8 Replies Latest reply on Sep 14, 2007 3:10 PM by rlawsha

    Using NetFlow on a VLAN

    rlawsha

      We have a Cisco 2821 router with two gig Ethernet ports. One of these ports connects to our LAN and the other port connects to the internet. NetFlow monitors both those ports and it works fine.


      We added a 4 port 100 meg Ethernet card into that router. Cisco treats those ports as layer 2 devices, so to set an IP address on those ports you have to create a VLAN. I can't seem to get NetFlow to monitor either the Ethernet interface or the VLAN. Is this possible?

        • Re: Using NetFlow on a VLAN
          Josh Stephens

          rlawsha,

          Yes, usually this is possible. NetFlow reports on traffic traversing between different layer 3 connections. So, I would expect that if you're routing from either of the two other interfaces to/from the VLAN, you should be seeing NetFlow data.

          Thanks,

          Josh Stephens
          SolarWinds

            • Re: Using NetFlow on a VLAN
              rlawsha

              I can't figure out why I get no data on my VLAN then. On the VLAN interface I have the command IP ROUTE-CACHE FLOW just like I do on the other interfaces. I also have the following in my main config area:


              ip flow-export source GigabitEthernet0/0
              ip flow-export version 5
              ip flow-export destination 10.10.245.1 2055
              ip flow-top-talkers
               top 20
               sort-by bytes


              If I do a SHO IP FLOW EXPORT I see that all 3 of my interfaces (gig0, gig1, vlan1) show ip route-cache flow on them. But when I select the interface in the Orion web site netflow area it says there is no data to view.

                • Re: Using NetFlow on a VLAN
                  Josh Stephens

                  rlawsha,
                  I'm a bit confused. You mention that you're trying to receive netflow records for vlan1 but the config snippet above references a gig-e port. Have you configured the VLAN interface for netflow export?

                  The next step would be to use a protocol analyzer and take a packet capture of the data leaving the router to see if it's exporting these records.

                  Thanks,
                  Josh
                   

                    • Re: Using NetFlow on a VLAN
                      rlawsha

                      As far as I can tell the command: ip flow-export source interface is a global command and can only reference one interface.

                      On each interface you want to monitor you put the command: ip route-cache flow.

                        • Re: Using NetFlow on a VLAN
                          Josh Stephens

                          rlawsha,
                          Sorry about that. I misread the post. Yes, you are of course correct - this command is global.

                          If you have entered the ip route-cache flow command for the VLAN interface, then I have two thoughts. First, are you certain that traffic is routing in/out of that interface?

                          Secondly, I'm wondering if the routing engine in this model of router processes traffic from the internal interface differently and therefore may not generate NetFlow records.

                          One last thing. I've seen cases where adding an interface to a router and then trying to add the interface for Netflow doesn't work until you completely remove all of the netflow config and then start over. This has happened to me many times in the lab...

                          Thanks,
                          Josh
                           

                            • Re: Using NetFlow on a VLAN
                              rlawsha

                              I am certain netflow traffic is flowing out of that interface. I can look at it from the router command prompt. I had read in another post (Re: Prolem with 6509 VLAN Interface) that I may need to wait for version 9 of netflow to be supported by Orion before I can see it, or I may have to enable mls. That is, if my 2821 router has the same problem as that 6509 switch.


                               


                              Can you give me some pointers on how to totally remove the netflow config and start over? That seems like it wouldn't be too hard :)


                    • Re: Using NetFlow on a VLAN

                       It's important to remember that NTA joins up the NetFlow traffic with the Interfaces managed by Orion via the SNMP Interface index.  If you're not managing the interface(s) that appear in the NetFlow data, NTA won't process it.  Some Catalyst devices (and maybe some other Cisco devices) have certain config options that will export NetFlow data with the interface indexes set to zero, which prevents NTA from analyzing that traffic.

                       Don't know if this is related to your particular issue, but it seemed like it might be pertinent.
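                       As an added illustration (not code from this thread or from SolarWinds), the following Python decodes a NetFlow v5 export like the one rlawsha's router sends, counts records per ifIndex, and flags the zero or unmanaged ifIndex values that NTA cannot join to an Orion-managed interface. The packet bytes, addresses and ifIndex numbers are constructed for the example, not taken from the thread.

```python
"""Decode a NetFlow v5 export and audit the ifIndex values it carries."""
import ipaddress
import struct
from collections import Counter

# NetFlow v5 wire layout (big-endian): 24-byte header, then 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5_packet(records):
    """Constructed export; records are (src, dst, input_ifindex, output_ifindex, octets)."""
    header = V5_HEADER.pack(5, len(records), 1000, 1189800000, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, in_if, out_if, octets in records:
        body += V5_RECORD.pack(
            ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
            b"\x00" * 4, in_if, out_if, 1, octets, 900, 1000,
            0, 0, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + body

def parse_v5(packet):
    """Return the flow records of one v5 export as dicts (version check included)."""
    version, count = V5_HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 export, version field is %d" % version)
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.ip_address(f[0])),
                      "dst": str(ipaddress.ip_address(f[1])),
                      "input": f[3], "output": f[4], "octets": f[6]})
    return flows

def audit_ifindex(flows, managed):
    """Count records per ifIndex; 'unmapped' counts indexes NTA cannot join
    to an Orion-managed interface (zero, or not in the managed set)."""
    per_if, unmapped = Counter(), 0
    for f in flows:
        for idx in (f["input"], f["output"]):
            per_if[idx] += 1
            if idx == 0 or idx not in managed:
                unmapped += 1
    return {"per_interface": dict(per_if), "unmapped": unmapped}

if __name__ == "__main__":
    # Constructed sample: ifIndex 1/2 stand for the gig ports, 5 for Vlan1, plus one record exported with ifIndex 0.
    pkt = build_v5_packet([("10.10.1.5", "192.0.2.10", 5, 2, 1500), ("192.0.2.10", "10.10.1.5", 2, 5, 700),
                           ("10.10.0.9", "10.10.1.5", 1, 5, 300), ("10.10.1.5", "10.10.0.9", 0, 0, 100)])
    print(audit_ifindex(parse_v5(pkt), managed={1, 2, 5}))
```

Pointing this at a capture of the UDP payload sent to the collector port (2055 in the config above) shows whether the VLAN's ifIndex ever appears in the export before blaming the collector side.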
                       

                        • Re: Using NetFlow on a VLAN
                          rlawsha

                          I got it working!  I ended up going into NPM and deleting the node altogether. I then re-added the node along with the right interfaces all in one fell swoop. I updated my map, so far so good. Then I went into the web interface and the netflow config....  It was confused, timed out and then went all wacky on me. All kinds of interfaces from all of my routers showed up. I probably should have deleted the netflow config before I deleted and then re-added the node.


                          I had to reboot the server and then go into SQL manager and edit the netflow sources table. I removed all the extra entries and saved the table. Then I went back into the web interface and into the netflow admin. Only the three interfaces I wanted were there, including the VLAN! Yeah! And all three interfaces were collecting netflow data.


                          So all is fine now. I think my error was adding interfaces one at a time for that node and not keeping netflow in sync with my changes. Best bet seems to be delete the netflow config, delete the node, re-add the node with the right interfaces, configure netflow....