NetFlow NetMatrix subnet mask (src_mask) zero!!

hbadbanchi
Level 1

Hi,

I am gathering network traffic stats using NetMatrix thread definition of NetFlow.

There are some entries in the output file which I can not understand:

SOURCE defrouter|FORMAT 2|AGGREGATION NetMatrix|PERIOD 5|STARTTIME 1046706600|ENDTIME 1046706900|FLOWS 6900|MISSED 0|RECORDS 125

AGGREGATION_DEFINITION src_subnet|src_mask|input|dst_subnet|dst_mask|output|pkts|octets|flows

172.17.88.94|0|2|172.16.0.0|16|1|1|78|1

My question is why the src_mask of this record has been set to zero?

Flows for the same IP (172.17.88.94) aggregated in CallRecord thread, for the same time period, look like this:

SOURCE defrouter|FORMAT 2|AGGREGATION CallRecord|PERIOD 5|STARTTIME 1046706600|ENDTIME 1046706900|FLOWS 6900|MISSED 0|RECORDS 3995

AGGREGATION_DEFINITION srcaddr|dstaddr|srcport|dstport|prot|tos|pkts|octets|flows|starttime|endtime|activetime

172.17.88.94|172.16.128.20|137|137|17|0|1|78|1|1046706834|1046706834|0

172.16.254.250|172.17.88.94|139|1292|6|0|13|2893|1|1046706834|1046706834|104

172.17.88.94|172.16.254.250|1292|139|6|0|15|2044|1|1046706834|1046706834|308

As can be seen, there were other flows for this IP which have been correctly aggregated in the corresponding network records in the NetMatrix thread. Only the first record (UDP with activetime=0) has not been correctly aggregated and has resulted in a separate single record with subnet mask zero!

I would be grateful if anyone can help me understand the reason.

Thanks for any comments.

Regards,

H. Badbanchi

hbadbanchi@webasto.de
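A small parser for the pipe-delimited NFC dataset format shown in the post, added here as an example (it is not the poster's or Cisco's code), that flags NetMatrix records carrying a zero mask; the three sample records are constructed from the ones in the post.

```python
import ipaddress

# Constructed sample in the NFC NetMatrix export format shown above:
# a SOURCE header line, an AGGREGATION_DEFINITION line, then one
# pipe-delimited record per line.
SAMPLE = """SOURCE defrouter|FORMAT 2|AGGREGATION NetMatrix|PERIOD 5|STARTTIME 1046706600|ENDTIME 1046706900|FLOWS 6900|MISSED 0|RECORDS 3
AGGREGATION_DEFINITION src_subnet|src_mask|input|dst_subnet|dst_mask|output|pkts|octets|flows
172.17.88.94|0|2|172.16.0.0|16|1|1|78|1
172.17.88.0|24|2|172.16.0.0|16|1|15|2044|1
172.16.0.0|16|1|172.17.88.0|24|2|13|2893|1
"""


def parse_netmatrix(text):
    """Return (header dict, list of record dicts) for one NFC dataset."""
    lines = [l for l in text.splitlines() if l.strip()]
    # "SOURCE defrouter|FORMAT 2|..." -> {"SOURCE": "defrouter", "FORMAT": "2", ...}
    header = dict(item.split(" ", 1) for item in lines[0].split("|"))
    if not lines[1].startswith("AGGREGATION_DEFINITION "):
        raise ValueError("second line must be the AGGREGATION_DEFINITION")
    fields = lines[1].split(" ", 1)[1].split("|")
    records = []
    for line in lines[2:]:
        values = line.split("|")
        if len(values) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(fields, values)))
    # The RECORDS count in the header should match what we actually read.
    if "RECORDS" in header and int(header["RECORDS"]) != len(records):
        raise ValueError("RECORDS count does not match number of records")
    return header, records


def zero_mask_records(records):
    """Records whose src_mask or dst_mask is 0: the address was not folded
    into any prefix, so the 'subnet' column is really a single host."""
    return [r for r in records if r["src_mask"] == "0" or r["dst_mask"] == "0"]


def subnet_of(record, side):
    """Prefix a record represents on the 'src' or 'dst' side. With a zero
    mask this collapses to 0.0.0.0/0, which is why such records never
    merge with the /16 or /24 entries for the same hosts."""
    return ipaddress.ip_network(
        f"{record[side + '_subnet']}/{record[side + '_mask']}", strict=False)
```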

2 Replies

murabi
Level 4

I would suggest you to check your aggregation configuration on the router or on the NetFlow collector.

Hi.

I have no idea what I should look for in the configurations.

Here is the relevant part of the router config:

==================================
ip subnet-zero
ip flow-cache timeout active 1
ip flow-cache feature-accelerate
!
interface FastEthernet0/0
 description connected to LAN Stockdorf 172.16
 ip address 172.16.128.1 255.255.0.0
 no ip redirects
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description connected to router network
 ip address 172.17.1.1 255.255.255.0
 no ip redirects
 ip route-cache flow
 speed 100
 full-duplex
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 172.16.127.247 9996
ip flow-aggregation cache protocol-port
 cache timeout active 1
 export destination 172.16.127.247 9993
!
ip flow-aggregation cache prefix
 cache timeout active 1
 export destination 172.16.127.247 9994
 enabled
!
ip flow-aggregation cache prefix-port
 cache timeout active 1
 export destination 172.16.127.247 9995
 enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 Null0 254
==================================

and of course this default route to the null device is followed by several static routes for those destinations for which I want the router to switch the packets.

On the Flow Collector host (172.16.127.247) the NetMtrx thread has been defined like this:

==================================
Filter A-no-dropped
 permit Prot 88
 deny DstAddr 0.0.0.0 0.0.0.0
 deny SrcAddr 0.0.0.0 0.0.0.0
 permit DstAddr 0.0.0.0 255.255.255.255
 permit SrcAddr 0.0.0.0 255.255.255.255

Filter NxA-no-dropped
 permit Prot 88
 deny NextHop 0.0.0.0 0.0.0.0
 deny DstAddr 0.0.0.0 0.0.0.0
 deny SrcAddr 0.0.0.0 0.0.0.0
 permit NextHop 0.0.0.0 255.255.255.255
 permit DstAddr 0.0.0.0 255.255.255.255
 permit SrcAddr 0.0.0.0 255.255.255.255

Thread NETMTRX
 Filter Nx-no-dropped
 Filter A-no-dropped
 Aggregation NetMatrix
 Period 5
 Port 9996
 State Active
 DataSetPath /opt/CSCOnfc/Data
 Compression No
 Binary No
 MaxUsage 0
==================================

If the zero src_addr of this special flow is because of any of the above definitions, then how come other flows involving the same source and/or destinations have been correctly aggregated in their corresponding subnet records?

I believe there should be something about this flow on the router itself which has resulted in a src_addr=0 flow record. It cannot have anything to do with the thread definition on the collector (logically, I mean).

As we can see in the CallRecord thread the router HAS actually reported a src_addr=0 for this flow. So the NetMtrx has (correctly) acted as it should.

The question is why the router has reported src_addr=0 for this flow.

Thanks for your help.

Regards,

H. Badbanchi