6 Replies Latest reply on Aug 13, 2015 7:55 PM by superfly99

    Netflow configuration on multiple interfaces and sub-interfaces

    kristian_tomol13

      Hi,

      I configured NetFlow on a Cisco router 2921 and here is my config:

        ip flow-export source Gigabitethernet 0/1
        ip flow-export source Gigabitethernet 0/2
        ip flow-export source Gigabitethernet 0/0
        ip flow-export version 5
        ip flow-export destination 131.x.x.x 2055

      I also configured this on each interface:

        Interface Gigabitethernet 0/0
         ip flow ingress
         ip flow egress
         ip route-cache flow

        Interface Gigabitethernet 0/1
         ip route-cache flow
        Interface Gigabitethernet 0/1.55
         ip flow ingress
         ip flow egress
         ip route-cache
        Interface Gigabitethernet 0/1.56
         ip flow ingress
         ip flow egress
         ip route-cache

        Interface Gigabitethernet 0/2
         ip flow ingress
         ip flow egress
         ip route-cache flow

      When I performed show run on the router, this is the configuration that appeared:

        ip flow-export source Gigabitethernet 0/0
        ip flow-export version 5
        ip flow-export destination 131.x.x.x 2055

      I noticed that the last source (Gigabitethernet0/0) that I typed was the source that was registered on the router.

      What could be the effect of this configuration?

      Gigabitethernet0/1 and Gigabitethernet0/2 are on the public side of the router. I want to monitor the traffic that is going in and out of these interfaces because I have VPN tunnels configured on these interfaces (Gigabitethernet 0/1.55 and Gigabitethernet0/1.56).

      Did I enter the right configuration for my router?

      By the way, my SolarWinds server resides on the Gigabitethernet0/0 network.

      Please help..

      Thank you very much!

        • Re: Netflow configuration on multiple interfaces and sub-interfaces
          nrms

          As I understand it, the source sets the IP address of where the flow data is coming from, and this address must match the address being used on the flow source node in SolarWinds.

          The actual data that it will send is an aggregate of the interfaces where you have put the 'ip flow [in|e]gress' lines. The 'ip flow-export source' line has nothing to do with which ports' data is actually reported.

          (This is just my best understanding based on some issues I've also had lately and from my research in resolving those. Someone else may have a better understanding and correct something I've said!)

          • Re: Netflow configuration on multiple interfaces and sub-interfaces
            zzoldi

            I had to add the flow monitor command under the subinterface:

              interface GigabitEthernet0/0/0.xxx
               encapsulation dot1Q xxx
               ip flow monitor NetFlow-Monitor input
               ip flow monitor NetFlow-Monitor output

            SolarWinds started to receive NetFlow afterwards. (I assumed you followed the SolarWinds documentation on how to send NetFlow to it.)

              flow record netflow-ipv4
               match ipv4 protocol
               match ipv4 source address
               match ipv4 destination address
               match transport source-port
               match transport destination-port
               match interface input
               collect interface output
               collect counter bytes
               collect counter packets
              !
              !
              flow exporter NetFlow-to-Orion
               destination 10.1.2.3
               source Loopback0
               transport udp 2055
              !
              !
              flow monitor NetFlow-Monitor
               description Netflow captures
               exporter NetFlow-to-Orion
               cache timeout inactive 10
               record netflow-ipv4

            • Re: Netflow configuration on multiple interfaces and sub-interfaces
              pierrejn

              I'm taking your config and re-doing it, as you have a lot of redundant information there. Only use one source; most routers and switches will not allow you to have more than one. So pick the one that Orion is using to monitor the device. This configuration should work for you just fine.

              I configured netflow on cisco router 2921 and here is my config..

                ip flow-export source {source-interface that orion is talking to} <-- This command says who (by IP address) I am.
                ip flow-export version 5
                ip flow-export destination 131.x.x.x 2055
                ip flow-cache timeout active 1 <-- (this is in minutes) This tells the router/switch to time out the connection every 60 seconds (default is 30 minutes). If you allow the default to be used you will see a spike every 30 minutes, because it groups all connections together, even the very long ones, and creates a big dump of data.
                ip flow-cache timeout inactive 15 <-- 15 is already the default in seconds, but it doesn't hurt to make sure.

                snmp-server ifindex persist <-- This command maintains the interface index from when the system came up. If this command is not set you will have a different ifindex for the interfaces whenever the router/switch is rebooted, and it will cause you headaches because your flows moved. We like to keep things consistent.

              I also configured this on each interface:

                Interface Gigabitethernet 0/0
                 ip flow ingress <-- command says to track flows on RX
                 ip flow egress <-- command says to track flows on TX

                Interface Gigabitethernet 0/1
                 ip route-cache flow <-- this command is really not needed unless you have actual traffic going over the g0/1 and not the sub-interfaces using the whole bandwidth.
                Interface Gigabitethernet 0/1.55
                 ip flow ingress
                 ip flow egress
                Interface Gigabitethernet 0/1.56
                 ip flow ingress
                 ip flow egress
                Interface Gigabitethernet 0/2
                 ip flow ingress
                 ip flow egress
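
Added example (not part of any post in this thread, and not SolarWinds or Cisco code): a small Python check that reads a classic-NetFlow running-config and reports the points raised in the replies above, namely which `ip flow-export source` is effective when several were typed, whether the active timeout and `snmp-server ifindex persist` are set, and which interfaces lack `ip flow ingress` or `ip flow egress`. The function name `audit_netflow` and the sample config (built from the first post's commands, with interface names written without the space) are constructed for illustration.

```python
import re

# Constructed sample: commands from the first post, in the order they were typed.
SAMPLE_CONFIG = """\
ip flow-export source GigabitEthernet0/1
ip flow-export source GigabitEthernet0/2
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 131.x.x.x 2055
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
interface GigabitEthernet0/1
 ip route-cache flow
interface GigabitEthernet0/1.55
 ip flow ingress
 ip flow egress
"""

def audit_netflow(config):
    """Return (effective_source, {interface: directions}, findings)."""
    sources, monitored, findings, current = [], {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a global line ends any interface block
            m = re.match(r"interface\s+(\S+)$", line, re.I)
            current = m.group(1) if m else None
            if current:
                monitored[current] = set()
        m = re.match(r"ip flow-export source\s+(\S+)$", line)
        if m:
            sources.append(m.group(1))
        m = re.match(r"ip flow (ingress|egress)$", line)
        if m and current:
            monitored[current].add(m.group(1))
    if len(sources) > 1:                     # per the thread, only the last one is kept
        findings.append("multiple export sources; effective: " + sources[-1])
    if not re.search(r"^ip flow-cache timeout active \d+", config, re.M):
        findings.append("active timeout not set")
    if not re.search(r"^snmp-server ifindex persist", config, re.M):
        findings.append("ifindex persistence not set")
    for name, dirs in monitored.items():     # informational for a parent of sub-interfaces
        for missing in sorted({"ingress", "egress"} - dirs):
            findings.append(f"{name}: no ip flow {missing}")
    return (sources[-1] if sources else None), monitored, findings

if __name__ == "__main__":
    print(audit_netflow(SAMPLE_CONFIG))
```

The effective source it reports is the interface whose IP address the collector will see as the exporter, so that is the address to compare against the node Orion monitors.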