Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
498
Views
0
Helpful
3
Replies

netflow without a Layer3 Interface?

rtjensen4
Level 4
Level 4

‎08-17-2010 10:28 AM - edited ‎03-06-2019 12:31 PM

Hi all,

I have somthing strange showing up via Netflow.

I have a 4503-E running 12.2(53)SG1. It has 5 VLANs:

Vlan 240: 192.168.240.1/24

Vlan 241: 192.168.241.1/24

Vlan 242: no IP, no SVI, but has 192.168.242.0/24 traffic on it.

Vlan 243: 192.168.243.1/24

Vlan 503: Vlan used to peer with my WAN: 198.98.x.x/30

Here is my NetFlow config for it:

ip flow ingress infer-fields
ip flow ingress layer2-switched
ip flow-cache timeout inactive 10
ip flow-cache timeout active 15
ip flow-export source Vlan240
ip flow-export version 5
ip flow-export destination 192.168.59.243 2055
ip route-cache flow infer-fields


Strangely, in Orion, which we use for Network monitoring / Netflow collecting, it's showing traffic between two hosts in the 192.168.242.0/24 subnet, 242.101 and 242.50. It's also reporting that traffic as being on VLAN 503. These hosts are valid hosts, but they are in-fact on VLAN 242, and I've verified that the 192.168.242.0/24 subnet does not exist in my network any other place. These hosts are able to communicate without issues or latency, so it doesn't seem to be impacting the traffic, it looks to be just how its being reported.

Any idea why: A. This traffic is being reported and B. Is being reported on the wrong interface?

I was under the impression that Netflow required a Layer3 interface? I could be wrong.

I'm attaching a screenshot from the netflow collector just for grins and giggles.

Labels:
Preview file
30 KB
0 Helpful
3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-17-2010 11:27 AM

Hello RtJensen4,

netflow export packets use SNMP ifindex to indicate input and output interface of an observed flow.

Have you configured snmp ifindex persist?

if not, has the system been rebooted recently?

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/53SG/configuration/nfswitch.html#wp1038670

you can use, if supported,

show snmp mib ifmib ifindex 

to see a list of current ifindex values for existing interfaces including SVI

Hope to help

Giuseppe

0 Helpful

jakewilson
Level 1
Level 1
In response to Giuseppe Larosa

‎08-17-2010 06:05 PM

I'll bet Giuseppe is correct.  We have seen many hardware vendors make this mistake when they

first start supporting NetFlow exports.  Check out this post on "NetFlow reports wrong interface instances."  We have made provisions for vendors who make this mistake.

Please check out Scrutinizer for NetFlow Analysis next time.  

0 Helpful

rtjensen4
Level 4
Level 4
In response to Giuseppe Larosa

‎08-18-2010 05:16 AM

Ok thanks. I think that must be the case. The device hasn't been restarted, but

I did upgrade to a new version of the Netflow collector, so maybe that's the issue.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card