5 Replies Latest reply on Oct 14, 2010 5:47 PM by jswan

    Netflow configuration on a Cisco 1800 v 12.4

    delphi

      Hi, I am currently configuring NTA and cisco routers. I am successful  by getting the router to export data to my Orion server, but it seems I  am missing flows from the Tunnel interfaces.

      The Router has one external interface fa0/0 and two tunnel interfaces(esp gre) which I want to monitor. I have set up Loopback0 to be the netflow source.  Does anyone know what the best practise is for the configuration when  you have one physical interface and two logical interfaces you want to  monitor? This is a remote site reporting to a central npm installation.

      Thanks alot.

        • Re: Netflow configuration on a Cisco 1800 v 12.4
          jswan

          You can do it however you want--put your "ip flow ingress|egress" commands on the tunnel interaces if you want to see NetFlow stats on the traffic inside the tunnels; put them on the physical interface if you want to see the traffic categorized as tunnel traffic (i.e., it will show up as IP protocol 47). You could even do both if you want.

            • Re: Netflow configuration on a Cisco 1800 v 12.4
              delphi

              On our current config we are exporting data from both the WAN interface and the tunnel interfaces with the commands ip flow ingress|egress, but it seems NTA has problems displaying the data. It seems fine from the physical interface, but not from the tunnel interface. Are these the only commands available for the interface configuration? I am also running version 9 of netflow. Is it so that you do not need to use route-cache flow any more at all?

               

              Thank you for your answer.

                • Re: Netflow configuration on a Cisco 1800 v 12.4
                  jswan

                  I haven't tried it with NetFlow v9. With v5 I have a bunch of tunnel interfaces with just "ip flow ingress|egress" on them, and it seems to work fine (the tunnel interfaces do have to be monitored by NPM, of course). I assume you're using the default GRE encapsulation on your tunnels and not something weird like IPinIP.

                  I guess I'd open a support ticket if the physical interface is working and the tunnel interfaces aren't.

                    • Re: Netflow configuration on a Cisco 1800 v 12.4
                      delphi

                      Thanks for the reply, I can actually see some data. For instance if I ping the external router on its private IP adress and the packets go through the tunnel I can see the icmp packets. However Orion shows that there is up to 4mbit utilization on the tunnel, but I cannot see the incoming traffic, though I sometimes see eigrp and udp traffic. So here's a question and I have tried to make sense of it, but what is the real difference between ip route-cache flow and ip flow ingress | egress? There is alot of different threads about it, but is  ip route-cache flow required on any interface at all? If so, which interface should it be enabled on? All interfaces I am currently monitoring with ingress | egress or just the WAN port? I read that ip route-cache flow will enable flows on all subsequent sub-interfaces. Does this mean the LAN interface fa0/1 or the logical interfaces aswell? It seems strange if the  WAN and tunnel interfaces already are configured with ingress | egress. Is the use of the snmp-server ifindex persist command a best practise and in what cases?

                       

                      Cheers!


                        • Re: Netflow configuration on a Cisco 1800 v 12.4
                          jswan

                          As far as I know, "ip route-cache flow" is just the deprecated version of "ip flow ingress". I don't think there's any reason to use it on new platforms.

                          I personally haven't had a problem with ifIndex IDs changing under me, but I can't see how enabling that command would cause a problem.

                          Regarding seeing the traffic in the tunnel: can you see the traffic via the CLI using "show ip cache flow"? If so, then you're probably looking at a NTA config problem. If not, you're probably looking at an IOS config problem.