Net Flow "ip flow route-cache flow"

Quick question on net flow. I was configuring net flow for management to SolarWinds. I noticed that "ip flow route-cache flow" doesn't work on the interface of the ASR 1001 router. From what I understand, "ip flow route-cache flow" enables net flow to use CEF on the interface. So, I'm assuming that the command has been dropped because CEF is the default on the ASRs?

Thanks, Pat.

Net Flow "ip flow route-cache flow"

Patrick,

Try "ip flow ingress" or "ip flow egress" (depending on the direction that you want).

HTH,

John

HTH, John *** Please rate all useful posts ***

Net Flow "ip flow route-cache flow"

Thanks John.

I want to enable netflow to provide me with info on the bandwidth usage of individual remote users. We have 250 881s in the field that connect back via DMVPN to two headend routers. I believe I should enable net flow on the interfaces on the head ends that face the remote 881s. Is this correct?

Will this do the trick?:

! (interface facing remote users)
ip flow-export source gigabit0/0/0
ip flow-export version 9
ip flow-export destination 10.10.10.10 port 2055
!
interface fastethernet0/0
 ip flow egress
 ip flow ingress

Is there more I should configure on the head ends or, is the information parsed by SolarWinds?

Thanks, Pat.

Net Flow "ip flow route-cache flow"

Patrick,

Netflow should be enabled on the interface that you expect the traffic coming in on or going out of. The flow-export source that you have marked as interface facing remote users should probably be the interface that netflow is configured on. Where is int fa0/0 in relation to this? You may not need it on fa0/0 at all.

John

HTH, John *** Please rate all useful posts ***

Net Flow "ip flow route-cache flow"

Sorry, bad config example

! (interface facing internal HQ network)
ip flow-export source gigabit0/0/1
ip flow-export version 9
ip flow-export destination 10.10.10.10 port 2055
!
! (interface facing remote users)
interface gigabitethernet0/0/0
 ip flow egress
 ip flow ingress

Thanks, Pat.

Net Flow "ip flow route-cache flow"

That looks good. You can also enable top talkers to see what you should be seeing on your collector:

ip flow-top-talkers
 sort-by bytes
 top 5

Then to see it, you'd do a "sho ip flow top".

I'm not sure if you're using Solarwinds now as a collector for other devices, but Solarwinds won't show you any data until you add it as an authorized source. In other words, Orion will get the data and just give you an error that it's unknown. Then you have to click on the node that it sees the data coming from and add it to Netflow.

HTH,

John

HTH, John *** Please rate all useful posts ***
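
A collector-side view of the reply above, as an added example that is not part of the original posts: the collector identifies an exporter by the sender address of its export datagrams (the address of the "ip flow-export source" interface), so the sketch checks that address against an allowlist and then parses the NetFlow version 9 header and flowsets. The allowlist address, the function names and the sample datagram are assumptions constructed for the example.

```python
import struct

# Assumed placeholder: address of the interface named in "ip flow-export source".
AUTHORIZED_EXPORTERS = {"192.0.2.1"}

# NetFlow v9 packet header: version, count, sysUptime, unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")

def inspect_export(datagram, sender_ip):
    """Summarise one UDP payload received on the collector port (2055 in the thread)."""
    if len(datagram) < V9_HEADER.size:
        return {"ok": False, "reason": "short datagram"}
    version, count, _uptime, _secs, sequence, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        return {"ok": False, "reason": f"version {version}, expected 9"}
    if sender_ip not in AUTHORIZED_EXPORTERS:
        return {"ok": False, "reason": f"unauthorized source {sender_ip}"}
    templates = data = 0
    offset = V9_HEADER.size
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack_from("!HH", datagram, offset)
        if length < 4 or offset + length > len(datagram):
            return {"ok": False, "reason": "malformed flowset length"}
        if flowset_id in (0, 1):      # template / options template flowset
            templates += 1
        elif flowset_id >= 256:       # data flowset, id matches a template id
            data += 1
        offset += length
    return {"ok": True, "records": count, "sequence": sequence,
            "source_id": source_id, "template_flowsets": templates,
            "data_flowsets": data}

def sample_datagram(version=9):
    """Constructed datagram: one template flowset and one data flowset."""
    header = V9_HEADER.pack(version, 2, 1000, 1700000000, 7, 0)
    # Template 256 with two 4-byte fields: IPV4_SRC_ADDR (8), IPV4_DST_ADDR (12)
    template = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
    record = struct.pack("!HH4s4s", 256, 12,
                         bytes([172, 12, 0, 1]), bytes([172, 47, 0, 7]))
    return header + template + record

if __name__ == "__main__":
    print(inspect_export(sample_datagram(), "192.0.2.1"))
    print(inspect_export(sample_datagram(), "198.51.100.9"))
```
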

Net Flow "ip flow route-cache flow"

So the device that I would have to add to netflow on SolarWinds would be the Headend routers, correct?

Also, I have to enable things that I want to monitor on the router? Such as: top-talkers?

I thought netflow was a generic dump to Solarwinds but, you make it sound like I can and should tweak the flow to what I want SolarWinds to get?

If this is true, do you know of a good doc that explains commands for different flows to send to SolarWinds?

Thanks, Pat.

Re: Net Flow "ip flow route-cache flow"

> So the device that I would have to add to netflow on SolarWinds would be the Headend routers, correct?

That's correct. Solarwinds will see new sources, but the netflow sources need to be managed by Solarwinds. When you click on the Netflow tab, you'll see the "Manage Sources" button and you should be able to see what sources are sending to your Solarwinds server.

> I have to enable things that I want to monitor on the router? Such as: top-talkers?

Top talkers isn't necessary, but I use them everywhere. The router will update netflow cache faster than Solarwinds does, so that's why I enable it. Sometimes I'll have a location ask me what's taking up their link, so I can get in the router faster than I can Solarwinds. Solarwinds is good for historical data though because I've had to find out what was going on at 3AM when a location's link was saturated.

> I thought netflow was a generic dump to Solarwinds but, you make it sound like I can and should tweak the flow to what I want SolarWinds to get?

It's a generic dump of everything that's going through the router and the sessions that the router sees. Solarwinds can chart the stuff for you where top talkers is cli-based. I'm not aware of being able to send selective flows (like only capture http traffic) with netflow.

HTH,

John

HTH, John *** Please rate all useful posts ***

Net Flow "ip flow route-cache flow"

I wanted to give you 5 stars but, it would let me correct my selection. Sorry about that. Thanks for the info.

So, you're saying any info that I want to retrieve quickly, I could configure to send to the net flow internal buffer like "top-talkers" and view it quickly via cli?

Do you have a link with these types of settings?

Thanks, Pat.

Net Flow "ip flow route-cache flow"

Patrick,

No worries on the rating

Solarwinds updates when it gets the data, but it always defaults to the "last 15 minutes." I always set up my routers to hold a cache with top talkers. You don't have to do much more than what you already have other than enabling top talkers:

!
interface Serial0/2
 ip address 172.12.0.2 255.255.255.0
 ip flow ingress
 ip flow egress
 clock rate 2000000
end

ip flow-top-talkers
 top 5
 sort-by bytes
!

R2#sh ip flow top
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Se0/2         172.12.0.1      Se0/0         172.47.0.7      01 0000 0800   500
Se0/1         172.47.0.7      Se0/2*        172.12.0.1      01 0000 0000   500
2 of 5 top talkers shown. 2 flows processed.

Here's a document that further explains it:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080259533.html#wp1131762

The SrcP and DstP are in hex. There are hex -> decimal calculators out there that you can use to find the port information. For example, if DstP was 0050, that would be port 80.

HTH,

John

HTH, John *** Please rate all useful posts ***
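
The hex decoding described in the post above, as an added example that is not part of the original thread: it parses "sh ip flow top" rows and converts Pr, SrcP and DstP from hex. It goes one step beyond the port example in the post: the two rows shown are ICMP (Pr 01), where NetFlow packs the ICMP type and code into DstP instead of a port. The function name, the protocol table and the K/M/G byte suffix handling are assumptions made for the example.

```python
import re

# Constructed sample: the output rows quoted in the post above.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Se0/2         172.12.0.1      Se0/0         172.47.0.7      01 0000 0800   500
Se0/1         172.47.0.7      Se0/2*        172.12.0.1      01 0000 0000   500
2 of 5 top talkers shown. 2 flows processed.
"""

PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

ROW = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<srcp>[0-9A-Fa-f]{4})\s+"
    r"(?P<dstp>[0-9A-Fa-f]{4})\s+(?P<bytes>\d+[KMG]?)\s*$"
)

def decode_top_talkers(text):
    """Return one dict per flow row, with hex fields converted to decimal."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # column header, summary line, blank lines
        proto = int(m["pr"], 16)
        srcp, dstp = int(m["srcp"], 16), int(m["dstp"], 16)
        flow = {"src": m["src_ip"], "dst": m["dst_ip"],
                "proto": PROTOCOLS.get(proto, str(proto)),
                "bytes": m["bytes"]}
        if proto == 1:
            # ICMP has no ports: high byte of DstP is the type, low byte the code
            flow["icmp_type"], flow["icmp_code"] = dstp >> 8, dstp & 0xFF
        else:
            flow["src_port"], flow["dst_port"] = srcp, dstp
        flows.append(flow)
    return flows

if __name__ == "__main__":
    for flow in decode_top_talkers(SAMPLE):
        print(flow)
```

Read this way, the first row is an ICMP echo request (type 8) from 172.12.0.1 and the second is the echo reply (type 0) coming back.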