cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
855
Views
0
Helpful
10
Replies

Netflow question

wuh
Level 1
Level 1

Hi,

I configured netflow a router 1841, which have two Ethernet interfaces in work. on the interface FE0/1, I enabled netflow, on FE0, i didnt. but when I use my application to look the traffic, it shows the traffic on FE0/0. why?

thanks,

Han

interface FastEthernet0/0

description Connected to

ip address 10.X.X.5 255.255.255.0 secondary

ip address 10.X.X.5 255.255.255.0

speed 100

full-duplex

end

interface FastEthernet0/1

description Connected to sib-b32-sw2 Fa0/8

ip address 10.x.x.202 255.255.255.252

ip route-cache flow

ip tcp adjust-mss 1400

speed 100

full-duplex

crypto map abc-map

end

2 Accepted Solutions

Accepted Solutions

Yes, the command to activate flow cache on an interface also activates the netflow stats. However, there are other options for "managing" netflow stats, not shown in your partial config. These might impact what your "app" "sees".

Coming back to your original question, although you've only activated netflow on one interface, believe stats will note other interface used by flow (SrcIf and DstIf), although flow direction important (and dependent on other [later IOS] netflow configuration options).

View solution in original post

Hello Han,

so you are using an external tool that collects netflow data exported by the router.

Be aware that among the exported data there are the following:

NetFlow Flows: Key Fields

A network flow is identified as a unidirectional stream of packets between a given source and destination-both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following key fields:

•Source IP address

•Destination IP address

•Source port number

>>>•Destination port number

•Layer 3 protocol type

•Type of service (ToS)

•Input logical interface

These seven key fields define a unique flow.

see

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/get_start_cfg_nflow_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1056621

So even if netflow is enabled only on f0/1 you can see f0/0 on reports for sure if it is the only exit point from router to outside world.

the tool from the snmp ifindex = destination port number can easily show f0/0 on reports.

Notice that Joseph had explained this.

Hope to help

Giuseppe

View solution in original post

10 Replies 10

Joseph W. Doherty
Hall of Fame
Hall of Fame

From your partial config, it looks more like you've enabled flow caching on one interface rather than netflow (statistics).

What is your "application" looking at? The flow cache or netflow stats?

traffic volume and traffic percentage in protocol level. flow cache is the command to enable netflow on physical level, right?

thanks,

Han

Hello Han,

you should see traffic statistics about traffic inbound fas0/1 locally on the router itself.

verify if the field where you see f0/0 is the outgoing interface.

Hope to help

Giuseppe

Giuseppe

f0/0 is to outside switch, f0/1 is to a small switch that connects to a couple of server PCs.

I do see both on our Mazu, the traffic application, that uses Netflow. Strange, huh?

thanks,

Han

Hello Han,

so you are using an external tool that collects netflow data exported by the router.

Be aware that among the exported data there are the following:

NetFlow Flows: Key Fields

A network flow is identified as a unidirectional stream of packets between a given source and destination-both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following key fields:

•Source IP address

•Destination IP address

•Source port number

>>>•Destination port number

•Layer 3 protocol type

•Type of service (ToS)

•Input logical interface

These seven key fields define a unique flow.

see

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/get_start_cfg_nflow_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1056621

So even if netflow is enabled only on f0/1 you can see f0/0 on reports for sure if it is the only exit point from router to outside world.

the tool from the snmp ifindex = destination port number can easily show f0/0 on reports.

Notice that Joseph had explained this.

Hope to help

Giuseppe

Yes, the command to activate flow cache on an interface also activates the netflow stats. However, there are other options for "managing" netflow stats, not shown in your partial config. These might impact what your "app" "sees".

Coming back to your original question, although you've only activated netflow on one interface, believe stats will note other interface used by flow (SrcIf and DstIf), although flow direction important (and dependent on other [later IOS] netflow configuration options).

Thanks,

"believe stats will note other interface used by flow (SrcIf and DstIf), "

How so? please explain a little.

Han

A flow enters an interface and leaves an interface, the source interface (arrival/ingress) and the destination interface (departure/egress). Even though you've only activated netflow on one interface, it provides information on two interfaces. This is likely why you're seeing netflow stats for the interface you haven't activated netflow on.

Joe:

As a matter of fact, I can the vlan interface on the application as well.

By the way, how does Netflow manage the info on a router?

Thanks,

Han

"By the way, how does Netflow manage the info on a router? "

Unsure what you're exactly asking. Netflow maintains a cache. However the first packet of a flow was treated, subsequent flow packets are provided the same final end result, w/o all the reoccuring processing. For instance, I believe if an ACL is involved, the ACL is applied to the packet's first packet and just the result is applied to subsequent packets.

Besides saving processing resources for a packet, netflow accumulates stats on the flow. These can be summarized and/or exported in different ways.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco