I have configured Flexible NetFlow on our routers. An analysis of the cache reveals that my PC is communicating with the router via Skype; however, I'm not running Skype on my desktop.
IPV4 SRC ADDR IPV4 DST ADDR TRNS SRC PORT TRNS DST PORT INTF INPUT IP PROT flows bytes time first app name
10.44.108.168 172.17.140.77 51956 161 Tu0 17 1 544 20:07 cisco skype
Can someone please tell me why I'm seeing Skype being communicated between my desktop 10.44.108.168 and the router on 172.17.140.77?
I've seen similar behaviors with the first release of NBAR in NetFlow. NBAR2 in the latest IOS does a better job of identifying applications. Perhaps you can try it.
NBAR2 uses protocol packs to update application support. They are available under the "Software on Chassis" section of the downloads page for your platform (assuming it's an ISR G2 or ASR with the necessary license - those are the platforms with NBAR2 support).
See this example for the 2921: link.
For lots of info on AVC, NBAR2, FNF, licensing requirements, how to load and use protocol packs, etc. please see the Cisco Docwiki page on AVC.
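An added example (not from the original thread) of the steps the answer above describes for checking and updating NBAR2 application recognition on an ISR G2 running 15.2(4)M or later. The protocol pack file name and the TFTP server address are placeholders, not real values from the page; use the file downloaded for your platform.

```cisco
! Added example, not the original poster's or Cisco's own configuration.
! 1. Confirm the router is running NBAR2 and see which protocol pack is active.
show version | include IOS
show ip nbar version
show ip nbar protocol-pack active

! 2. Copy the protocol pack for your platform to flash.
!    (file name and server address are assumptions for illustration)
copy tftp://192.0.2.5/pp-adv-isrg2.pack flash:

! 3. Activate the pack (global configuration mode).
configure terminal
 ip nbar protocol-pack flash:pp-adv-isrg2.pack
end

! 4. Verify the newer pack is now the one in use, then re-check the flow
!    cache to see whether the SNMP (UDP/161) flow is still tagged as skype.
show ip nbar protocol-pack active
show flow monitor name <monitor-name> cache format table
```

If the newer pack still classifies the UDP/161 flow to the router as skype, capture a few packets of that flow and open a TAC case with the protocol pack version, since the classification signatures are only updated through protocol packs.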
One quick other question.
Can you tell me if it's possible to configure a NetFlow Exporter with more than one destination?
Flow Exporter NETFLOW-TO-ORION:
Description: User defined
Export protocol: NetFlow Version 9
Destination IP address: 22.214.171.124
Source IP address: 126.96.36.199
Source Interface: Ethernet1/3
Transport Protocol: UDP
Destination Port: 9995
Source Port: 53405
Output Features: Not Used
I would like to add another destination to the above Flow Exporter
A given exporter only goes to a single destination. You can create multiple exporters for a given monitor. (up to 10 with FNF, 2 with original Netflow)
See the configuration guide here.
Please rate helpful posts and mark your question as answered once it has been.
Thanks again mate. You've been great.
I wonder if I could trouble you again regarding Flow Exporter values?
Can you recommend timeout values? For example, I think Cisco suggests the following:
Breaks up long-lived flows into 1-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes your traffic reports will have spikes.
Ensures that flows that have finished are periodically exported. The default value is 15 seconds. You can choose any number of seconds between 10 and 600. However, if you choose a value greater than 250 seconds, NetFlow Analyzer may report traffic levels that are too low.
Would you go along with this?
Absent any specific recommendations to the contrary from your Netflow management tool vendor, the Cisco recommendations are generally fine.
If you're using SolarWinds NTA, they have some suggestions on their technical references here:
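An added example, not from the original thread, that puts the two answers above together: a Flexible NetFlow configuration in which one flow monitor feeds two exporters (the second destination asked about earlier) and the cache timeouts are set to the values discussed. Exporter and monitor names, collector addresses, interfaces and ports are assumptions chosen for illustration. One caveat a practitioner should note: the quoted guidance ("between 1 and 60" for the active timeout) is in minutes because it describes the legacy `ip flow-cache timeout active` command, whereas Flexible NetFlow's `cache timeout active` and `cache timeout inactive` take seconds.

```cisco
! Added example (not the original poster's configuration); names and addresses are illustrative.
! A flow exporter has exactly one destination, so define one exporter per collector.
flow exporter EXP-ORION
 description Primary collector (assumed address and port)
 destination 192.0.2.10
 source GigabitEthernet0/0
 transport udp 9995
 export-protocol netflow-v9
!
flow exporter EXP-SECOND
 description Second collector (assumed address and port)
 destination 192.0.2.20
 source GigabitEthernet0/0
 transport udp 2055
 export-protocol netflow-v9
!
! Record matching the fields shown in the cache output earlier in the thread.
flow record REC-APP
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match application name
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! The monitor references both exporters. Timeouts follow the guidance quoted
! above, converted to seconds: split long-lived flows every 60 s so reports do
! not spike, and export finished flows after 15 s of inactivity.
flow monitor MON-APP
 record REC-APP
 exporter EXP-ORION
 exporter EXP-SECOND
 cache timeout active 60
 cache timeout inactive 15
!
interface GigabitEthernet0/1
 ip flow monitor MON-APP input
!
! Verification (exec mode): both exporters should be listed and their
! "Packets exported" counters should increase.
! show flow monitor MON-APP
! show flow exporter EXP-ORION statistics
! show flow exporter EXP-SECOND statistics
! show flow monitor MON-APP cache format table
```

Applying the monitor to an interface with `ip flow monitor MON-APP input` is what actually starts caching; defining the monitor alone exports nothing. Check the exporter statistics on both collectors after a few minutes to confirm that records reach each destination.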
I was told that NBAR2 is the result of upgrading to IOS XE 3.7 on the ASR1000 or to IOS 15.2(4)M on your ISR routers.
To configure multiple exporters, use Flexible NetFlow. It allows you to set up multiple (possibly unlimited) Flow Exporters and assign them to a Flow Monitor. Make sure you add all the exporters in step two of the Flexible NetFlow configuration process. Reach out to the team at plixer.com if you need help.