4 Replies Latest reply on Feb 11, 2010 10:11 AM by kweise

    Manually manage NetFlow sources

    pvaldes

      Hi,

      I have a Cisco 3800 with 2x GigEthernet interface (gigE0/0 for WAN and gigE0/1 for LAN) and 40x sub-interfaces on GigEthernet0/1. I'm polling the router for NPM on all interfaces/sub-interface and NTA (monitoring only GigEthernet0/1 using "ip route-cache flow" command).

      Under NTA setting, Manually manage NetFlow sources I notice only 10x sub-interfaces are beeing monitored for Netflow. Problem for me as I have clients on all 40x sub-interface using the WAN and I would like to monitor all 40x clients traffic via NTA.

      My specs are on my signature.

      Please help.

      Thanks

        • Re: Manually manage NetFlow sources
          Andy McBride

          Hi Peter,

          Can you do a show ip flow inter command. I don't have a machine here with subinterfaces but this might show us something. Also can you take a PCAP from the NTA server? It will show what interfaces are being exported.

          Andy

            • Re: Manually manage NetFlow sources
              pvaldes

              Hi Andy,

              When I execute a "show ip flow interface" the result shows the LAN interface where the sub-interfaces are created from:

              FastEthernet0/1
                ip route-cache flow

              If I apply ip route-cache flow or ip flow ingress/ip flow egress, that covers all sub-interfaces associated with the physical interface.

              What's a PCAP?

              BTW, Netflow settings is set to "Enable automatic addition of NetFlow sources".

              Thanks

                • Re: Manually manage NetFlow sources
                  Andy McBride

                  Sorry for the acronym - PCAP is a packet capture. If you load Wireshark and capture packets on the NTA server we can see what the sources are sending. That will tell us if the issue is with the source exporter or NTA. Wireshark is freeware.

                  • Re: Manually manage NetFlow sources
                    kweise

                    Peter,

                    This might vary based on IOS version but on my 2800s and 3800s, in order to receive Netflow data from subinterfaces, I've had to add the ip route-cache flow or ip flow ingress/egress statements to the individual subinterfaces I want flow data from.  Just something you might try to see if it helps in your environment.