Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

wuh
New Member

Netflow question

Hi,

I configured netflow a router 1841, which have two Ethernet interfaces in work. on the interface FE0/1, I enabled netflow, on FE0, i didnt. but when I use my application to look the traffic, it shows the traffic on FE0/0. why?

thanks,

Han

interface FastEthernet0/0

description Connected to

ip address 10.X.X.5 255.255.255.0 secondary

ip address 10.X.X.5 255.255.255.0

speed 100

full-duplex

end

interface FastEthernet0/1

description Connected to sib-b32-sw2 Fa0/8

ip address 10.x.x.202 255.255.255.252

ip route-cache flow

ip tcp adjust-mss 1400

speed 100

full-duplex

crypto map abc-map

end

2 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

Re: Netflow question

Yes, the command to activate flow cache on an interface also activates the netflow stats. However, there are other options for "managing" netflow stats, not shown in your partial config. These might impact what your "app" "sees".

Coming back to your original question, although you've only activated netflow on one interface, believe stats will note other interface used by flow (SrcIf and DstIf), although flow direction important (and dependent on other [later IOS] netflow configuration options).

Hall of Fame Super Silver

Re: Netflow question

Hello Han,

so you are using an external tool that collects netflow data exported by the router.

Be aware that among the exported data there are the following:

NetFlow Flows: Key Fields

A network flow is identified as a unidirectional stream of packets between a given source and destination-both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following key fields:

•Source IP address

•Destination IP address

•Source port number

>>>•Destination port number

•Layer 3 protocol type

•Type of service (ToS)

•Input logical interface

These seven key fields define a unique flow.

see

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/get_start_cfg_nflow_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1056621

So even if netflow is enabled only on f0/1 you can see f0/0 on reports for sure if it is the only exit point from router to outside world.

the tool from the snmp ifindex = destination port number can easily show f0/0 on reports.

Notice that Joseph had explained this.

Hope to help

Giuseppe

10 REPLIES
Super Bronze

Re: Netflow question

From your partial config, it looks more like you've enabled flow caching on one interface rather than netflow (statistics).

What is your "application" looking at? The flow cache or netflow stats?

wuh
New Member

Re: Netflow question

traffic volume and traffic percentage in protocol level. flow cache is the command to enable netflow on physical level, right?

thanks,

Han

Hall of Fame Super Silver

Re: Netflow question

Hello Han,

you should see traffic statistics about traffic inbound fas0/1 locally on the router itself.

verify if the field where you see f0/0 is the outgoing interface.

Hope to help

Giuseppe

wuh
New Member

Re: Netflow question

Giuseppe

f0/0 is to outside switch, f0/1 is to a small switch that connects to a couple of server PCs.

I do see both on our Mazu, the traffic application, that uses Netflow. Strange, huh?

thanks,

Han

Hall of Fame Super Silver

Re: Netflow question

Hello Han,

so you are using an external tool that collects netflow data exported by the router.

Be aware that among the exported data there are the following:

NetFlow Flows: Key Fields

A network flow is identified as a unidirectional stream of packets between a given source and destination-both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following key fields:

•Source IP address

•Destination IP address

•Source port number

>>>•Destination port number

•Layer 3 protocol type

•Type of service (ToS)

•Input logical interface

These seven key fields define a unique flow.

see

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/get_start_cfg_nflow_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1056621

So even if netflow is enabled only on f0/1 you can see f0/0 on reports for sure if it is the only exit point from router to outside world.

the tool from the snmp ifindex = destination port number can easily show f0/0 on reports.

Notice that Joseph had explained this.

Hope to help

Giuseppe

Super Bronze

Re: Netflow question

Yes, the command to activate flow cache on an interface also activates the netflow stats. However, there are other options for "managing" netflow stats, not shown in your partial config. These might impact what your "app" "sees".

Coming back to your original question, although you've only activated netflow on one interface, believe stats will note other interface used by flow (SrcIf and DstIf), although flow direction important (and dependent on other [later IOS] netflow configuration options).

wuh
New Member

Re: Netflow question

Thanks,

"believe stats will note other interface used by flow (SrcIf and DstIf), "

How so? please explain a little.

Han

Super Bronze

Re: Netflow question

A flow enters an interface and leaves an interface, the source interface (arrival/ingress) and the destination interface (departure/egress). Even though you've only activated netflow on one interface, it provides information on two interfaces. This is likely why you're seeing netflow stats for the interface you haven't activated netflow on.

wuh
New Member

Re: Netflow question

Joe:

As a matter of fact, I can the vlan interface on the application as well.

By the way, how does Netflow manage the info on a router?

Thanks,

Han

Super Bronze

Re: Netflow question

"By the way, how does Netflow manage the info on a router? "

Unsure what you're exactly asking. Netflow maintains a cache. However the first packet of a flow was treated, subsequent flow packets are provided the same final end result, w/o all the reoccuring processing. For instance, I believe if an ACL is involved, the ACL is applied to the packet's first packet and just the result is applied to subsequent packets.

Besides saving processing resources for a packet, netflow accumulates stats on the flow. These can be summarized and/or exported in different ways.

177
Views
0
Helpful
10
Replies