Receiving netflow data from unmonitored interface - interface not configured for netflow

Hi,

I believe that this is normal. The single flow record includes information about input and output interface. So if you configure to monitor flows only from one interface on the router, the flows collected will usually have information also about other interfaces that does not have flow monitoring enabled. NTA then detects them as receiving interfaces. You could confirm that this is the case by WireShark capture.

Hope this helps.

I get tons of these, wish I could suppress them but they are normal then way I have my flows set up.

The events should be displayed only once per interface after NTA service starts. If that is not the case and the events are appearing constantly I would go with opening ticket on support.

The "interesting" thing about this is that if we go ahead and add the interface to netflow monitoring, we give it a while (over a day now) to populate data, but when we go to the netflow details page for that interface, we get "Data is not available" for every resource on the page. I think this is the smoking gun to show that it should not behave like this.

I have a ticket open with support and we're supposed to to a webex this morning so I can show them what is happening. I'll update the thread.

Here's what we determined. Stibi is correct about the flow packets do reference the input and output interfaces for the traffic, regardless of which interfaces have flow monitors configured. The notification that we are getting is saying that we received a flow packet that references an interface that we are not managing. This is specifically talking about SNMP monitoring, though, not Netflow monitoring. I don't know if adding them to SNMP monitoring stops the notification, or if it still wants you to add it to netflow monitoring. I did try both, and what I found is that when you add one of these interfaces to netflow monitoring, you do not see any netflow data for those interfaces (yes I did add to SNMP monitoring first, and I did give it plenty of time (12+hours) to accumulate some data)...which further illustrates my frustration with receiving these notification in the first place.

The thing is, most people do not monitor every single interface on a device, at least not any company where I have worked. Typically we monitor uplinks and WAN interfaces, and sometimes access interfaces for critical devices. So this notification seems pointless, unless you are trying to monitor every single interface, and you're relying on this notification the help you identify unmonitored interfaces. Yes, there will always be an ingress interface and an egress interface for any given flow, and one of those interfaces will often be an interface that we are not monitoring.

Support also confirmed we cannot suppress those specific notifications.

One more thing I also noticed, we seem to get these randomly. I have noticed that we do get them when NTA service starts up, but we also receive them after Netflow database maintenance. And sometimes when we receive them, I don't see any obvious trigger.

You are monitor an interface that is connected to a portchannel. This is normal cisco behavior. You can login to node and click on list resources and select the Port-channel1.7 at the very bottom

click the check box to add and then submit

I get the same behavior on physical interfaces. It is not limited to port-channels. As mentioned, if I add the interface to monitoring, it won't matter because I still see no netflow data. So Then I have the problem where a use navigates to the interface expecting to find Netflow data, and the entire page says "No Data Available". Not good.