Documentation - Using Router as Netflow Probe

Sep 26th, 2010

Scenario:


I currently have Netflow enabled on all of my routers in my network. 


However, I have a Cat3750, which does not support Netflow.  The 3750 is at a larger remote site and I need visibility into the traffic that is traversing internal to that switch.  All VLANs are configured on the 3750.  I have an extra Cisco router, which I have theorized I could use as a Netflow probe.


Here is the idea, please excuse the crudeness of the diagram.

[Diagram: 2811-Netflow-Probe.png]


The 2811 Router has two FastEthernet ports.

F0/0 would be configured with no IP Address and would be connected to the 3750 on G0/1 with no VLANs configured.

F0/1 would be configured with a static IP and connected to the 3750 on port G0/2 with the appropriate VLAN to ensure network connectivity.


On the 3750, configure a monitor session with a destination of Interface G0/1.

On the 2811, configure netflow to send to the Netflow server and set F0/0 for ip flow ingress.


Obviously, it doesn't work.  But I cannot figure out why.


Thoughts?

jakewilson Sat, 10/02/2010 - 05:19

Hi Jeff,


I'm not sure the Cisco router will send NetFlow for packets it sees unless it routes them. Hopefully someone else can confirm this, but I don't think the router will passively snoop on packets and send out NetFlow datagrams on what it sees.


I suggest an nProbe from ntop.org.  It is designed for this type of application and it is the first product I've seen to export URL details:



and latency information:


You might like these extra details.


The above is all in IPFIX (i.e. NetFlow) for the flows it sees. Scrutinizer NetFlow Analyzer is the product to report on the data with.


I hope this helps.


Jake

Giuseppe Larosa Sat, 10/02/2010 - 06:32

Hello,

As Jake has noted, netflow accounting on a router happens for flows that are processed/routed by it.


You should take his suggestion for a dedicated solution that can act as a probe.


My customer is using nbox devices that run nprobe with good results.


Hope to help

Giuseppe

jkirby Tue, 07/26/2011 - 06:53

Sorry to jump on an old thread, but after finding libpcap on CentOS dropping too many packets I also thought about using a couple of old 2800s as netflow probes. I realized that the router won't export any information unless it routes the flows, but what if we set up the router as the OP designed, then added a single static route like:


ip route 0.0.0.0 0.0.0.0 Null0


Turn off all dynamic routing and have only this one static route and one more specific route for the admin interface.  Make sure that the admin interface is NOT in a subnet the probe side will ever see to prevent massive routing loops.  I'm thinking this should work.  I have a 2811 and 2821 sitting on my desk just waiting to try this out.  Again, old thread but I'll update anyway with my results.


I'm guessing since all the data is coming IN from the router's view then only ingress netflow is needed on that interface.


jk
