
netflow command and interface

nitass
Level 1

Hi,

I have a few simple questions regarding netflow. Would anyone please clarify them for me?

1. I usually configure NetFlow with the "ip route-cache flow" command. However, I have seen articles mentioning the "ip flow ingress" and "ip flow egress" commands. What exactly is the difference between ip route-cache flow and ip flow ingress|egress? Which one should be used?

2. I understand NetFlow needs to be configured on every interface to export complete NetFlow data. Is that correct?

3. If there are 2 physical and 2 logical (i.e. tunnel) interfaces, on how many/which interfaces should NetFlow be configured? Are the physical interfaces alone enough?

Please let me know if I misunderstand anything.

Thank you very much,

Nitass

2 Replies

yjdabear
VIP Alumni

AFAIK:

1. "ip route-cache flow" is deprecated starting in 12.2(18)SXD. See this URL for other IOS trains: http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_01.html#wp1049320

2. It's generally correct, due to the unidirectional nature of NetFlow records. Otherwise, you run risks such as only seeing one direction of a given "conversation".

3. My understanding was that the NetFlow cache could only be enabled on layer-3 interfaces. However, on the Catalyst 6000s (and sup720?), you can get layer-2 bridged traffic between hosts in the same VLAN, using the following config:


ip flow ingress layer2-switched vlan
ip flow export layer2-switched vlan

Then, there's this recent thread that makes it sound promising that layer-2 ports could become NetFlow-enabled, though it's not clear (to me) how it works out in practice:
https://supportforums.cisco.com/message/678612#678612

So YMMV. The best bet is to actually attempt configuring it. Odds are the physical interfaces won't accept the "ip route-cache flow" or "ip flow ingress/egress" config.
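
The one-direction risk from point 2 of the reply above, as an added example that is not part of the original thread: a collector-side check that pairs unidirectional flow records into conversations and lists those seen in only one direction, which is what a missing ingress interface produces. The record layout, addresses and function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not from the thread), NetFlow v5 style:
# each record describes ONE direction of traffic, captured at ingress.
# Layout (assumed): (input_ifindex, src_ip, src_port, dst_ip, dst_port, proto)
FLOWS = [
    (1, "10.0.0.5", 51000, "192.0.2.10", 443, 6),    # client -> server, in on if 1
    (2, "192.0.2.10", 443, "10.0.0.5", 51000, 6),    # server -> client, in on if 2
    (1, "10.0.0.7", 40000, "198.51.100.8", 53, 17),  # query seen; the reply came in
                                                     # on an interface without NetFlow
]


def conversation_key(src, sport, dst, dport, proto):
    """Direction-independent key: the two endpoints in sorted order."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def one_sided_conversations(flows):
    """Return conversations for which only one direction was exported.

    A long list here suggests an interface in the return path is not
    NetFlow-enabled. Genuinely one-way traffic (unanswered probes, some UDP)
    also lands in this list, so treat it as a coverage hint, not proof.
    """
    directions = defaultdict(set)
    for _ifindex, src, sport, dst, dport, proto in flows:
        key = conversation_key(src, sport, dst, dport, proto)
        directions[key].add((src, sport))  # remember which side was the sender
    return sorted(k for k, senders in directions.items() if len(senders) == 1)


def ingress_interfaces(flows):
    """Interfaces that actually contributed records, to compare with the
    list of interfaces expected to have NetFlow enabled."""
    return sorted({ifindex for ifindex, *_ in flows})


if __name__ == "__main__":
    print("exporting interfaces:", ingress_interfaces(FLOWS))
    for conv in one_sided_conversations(FLOWS):
        print("one direction only:", conv)
```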

2. I understand NetFlow needs to be enabled on every interface because it (NetFlow v5) works on an ingress basis. Anyway, suppose there are 4 interfaces: 2 are physical and 2 are logical (GRE tunnel) interfaces. What is the difference between enabling only the 2 physical interfaces and enabling all of them? I think maybe just the 2 physical interfaces are enough because they are all physical. Please correct me if I misunderstand anything.

Thanks,

Nitass
