Help with Netflow analyzer settings on router

whiteford
Level 1

I have a Cisco 877 and 837 in VPN modes and I am trying to get them to forward traffic info to a Netflow server, but nothing shows on the Netflow Analyzer website. I have added the following:

router#configure terminal

router(config)#interface Ethernet 0

router(config-if)#ip route-cache flow

router(config-if)#exit

router(config)#ip flow-export destination 192.168.9.101 9996

router(config)#ip flow-export source Ethernet 0

router(config)#ip flow-export version 5

router(config)#ip flow-cache timeout active 1

router(config)#ip flow-cache timeout inactive 15

Router#sh ip flow export

Flow export v5 is enabled for main cache

Exporting flows to 192.168.9.101 (9996)

Exporting using source interface Ethernet0

Version 5 flow records

2004 flows exported in 677 udp datagrams

0 flows failed due to lack of export packet

0 export packets were sent up to process level

0 export packets were dropped due to no fib

0 export packets were dropped due to adjacency issues

0 export packets were dropped due to fragmentation failures

0 export packets were dropped due to encapsulation fixup failures

Router#

and

Router#sh ip cache flow

IP packet size distribution (132290 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.000 .704 .025 .100 .028 .054 .021 .011 .007 .001 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .002 .037 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes

1 active, 4095 inactive, 2014 added

69717 ager polls, 0 flow alloc failures

Active flows timeout in 1 minutes

Inactive flows timeout in 15 seconds

IP Sub Flow Cache, 21640 bytes

1 active, 1023 inactive, 2004 added, 2004 added to flow

0 alloc failures, 0 force free

1 chunk, 1 chunk added

last clearing of statistics never

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

TCP-WWW 182 0.0 8 202 0.0 2.6 4.9

TCP-SMTP 377 0.0 1 60 0.0 0.9 15.5

TCP-other 1041 0.0 124 126 3.9 44.5 7.4

UDP-DNS 115 0.0 1 71 0.0 1.4 15.4

UDP-NTP 35 0.0 1 96 0.0 0.0 15.5

UDP-other 108 0.0 1 333 0.0 0.2 15.4

ICMP 155 0.0 2 281 0.0 1.1 15.5

Total: 2013 0.0 65 127 4.0 23.6 10.3

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Et0 172.39.10.20 Di1 192.168.211.8 06 0695 0A26 382

router#

4 Replies

Richard Burts
Hall of Fame

Andy

The show ip cache flow clearly shows that the router is generating netflow data. If it is not getting to the analyzer there are a couple of things that I would suggest that you check:

- is there IP connectivity from the router to the address of the analyzer (192.168.9.101)?

- is the analyzer listening on port 9996?

- is the analyzer processing format version 5 packets?

- is there possibly any access list between the router and the analyzer which is not permitting UDP port 9996 to pass?

I would suggest that you do an extended ping from the router and in the extended ping specify 192.168.9.101 as the destination and specify ethernet 0 as the source. And if the extended ping does work then I would suggest an extended trace with destination 192.168.9.101 and source as ethernet 0 (to check on UDP packets instead of ICMP packets).

HTH

Rick
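
An added example, not part of the original thread: a minimal Python check, run on the analyzer host, for the two collector-side questions in the reply above (do datagrams arrive on UDP 9996, and are they well-formed version 5 exports). The function names and the sample datagram are constructed for illustration; `listen()` needs the port to be free, so stop the analyzer service first or pass another port.

```python
import ipaddress
import socket
import struct
HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return (header, flows) for a v5 export datagram; raise ValueError otherwise."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, _up, secs, _ns, seq, _et, _ei, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"export version {version}, collector expects 5")
    if not 1 <= count <= 30:                          # v5 carries 1..30 records
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count (truncated?)")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(f[0])),
                      "dst": str(ipaddress.IPv4Address(f[1])),
                      "in_if": f[3], "out_if": f[4],  # SNMP ifIndex values
                      "packets": f[5], "bytes": f[6],
                      "src_port": f[9], "dst_port": f[10], "proto": f[12]})
    return {"count": count, "unix_secs": secs, "sequence": seq}, flows

def sample_datagram():
    """Constructed datagram: one flow modelled on the 'show ip cache flow' row above."""
    hdr = HEADER.pack(5, 1, 0, 0, 0, 2004, 0, 0, 0)   # sequence number is made up
    rec = RECORD.pack(socket.inet_aton("172.39.10.20"), socket.inet_aton("192.168.211.8"),
                      bytes(4), 1, 2, 382, 48132, 0, 0,   # ifIndex and bytes are made up
                      0x0695, 0x0A26, 0, 6, 0, 0, 0, 0, 0)
    return hdr + rec

def listen(port=9996, limit=5):
    """Report each datagram arriving on the export port (needs the port to be free)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(limit):
            data, (peer, _) = s.recvfrom(65535)
            try:
                hdr, flows = parse_v5(data)
                print(peer, "seq", hdr["sequence"], len(flows), "flows", flows[0])
            except ValueError as err:
                print(peer, "rejected:", err)

if __name__ == "__main__":
    listen()
```

If datagrams arrive and parse here but the analyzer still shows nothing, the problem is on the analyzer side rather than in the router export or the path between them.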

Hi Rick, how do I do an extended ping? Plus I don't think from memory I have a permit rule for this, what should the permit rule look like?

Thanks

Andy

For extended ping you must be in privilege mode and you enter the command ping and press enter. The IOS then knows that you want extended ping and it asks a series of questions to get the information it needs to do the extended ping. For this issue the important questions are destination address (192.168.9.101) and when it asks if you want extended commands, you respond yes, and then specify the source address (address of the ethernet interface). Just take the defaults on the other questions by pressing enter.

The format of the permit rule will depend on what platform and on what direction it is being applied.

HTH

Rick

It seems the extended ping and trace on port 9996 worked.

From the beginning on the Cisco 837 I have added:

configure terminal

router(config)#interface Ethernet 0

router(config-if)#ip route-cache flow

router(config-if)#exit

router(config)#ip flow-export destination 192.168.9.101 9996

router(config)#ip flow-export source Ethernet 0

router(config)#ip flow-export version 5

router(config)#ip flow-cache timeout active 1

router(config)#ip flow-cache timeout inactive 15

router(config)#snmp-server ifindex persist

Still no data on the Netflow site. Says flows received 5 though.

sh ip flow export:

Flow export v5 is enabled for main cache

Exporting flows to 192.168.9.101 (9996)

Exporting using source interface Ethernet0

Version 5 flow records

9839 flows exported in 1883 udp datagrams

0 flows failed due to lack of export packet

1 export packets were sent up to process level

0 export packets were dropped due to no fib

0 export packets were dropped due to adjacency issues

0 export packets were dropped due to fragmentation failures

0 export packets were dropped due to encapsulation fixup failures
