netflow command and interface

Dec 14th, 2009

Hi,

I have a few simple questions regarding netflow. Would anyone please clarify them for me?

1. I usually configured NetFlow with the "ip route-cache flow" command. Anyway, I have seen articles mentioning the "ip flow ingress" and "ip flow egress" commands. What exactly is the difference, i.e. between ip route-cache flow and ip flow ingress|egress? Which one should be used?

2. I understand NetFlow needs to be configured on every interface to export complete NetFlow data. Is that correct?

3. If there are 2 physical and 2 logical, i.e. tunnel, interfaces, on how many/which interfaces should NetFlow be configured? Are the physical interfaces alone enough?

Please let me know if I misunderstand anything.

Thank you very much,

Nitass

yjdabear Mon, 12/14/2009 - 12:42

AFAIK:

1. "ip route-cache flow" is deprecated starting in 12.2(18)SXD. See this URL for other IOS trains: http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_01.html#wp1049320

2. It's generally correct, due to the unidirectional nature of NetFlow records. Otherwise, you run risks such as only seeing one direction of a given "conversation".

3. My understanding was that the NetFlow cache could only be enabled on layer-3 interfaces. However, on the Catalyst 6000s (and Sup720?), you can get layer-2 bridged traffic between hosts in the same VLAN using the following config:

ip flow ingress layer2-switched vlan
ip flow export layer2-switched vlan

Then, there's this recent thread that makes it sound promising that layer-2 ports could become NetFlow-enabled, though it's not clear (to me) how it works out in practice:
https://supportforums.cisco.com/message/678612#678612

So YMMV. The best bet is to actually attempt configuring it. Odds are the physical interfaces won't accept the "ip route-cache flow" or "ip flow ingress/egress" config.
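
The unidirectional, ingress-keyed nature of NetFlow v5 records described in point 2 above, as an added example that is not code from the original thread: a small Python NetFlow v5 encoder/decoder that models "ip flow ingress" being enabled on only some interfaces and shows what a collector then sees. The ifIndex numbers, addresses, ports and byte counts are constructed sample data, and the model of ingress accounting (a record is created only for packets entering an interface that has NetFlow enabled) is the assumption the example is built on.

```python
"""Added example (not from the original thread): NetFlow v5 records are
unidirectional and are created for packets on their INPUT interface, so a
TCP conversation only shows up in both directions when 'ip flow ingress'
is enabled on both interfaces it enters the router through."""
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def build_v5_packet(records, uptime_ms=120000, unix_secs=1260800000, seq=0):
    """Serialise record dicts into one NetFlow v5 export datagram payload."""
    body = b"".join(
        V5_RECORD.pack(
            IPv4Address(r["src"]).packed, IPv4Address(r["dst"]).packed,
            IPv4Address(r.get("nexthop", "0.0.0.0")).packed,
            r["input"], r["output"], r["pkts"], r["octets"],
            r["first"], r["last"], r["sport"], r["dport"],
            0, r.get("tcp_flags", 0), r["proto"], 0,      # pad1, flags, proto, tos
            0, 0, 24, 24, 0)                               # src_as, dst_as, masks, pad2
        for r in records)
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + body


def parse_v5_packet(data):
    """Decode a NetFlow v5 datagram into a list of record dicts."""
    version, count = V5_HEADER.unpack_from(data, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "input": f[3], "output": f[4], "pkts": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return flows


def export_with_ingress_on(records, enabled_ifindexes):
    """Model 'ip flow ingress' configured on only some interfaces (assumption
    used here: the router only creates a cache entry, hence a record, for
    packets whose input ifIndex has NetFlow enabled). Round-trips through the
    wire format so the parser is exercised too."""
    kept = [r for r in records if r["input"] in enabled_ifindexes]
    return parse_v5_packet(build_v5_packet(kept))


def conversations(flows):
    """Pair unidirectional records into conversations keyed on a
    direction-independent (proto, endpoint, endpoint) tuple."""
    convs = {}
    for f in flows:
        a, b = (f["src"], f["sport"]), (f["dst"], f["dport"])
        side = "forward" if a <= b else "reverse"
        key = (f["proto"],) + (a + b if side == "forward" else b + a)
        convs.setdefault(key, {"forward": None, "reverse": None})[side] = f
    return convs


def one_sided(convs):
    """Conversations for which only one direction was ever exported."""
    return [k for k, v in convs.items() if v["forward"] is None or v["reverse"] is None]


# Constructed sample: ifIndex 1 = inside LAN port, ifIndex 2 = WAN port.
# One HTTPS session between an inside host and an outside server.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "input": 1, "output": 2,
     "pkts": 12, "octets": 1840, "first": 100000, "last": 110000,
     "sport": 51234, "dport": 443, "proto": 6, "tcp_flags": 0x1b},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "input": 2, "output": 1,
     "pkts": 10, "octets": 9200, "first": 100050, "last": 110020,
     "sport": 443, "dport": 51234, "proto": 6, "tcp_flags": 0x1b},
]

if __name__ == "__main__":
    for enabled in ({1, 2}, {1}):
        convs = conversations(export_with_ingress_on(SAMPLE_RECORDS, enabled))
        print(f"ip flow ingress on ifIndex {sorted(enabled)}: "
              f"{len(convs)} conversation(s), {len(one_sided(convs))} one-sided")
        for key, v in convs.items():
            print("  ", key, "forward" if v["forward"] else "-",
                  "reverse" if v["reverse"] else "-")
```

With both interfaces enabled the session is paired into one complete conversation; with only the LAN-side interface enabled, the server-to-client half never appears, so byte counts, TCP flags and timing for that direction are simply missing from the collector. The same one_sided() check is a cheap sanity test to run against any collector before trusting its data for incident response: a large fraction of one-sided TCP conversations usually means an interface without "ip flow ingress", not attack traffic.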

nitass Tue, 12/15/2009 - 09:45

2. I understand NetFlow needs to be enabled on every interface because it (NetFlow v5) works on an ingress basis. Anyway, say there are 4 interfaces: 2 physical and 2 logical (GRE tunnel) interfaces. What is the difference between enabling only the 2 physical interfaces and enabling all of them? I think maybe just the 2 physical interfaces are enough because they are all physical. Please correct me if I misunderstand anything.

Thanks,

Nitass
