13 Replies Latest reply on Aug 21, 2007 3:59 PM by kbrewer

    Configure Cisco Router for Netflow


      I have spend many days trying to get my Cisco routers (12.4) working with the Network Traffic Anaysis and nothing seems to be working (no firewalls are blocking).

       Can someone provide a cisco config that actually works with this tool?  Ideally, I want to capture sub-interfaces and also our WAN interface (multilink and/or serial interfaces). 

      interface Multilink1
      ip flow egress

      ip flow-export source Multilink 1
      ip flow-export version 9 (have tried ver 5 as well)
      ip flow-export destination x.x.x.x 2055

       In the network analsysis site

      NetFlow Receiver Service [server] is receiving a NetFlow data stream from an unmanaged interface on 172.x.x.x. The NetFlow data stream will be discarded. Please use the Orion System Manager to add Interface #14 in order to process this NetFlow data stream.

       
      What does it mean by Interface #14? We only have 4 interfaces on the router.  All interfaces are setup in Orion. 
        • Re: Configure Cisco Router for Netflow
          mark wiggans

          Use version 5 - then add all the interfaces on the router to Orion and then add them all to NetFlow.

          The ones sending data (the netflow packets tagged with the interface id) will show up on the website with a "Time  data received" timestamp. You can then delete the interfaces you do not need.

          Those will say "Never".

          Interfaces are assigned by Orion. Look at the interface details in the system manager to find interface 14. 

           

          also try this for catalyst http://www.solarwinds.com/support/Netflow/docs/OrionNetFlowSwitches.pdf

          Hope that helps... 

          • Re: Configure Cisco Router for Netflow

             I have ALL interfaces added in Orion and Netflow but still nothing shows up.  I see "never" for all interfaces and if I click on any of the intefaces it shows nothing.  I can see my router sending the netflow traffic. 

             What about that beta that was suppose to configure the router for you? This should not be this difficult to monitor my traffic.
             

            • Re: Configure Cisco Router for Netflow
              joesim123

              Here's the perfect small config...


              ip flow-cache timeout active 1
              ip flow-export source Loopback0
              ip flow-export version 5
              ip flow-export destination 10.245.8.36 9995


              Then on your interfaces...I'll use two examples:


              interface FastEthernet0/0
               ip route-cache flow
              !
              !
              interface Serial0/0/0
               ip route-cache flow


              Notes: In the "ip flow-export source Loopback0" the source interface needs to be in Solarwinds Orion somewhere...either as the node IP or being monitored by Orion.  Secondly, in your example, you changed the destination port to 2055.  The standard default is 9995 and Orion Netflow app its set to listen on 9995.

                • Re: Configure Cisco Router for Netflow
                  Eric E

                  I'm trying out the evaluation and I'm having trouble setting Netflow up on the routers.

                   Router - Cisco 1711
                   

                   


                  ip flow-cache timeout active 1
                  ip flow-export source FastEthernet 0
                  ip flow-export version 5
                  ip flow-export destination 10.1.3.45 9995


                  Should I be setting up " ip route-cache flow" on each interface?

                  FastEthernet 0 - To the Internet
                  FastEthernet 1 - To computer
                  FastEthernet 2 - To computer
                  FastEthernet 3 - To computer
                  FastEthernet 4 - To computer
                  Tunnel 11 - VPN tunnel to home office
                   

                  • Re: Configure Cisco Router for Netflow

                    1)If you configure Fastether0/0 with the ip route-cache command will it include all sub-interfaces? I tried adding that command to a sub-interface and its not an option. 

                    (config)#int fas0/0.34
                    (config-subif)#ip route-cache ?
                      same-interface  Enable fast-switching on the same interface
                      <cr>

                    2)Do you need to add the ingress/egress command on each interface or just the loopback?  What is the difference between ingress/egress?
                    Ex.)    LAN ----- > ROUTER ------- WAN
                    What happens when ingress is configured on the router?  Does it capture traffic coming from the WAN or traffic from the LAN?

                    3) The port that was configured when I installed the app was 2055.  No biggie as long as they set on both sides
                     

                      • Re: Configure Cisco Router for Netflow
                        joesim123

                        Make sure your using the command "ip route-cache flow"


                        For sub-interfaces, simply add the command to the primary interface....not the subs.  The subs won't take it as you know.  Adding it to the primary interface enables all the sub interfaces for NetFlow.


                        In the Orion NetFlow setup area, make sure you add the primary and/or subs to netflow in Orion.....depending on what your trying to get.


                        No need to use the ingress/egress commands if your using the 'ip route-cache flow' statement.  They are just alternative commands.


                        The rule of thumb for using Netflow is this:  On a L3 device, you should add NetFlow to EVERY L3 interface on the device to make sure you capture all possible flows.


                        If you have a router with 5 interfaces, add 'ip route-cache flow' to all five interfaces.  If you have a L3 switch, like a 6500, add NetFlow (ip route-cache flow) to every L3 interface on the switch.


                          • Re: Configure Cisco Router for Netflow

                             I'm still having issues getting the sub-interfaces to report (the WAN and second Gig interface work (no subs on this interface).  Here is an example config I am using.

                            The subinteface is setup in Orion and Neflow.  Any thoughts?

                            interface GigabitEthernet0/0
                             no ip address
                             ip route-cache flow
                             no keepalive
                            !
                            interface GigabitEthernet0/0.3
                             encapsulation dot1Q 3
                             ip address 172.x.x.2 255.255.255.0
                             no ip redirects
                             standby 3 ip 172.x.x.1
                             standby 3 priority 110
                             standby 3 preempt

                              • Re: Configure Cisco Router for Netflow
                                joesim123

                                Well, I have two suggestions and a question:


                                1.  Do a SHOW IP CACHE FLOW command and look at the top of the output.  Do you see flows for the sub-interface in question?  You may need to do this command a few times and study the output.  If you do not see any flows for your sub-interface, Orion is not the problem.


                                2.  Make sure your interface GigabitEthernet0/0 is being monitored in Solarwinds...at least for traffic.  Also, do you have NetFlow setup on ALL the L3 interfaces on this device?


                                3.  What is the L3 device...a 6500? a 7200?

                                  • Re: Configure Cisco Router for Netflow

                                    1.  Do a SHOW IP CACHE FLOW command and look at the top of the output.  Do you see flows for the sub-interface in question?  You may need to do this command a few times and study the output.  If you do not see any flows for your sub-interface, Orion is not the problem.

                                    I do see the netflows for the subinterfaces.   Here is an example of one.   

                                    SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
                                    Gi0/0.8       172.x.x.37     Gi0/0.205*    172.x.x.7      11 007B 007B     1 

                                    2.  Make sure your interface GigabitEthernet0/0 is being monitored in Solarwinds...at least for traffic.  Also, do you have NetFlow setup on ALL the L3 interfaces on this device?

                                    Gig0/0 is being monitored in Orion and setup in Netflow.  I didn't have netflow setup on all interfaces (just the serial and gig interfaces).  I tried adding all interfaces in Netflow with no luck.

                                    3.  What is the L3 device...a 6500? a 7200?

                                    The device is 28xx or 38xx router.  I haven't gotten to the L3 switches yet.  

                                     


                                      • Re: Configure Cisco Router for Netflow
                                        joesim123

                                        Well, if your seeing flows on the router...that's a good thing.  You know flows are there.  I would also do a SHOW IP ROUTE-CACHE FLOW and make sure its exporting the flows.


                                         Now, make double sure your export port is the same in Orion and the router.  Check this in the ADMIN - Netflow setup area in Orion's web interface.


                                        Next, I would stop and restart the NetFlow service.  Wait 5 min. and check.


                                        I'm assuming your using Orion 8.1 and NetFlow 2.1 ....both fully patched.


                                        If none of that works....sorry....check back with support  :( 


                                        • Re: Configure Cisco Router for Netflow

                                          On my 2800 and 3800 routers these are the commands I use to get them exporting.


                                          Ip flow-export destination xxx.xxx.xxx.xxx 2055


                                          Ip flow-export source loopback 0


                                          Ip flow-export version 5


                                          Interface serial0/0/0.xx


                                           Ip flow ingress


                                           


                                           


                                          Loopback0 is the interface I use to monitor my devices.