Correct netflow configuration needed

steelysan · ‎07-05-2009

hello all,

i'm new in here.need some information on Netflow configuration on a cisco 28xx router with 12.4 SP IOS.

This router is the access in to a customer data center and im trying to help them by providing application wise BW utilisation on a 10 Mbps pipe terminating on this router from the ISP. This is Metro Ethernet link from the ISP.

The current netflow configuration on the router is as follows:

----------------------------------------

router (config)# ip flow-export source fastethernet 0/0

router(config)# ip flow-export version 5

router(config)# ip flow-export destination 77.77.77.6 2055

router(config) int fastethernet 0/0

router(config-if)#ip flow ingress

router(config-if)#ip flow egress

router(config-if)#ip route-cache flow

----------------------------------------

fa0/0 is the single point of entry into customer network and it makes sense to deploy the Netflow export on that interface to see all ingress and egress traffic.

My Observation over the past few days were that the SNMP BW util report provided by the ISP as well as the 5 min out put rate on the fa0/0 interface on the router does not match the netflow BW shown by the Anaylser. The avg utilisation of the 10 Mbps link is around 50% (i.e 5 Mbps) but the Netflow report shows a different picture.

So i wanted to know from the experts,

1) is my netflow config on the router correct?

2) i suspect its not exporting everythin seen on the interface. All Layer 2, 3 traffic perhaps? May be im only seeing some filtered traffic?

3) Recommendations for netflow configuration that can export all possible traffic on that interface so that the netflow BW util report matches what is seen by SNMP.

Any help really appreciated so as to solve the customer issue of visibility into what is eating up the BW of his 10 Mbps link.

Many thanks!

Lucien Avramov · ‎07-05-2009

Your netflow config seems right.

Do you have any vpn / ipsec communication via this router ? That will not be seen by netflow. How much is the discrepancy between snmp and netflow ?

There are no l2 commands for netflow on a 2800 router as this is a router and not a switch.

steelysan · ‎07-05-2009

Thanks!

Quite large actually.Attached are two screenshots to illustrate what i mean. I was asking of L2 traffic because this is an ethernet link we are monitoring.

Thanks

Lucien Avramov · ‎07-06-2009

I suspect your link to the ISP to use PPP encapsulation. In that case most of the traffic going out will be L2 and you will not be able to monitor it via netflow.

steelysan · ‎07-06-2009

Hello Thanks. I need to check on the PPP encapsulation. Whats the alternative if i need to capture all traffic (assuming im indeed missing some of the encapsulated traffic). There is a switch (Catalyst) further downstream to the router (in the data center). I guess i need to tap the flow there?

Do let me know and many thanks again lavramov!

Lucien Avramov · ‎07-06-2009

You can monitor the netflow ingress on the PPP link but the values will not reflect the counters you see on snmp.

If what you are trying to achieve is get close between interface counters and netflow, you can try this on the next hop device. But keep in mind, not only L3 traffic goes via routers/switches, so you will never get an exact match between a L2 counter (interface counters) and Netflow, L3 counters.

The accurate information for BW is snmp.

Netflow is usually used to understand the proportions of L3 protocols : for example 20% is FTP traffic, 50 % is HTTP and so forth.

Good luck.

steelysan · ‎07-06-2009

Hi,

Thanks, Im not trying to get the SNMP functionality via NetFlow. I want to make sure that the discrepancies in the two reports are not highly skewed thats all. I understand that NetFlow gives a ratio of the traffic composition and thats exactly what im trying to achieve.

Lucien Avramov · ‎07-06-2009

Yes so in that case, avoid monitoring the PPP interface, you will have better results