cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
741
Views
0
Helpful
4
Replies

Netflow on 2 interfaces

usuario0001
Level 1
Level 1

Hi,

I'm trying to configure Netflow on 2 router interfaces. I configure the first one, but when I add the commands to configure the second one the command for the first one dissapears. This is the configuration:

!

Interface Fastethernet0/0

ip address xxx.xxx.xxx.xxx 255.255.255.0

ip access-group 14 out

ip nat outside

ip virtual-reassembly

ip route-cache flow

load-interval 30

duplex auto

spped auto

!

Interface Vlan1

ip address xxx.xxx.xxx.xxx 255.255.255.0

ip nat inside

ip virtual-reassembly

ip route-cache flow

load-interval 30

!

ip flow-export destination 192.168.4.101 9996

ip flow-export source FastEthernet 0/0

ip flow-export version 5

ip flow-cache timeout active 1

ip flow-cache timeout inactive 15

snmp-server ifindex persist

With this configuration I can see Interface Fa0/0 but when I add:

ip flow-export source Vlan1

dessapears:

ip flow-export source FastEthernet 0/0

Is it possible to see both interfaces 'Active' on Netflow Analyzer at a time?

Thanks in advance

4 Replies 4

Edison Ortiz
Hall of Fame
Hall of Fame

They are active as soon as you have 'ip route-cache flow' under the interface.

The command you are questioning, it's just changing the source interface that is going to be used to send this information to the collector.

If you don't enter any 'ip flow-export source' it will use the interface that is closest to the NetFlow collector. By entering the command, you are forcing the source to be X interface which is useful if you have FWs in the transit path and just want to allow that IP address in the rules.

HTH,

__

Edison.

But if so you can only send traffic from one interface to the collector at a time, is that correct?

No, that's not correct.

Per your configuration, both interfaces are collecting NetFlow traffic and storing that information to a local NetFlow database.

After a certain amount of traffic is collected locally, this information is sent to the NetFlow collector and when sending this information to the NetFlow collector an interface will be used. The interface is specified with the command in question. The command is optional and NetFlow will work without it unless you have FWs in the transit path that expect traffic from X sources.

In short, you can send 'NetFlow Information' from a specified interface but all interfaces with 'ip route-cache flow' will be reporting to this collector.

Marian

While the answer from Edison is essentially correct I can see that it could be slightly confusing to those who do not already understand what IOS is doing. I would suggest that a slight change in his response would be less confusing. Edison says:"it's just changing the source interface that is going to be used to send this information to the collector." Actually what is specified is not what interface to use but is specifying what source address is to be used in the NetFlow packet. It is quite possible for Cisco to use the address of FastE0/0 and to send the packet out the interface FastE0/1.

So the command that you question is not specifying what interface to use and is specifying what source address to use.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: