Comments
-
"show module" gets you the Supervisor engine model. You can then use the Cisco Feature Navigator to find out if your hardware/software combination supports NetFlow, and what versions.
-
Do you see the traffic correctly in the CLI with "show flow monitor FlowMonitor1 cache"? If not, the problem is most likely with your NetFlow config on the router. If you do see it correctly in the CLI but not in NTA, probably something is going wrong in NTA.
-
Sure:
* Open Windows Perfmon.
* Click '+' to add a counter.
* Select the Solarwinds NetFlow performance object.
* Select the appropriate counter for your environment (probably "Netflow v5 Flows Received per Second").
* Click "Add".
-
Perfmon is the native Windows Performance Monitor application that's installed with Microsoft server platforms. You can use it to track lots of performance metrics, including a variety of numbers related to NTA. When I first read your post I thought you were asking about PDUs/second metrics on the NTA server, which you…
-
Another thing to keep in mind about the C3KX-SM-10G is that it only allows you to collect NetFlow data about traffic that traverses the uplink ports on the module. You still can't get port-to-port NetFlow data if the traffic doesn't cross the service module ports. One other solution is to port-mirror your traffic to a…
-
That's pretty weird. As you probably know, a "protocol unreachable" is supposed to mean that the IP protocol (i.e., the layer 4 protocol) is unknown to the device. Are there any clues in the data field of the ICMP error packet? The ICMP error message should include a copy of the header of the offending packet which…
-
I've seen this too. I didn't spend a bunch of time on it, but I did pull some packet captures to try to figure out what's going on. From the timestamps it looks like the offending packets are ones that have a different format in the community string. For example, if the SNMP community string is "foo", sometimes NPM sends…
-
No, I've never tried VTIs. It's been on my list of topics to learn about for a long time, but I haven't made time for it yet.
-
I don't know of any way to do what you're asking, but you might consider temporarily changing the primary IP address back to the old one, then use NCM to automatically update your ACLs for you.
-
That looks right, although I'm not sure how NTA handles the data from the "ip flow ingress layer2-switched" command. Things to check: 1) Do you have data in your flow cache ("show ip cache flow")? 2) Does "show ip flow export" look like you are sending flow exports? 3) If you run a packet capture for UDP port 2055 on the…
-
I haven't tried it with NetFlow v9. With v5 I have a bunch of tunnel interfaces with just "ip flow ingress|egress" on them, and it seems to work fine (the tunnel interfaces do have to be monitored by NPM, of course). I assume you're using the default GRE encapsulation on your tunnels and not something weird like IPinIP. I…
-
I've been wondering lately if better NetFlow traffic profiling could help with more complicated service measurements. For example, we have a service for a group of internal users that is pretty complex:
* Users at a remote site connect to a Citrix server in a central data center.
* Once on the Citrix server, they run a…
-
Please do! I was thinking about adding an option to print the details of the request object in each example. I'll update the gist as I have time, but feel free to do whatever you like with it.
-
The single numbers are 12-digit zero-padded versions of the IPv4 address: 10.1.1.108 10.1.1.109 You'll need to 1) reformat them with SQL, which is beyond me, 2) post-process them with other tools (I use Python for this kind of thing), or 3) train your eyes to read that format.
-
One approach I've found useful to filter out syslog noise is the "artificial ignorance" technique. I believe this technique was named by Marcus Ranum, probably close to 20 years ago by now. The idea is that you filter out stuff that you know isn't interesting, and refine that filter list over time. The simplest way is with…
-
I've got to ask: why do you want to reload devices after a particular number of days? They're not like Windows machines... I have routers that have been up for years with no problems. If you need to trigger a reload based on a certain anomalous event like a MALLOC syslog, you can do that natively in IOS with the Embedded…
-
Check this thread:
-
Just a followup: the reason that GRE tunnels almost always show "up/up" is that the state of the tunnel's line protocol is controlled by the presence or absence of a *route* to the tunnel destination. Thus, if a) the IP address of the tunnel destination is on the Internet, and b) you have a default route pointing to the…
-
I have heard the 1-5% number multiple times from Cisco engineers too. It fits with my experience; we are at around 2% on most of our links.
-
I am monitoring this OID for active calls on a PRI: 1.3.6.1.4.1.9.10.19.1.1.9.1.3 (CISCO-POP-MGMT-MIB:cpmDS1ActiveDS0s). You have to add the slot/port number to the end; e.g. "1.3.6.1.4.1.9.10.19.1.1.9.1.3.0.0" for slot 0/port 0. Add this as a UnDP and plot it with whatever graph you like.
-
As an interim solution, something I've been doing is setting up custom HTML resources that have direct links to a filtered search URL, along the lines of what we've been discussing in the "complex searches in NTA" thread. Perhaps this can get what you need until the new feature comes out.
-
Unfortunately the Cat 4500 series is one of the few platforms that doesn't support IP SLA. You can get it in recent IP Services images for the Cat 3560/3750, and in almost any router IOS image. We use a spare 1800 series router to do this, but even an old 2600 can handle 15-25 IP SLA operations per second before the CPU…
-
Your only option then is to set up nProbe on the Windows machine and turn it into a NetFlow exporter.
-
Thanks--please update the thread with what you find out. We are considering the purchase of some 4500s with 7Es and it would be nice to know if I need to replace NTA with something else as well.
-
This page has links to a few other documents on Netflow: www.cisco.com/.../tsd_technology_support_protocol_home.html The Wikipedia entry has a good overview, and links to some of the IETF work on flow specifications: en.wikipedia.org/.../Netflow
-
I don't know why you're seeing packets with zero source/destination addresses. As you say, you should be seeing the addresses of the crypto endpoints. By chance are you trying to export the flows *through* a tunnel configured with a crypto-map statement on the same router that generated the flow export packets? Last I…
-
I think this is a bug--it happens to me all the time; I'm running NTA3.5 SP2
-
Even though there are security problems with SSHv1, it would be nice to see the SCP server support it. Cisco IDS appliances don't yet support SCP with SSHv2. The bug on this (CSCse05771) has been open through two major revisions of the IDS code, so I'm not holding my breath.
-
Standard GRE tunnel interfaces *should* work just fine. The thread that Andy references is about using IPSec tunnels on physical interfaces, which doesn't work.

2801-VPN#sh run int tu 5 | i interface|flow
interface Tunnel5
 ip flow ingress
 ip flow egress
2801-VPN#sh ip flow int
FastEthernet0/0
  ip flow ingress
  ip flow egress…
-
FYI, nProbe is not a flow forwarder; it reads a raw packet flow and creates flow export records based on it. I believe the original poster was asking for the feature sometimes known as "flow fan-out": in this feature, a collector is able to reproduce flows and send them to other collectors, with the option to preserve or…