 04:06 AM
From your partial config, it looks more like you've enabled flow caching on one interface rather than netflow (statistics).
What is your "application" looking at? The flow cache or netflow stats?
05-07-2009 04:40 AM
traffic volume and traffic percentage in protocol level. flow cache is the command to enable netflow on physical level, right?
thanks,
Han
05-07-2009 04:44 AM
Hello Han,
you should see traffic statistics about traffic inbound fas0/1 locally on the router itself.
verify if the field where you see f0/0 is the outgoing interface.
Hope to help
Giuseppe
05-07-2009 11:36 AM
Giuseppe
f0/0 is to outside switch, f0/1 is to a small switch that connects to a couple of server PCs.
I do see both on our Mazu, the traffic application, that uses Netflow. Strange, huh?
thanks,
Han
05-07-2009 11:43 AM
Hello Han,
so you are using an external tool that collects netflow data exported by the router.
Be aware that among the exported data there are the following:
NetFlow Flows: Key Fields
A network flow is identified as a unidirectional stream of packets between a given source and destination-both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following key fields:
â¢Source IP address
â¢Destination IP address
â¢Source port number
>>>â¢Destination port number
â¢Layer 3 protocol type
â¢Type of service (ToS)
â¢Input logical interface
These seven key fields define a unique flow.
see
So even if netflow is enabled only on f0/1 you can see f0/0 on reports for sure if it is the only exit point from router to outside world.
the tool from the snmp ifindex = destination port number can easily show f0/0 on reports.
Notice that Joseph had explained this.
Hope to help
Giuseppe
05-07-2009 05:05 AM
Yes, the command to activate flow cache on an interface also activates the netflow stats. However, there are other options for "managing" netflow stats, not shown in your partial config. These might impact what your "app" "sees".
Coming back to your original question, although you've only activated netflow on one interface, believe stats will note other interface used by flow (SrcIf and DstIf), although flow direction important (and dependent on other [later IOS] netflow configuration options).
05-07-2009 11:38 AM
Thanks,
"believe stats will note other interface used by flow (SrcIf and DstIf), "
How so? please explain a little.
Han
05-07-2009 11:51 AM
A flow enters an interface and leaves an interface, the source interface (arrival/ingress) and the destination interface (departure/egress). Even though you've only activated netflow on one interface, it provides information on two interfaces. This is likely why you're seeing netflow stats for the interface you haven't activated netflow on.
05-07-2009 12:08 PM
Joe:
As a matter of fact, I can the vlan interface on the application as well.
By the way, how does Netflow manage the info on a router?
Thanks,
Han
05-08-2009 03:01 AM
"By the way, how does Netflow manage the info on a router? "
Unsure what you're exactly asking. Netflow maintains a cache. However the first packet of a flow was treated, subsequent flow packets are provided the same final end result, w/o all the reoccuring processing. For instance, I believe if an ACL is involved, the ACL is applied to the packet's first packet and just the result is applied to subsequent packets.
Besides saving processing resources for a packet, netflow accumulates stats on the flow. These can be summarized and/or exported in different ways.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: