
Cisco 1941: any risk in "ip routing" or "ip cef" for NetFlow when bridging

Hi,

This is regarding a Cisco 1941 router, version 15.1, IPv4 only.

I would like to enable Netflow v9 for use with PRTG monitoring of bandwidth usage.

I tried the instructions at http://kb.paessler.com/en/topic/563-do-you-have-any-configuration-tips-for-cisco-routers-and-prtg and the very first step fails because I have

no ip routing
no cef

in my running-config.  Specifically, this

interface GigabitEthernet 0/1
ip route-cache flow
exit 

fails with the error message "ip routing not enabled".

I have read conflicting information about whether I need to change either or both of those lines. And I have scanned enough of http://www.cisco.com/c/en/us/td/docs/ios/15_1/release/notes/15_1m_and_t/151-4MCAVS.html to be afraid to just try it.

Hopefully this is enough of my config for someone to give some useful feedback. Note BRIDGING.

interface GigabitEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip route-cache
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0/1
 bandwidth 10000
 ip address 201.201.201.51 255.255.255.0
 ip access-group 110 in
 ip access-group 120 out
 no ip redirects
 no ip unreachables
 no ip route-cache
 load-interval 30
 duplex auto
 speed 10
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
!
ip default-gateway 201.201.201.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-export version 9
ip flow-export destination 201.201.201.89 9991

Looking forward to comments from anyone with experience doing something similar.

Thank you.

1 ACCEPTED SOLUTION

We do not know anything about your environment or about why you have decided to disable ip routing and enable bridging. But there is probably a reason why you have done this.

The importance of this is that NetFlow data is generated as part of making routing decisions. And you are preventing your router from making routing decisions since you have disabled ip routing. So I do not see any way that you can get NetFlow from this router as long as you have disabled ip routing.

HTH

Rick

10 REPLIES

Now reading Network Flow Analysis by Michael W. Lucas:

http://www.amazon.com/Network-Flow-Analysis-Michael-Lucas-ebook/dp/B003VTZXDG

Thank you Rick! Yes, that link between NetFlow and routing-not-bridging is beginning to sink in for me.

My reason for bridging is that I do not need VPN or NAT; I just need the subnet (IP) traffic to flow from gi0/1 to gi0/0 and back. I have been reading and re-reading this article, http://www.netcraftsmen.net/resources/archived-articles/428-integrated-routing-and-bridging.html, and it seems that "concurrent" or "integrated" routing and bridging may be the way to go.

I am concerned that, to the extent that the ip traffic is bridged (not routed), it will be invisible to NetFlow, for exactly the reason that you describe. So even if I set up a CRB or IRB, I might not get useful NetFlow data.

Or maybe there is a way to configure ip routing so that there are hardly any decisions made; rather, the subnet goes straight through in both directions. I fear that is such a simple case that no one makes examples for it. I have been assigned half of a class C subnet, e.g. 209.201.225.1 through .127. I am not terribly short on IPv4 numbers, so I can use up a number for the gi0/1 and/or gi0/0 and/or BVI interface(s).

For ~14 years a Cisco 2621 router has been used "here" purely for the purpose of traffic shaping. I recently upgraded to the Cisco 1941 and am keen to take advantage of traffic peak shaping and NetFlow v5 or v9.  I took the config from the 2621 and used it as the basis for my config for the 1941.

I am (obviously) very new to all this and self-taught. My expert is currently ridiculously overbooked, so I am trying to figure it out. In other words, I will not feel offended if you need to state the "obvious" to steer me in a useful direction.

Ann

Ann

I am glad that you found the article from our website and hope that you find it helpful. What you describe is a very unusual situation and no doubt is difficult to find answers for it. It seems to me that the key thing here is that you have the same subnet configured on both interfaces and therefore need to bridge the IP traffic.

As I explained in my first response NetFlow data is generated as a byproduct of making routing decisions. If you need to bridge this IP traffic then there is no routing and therefore no NetFlow. Implementing Concurrent Routing and Bridging (I think a less good alternative) or Integrated Routing and Bridging (a better alternative but still not a solution for you) will not change the basic fact that you are bridging the IP traffic.

If NetFlow is important to you then you need to find a way to introduce routing. Perhaps it could be possible to divide your subnet in half with a half on each interface. Then the router would have two connected subnets and could route between them (if you enable ip routing and cef). The routing decision would be extremely simple for two connected subnets and would not require any static routes or any dynamic routing protocol. But it would require a different way to organize your network and I do not know how big a challenge that would be.

HTH

Rick

Rick,

I am glad to have CRB and IRB ruled out.

Do you think traffic will flow faster or slower if I change from bridging to routing? I am starting to think it might be much faster, since the protocol does not need to change. That line about the bridge running IEEE means that the data was all changed from IP to IEEE and back to IP, right?

On the gigabit 0/1 side, I think I only need one number, 209.201.225.1.  I need the rest of the half subnet on the gigabit 0/0 side.

Netmask:   255.255.255.128 = /25   11111111.11111111.11111111.1 0000000
Wildcard:  0.0.0.127              00000000.00000000.00000000.0 1111111

This is in a datacenter where the 1/2 class C is granted by the ISP and is physically connected via Cat-5 (or probably Cat-6) to the GigabitEthernet0/1 interface, and the 0/0 side goes on to a Cisco switch that goes to various internet servers.

I know that most people would use NAT for the servers, but since all servers need to be publicly accessible, I don't want to put them on 192.168.x or 10.x and then have to map ports, etc. As long as .2 through .126 come through on the gi0/0 interface, it should be fine.

Can you point me to an example config that accomplishes something similar to this?

Ann

Rick,

If I did change to routing, would I then need to reconfigure the gateway for all the servers? Currently they all use a gateway of .1, which is on the ISP side of the gi0/1 interface.

Maybe that is what you were thinking when you wrote about reconfiguring my network.  That would be very difficult.

Ann

Ann

Let me start with something that is sort of "obvious" to those of us with more experience but not to those who are still in the early stages of learning about networking. It has to do with that layered model that many of us struggle with as we are learning about networking. The thing is that Ethernet (and IEEE) are layer 2 constructs while IP is a layer 3 construct. What that really means is that as data flows through your network there is an Ethernet header which carries the layer 2 addressing and there is also an IP header which carries the layer 3 addressing. Where that becomes important is that bridging makes forwarding decisions based on layer 2 addressing while IP routing makes forwarding decisions based on layer 3 addressing.

So if you enable bridging your router is making forwarding decisions based on the Ethernet addresses. If you enable routing your router will make forwarding decisions based on the IP address. It is certainly not a question of IP becomes IEEE becomes IP.

Given what I think I understand about your environment I would suggest that changing to be able to use NetFlow may not be worth it because it would require changing gateways on all the devices.

HTH

Rick

That is the most useful bit of info about layer 2 and layer 3 that I have read in several weeks! AH HA!

Thank you for the conversation.

Ann

It has indeed been an interesting conversation. And I am glad that my suggestions have been helpful. Thank you for using the rating system to mark this question as answered. That will help to identify to other readers in the forum that there is helpful information here.

HTH

Rick

I just got off the phone with a Cisco expert and that cleared up quite a few things. For the benefit of others who may stumble here later:

1. Most of my config was doing nothing because I was not routing. Not only will NetFlow never work with bridging, the ACL stuff will not do anything either.

2. I need to have my ISP assign 4 IP numbers, usually from another subnet, for use on the 0/1 interface, and then I can route. The rule about not having the same subnet on two interfaces is a real rule.

3. The gateway .1 number will move from my ISP into my router, therefore I will not need to reconfigure all the servers.

Over & out.
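Ann's three points describe a routed replacement for the bridge-group design, and also implement Rick's earlier advice to introduce routing so that NetFlow has routing decisions to record. The IOS configuration sketch below is an added example, not from the thread, Cisco or Paessler; 203.0.113.0/30 is a constructed placeholder for the separate ISP-assigned block, while the /25, the ACL numbers and the PRTG collector address are taken from the thread and assumed reachable from the new design.

```cisco
! Added example, not from the thread. Routed replacement for the bridged
! 1941 config: the bridge-group is removed, ip routing and CEF are enabled
! (both required before NetFlow can be turned on), and each interface gets
! its own subnet so the "same subnet on two interfaces" rule is respected.
no bridge 1 protocol ieee
ip routing
ip cef
!
interface GigabitEthernet0/1
 description Uplink to ISP (constructed placeholder /30, not the server /25)
 ip address 203.0.113.2 255.255.255.252
 ip access-group 110 in
 ip access-group 120 out
 no bridge-group 1
 ip route-cache
 ip flow ingress
 ip flow egress
!
interface GigabitEthernet0/0
 description Server LAN; the old .1 gateway now lives on the router
 ip address 209.201.225.1 255.255.255.128
 no bridge-group 1
 ip route-cache
 ip flow ingress
 ip flow egress
!
! "ip default-gateway" is only honoured while ip routing is disabled, so
! it is replaced by a static default route toward the ISP end of the /30.
no ip default-gateway 201.201.201.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Export v9 records to the PRTG collector from the original post.
ip flow-export source GigabitEthernet0/0
ip flow-export version 9
ip flow-export destination 201.201.201.89 9991
```

Because the servers' gateway address .1 is now an interface on the router rather than on the ISP side, the servers keep their existing gateway setting, which is Ann's point 3; "show ip cache flow" will show flows only once traffic is actually being routed between the two interfaces.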
