1 Reply Latest reply on Feb 17, 2012 6:11 PM by mavturner

    Router 1841 IOS 12.4 and ingress flow

    riccardo

      Hi guys,

      Just using NTA to monitor internet bandwidth on multiple sites. I have no problems where I am using ASA firewalls or 2900 or 2800 routers, but where I am using an 1841 as the internet gateway, I can only see the EGRESS traffic from the public interface, even though the NetFlow summary correctly shows me the traffic in and out speed on the interface.

      Here is some of the configuration and some outputs. Any idea?

      #sho ver
      Cisco IOS Software, 1841 Software (C1841-IPBASEK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)

      #sho run int fa 0/0
      interface FastEthernet0/0
       ip address x.x.x.x 255.255.255.240
       ip access-group internet-filter in
       no ip redirects
       no ip unreachables
       no ip proxy-arp
       ip flow ingress
       ip nat outside
       ip virtual-reassembly
       no ip route-cache cef
       duplex auto
       speed auto
       no cdp enable
      end

      ip flow ingress is also applied to all internal interfaces

      ip flow-export source FastEthernet0/0/0.20
      ip flow-export version 9
      ip flow-export destination 192.168.x.x 2055

      #sho ip flow export
      Flow export v9 is enabled for main cache
        Export source and destination details :
        VRF ID : Default
          Source(1)       192.168.x.x (FastEthernet0/0/0.20)
          Destination(1)  192.168.x.x (2055)
        Version 9 flow records
        1197764 flows exported in 54922 udp datagrams
        0 flows failed due to lack of export packet
        0 export packets were sent up to process level
        1 export packets were dropped due to no fib
        0 export packets were dropped due to adjacency issues
        0 export packets were dropped due to fragmentation failures
        0 export packets were dropped due to encapsulation fixup failures

      #sho ip cache flow
      IP packet size distribution (17670009 total packets):
         1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
         .000 .420 .129 .016 .023 .008 .008 .017 .008 .011 .013 .020 .011 .011 .009

          512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
         .004 .003 .005 .154 .121 .000 .000 .000 .000 .000 .000

      IP Flow Switching Cache, 278544 bytes
        83 active, 4013 inactive, 1190725 added
        26472249 ager polls, 0 flow alloc failures
        Active flows timeout in 30 minutes
        Inactive flows timeout in 15 seconds
      IP Sub Flow Cache, 34056 bytes
        83 active, 941 inactive, 1190723 added, 1190723 added to flow
        0 alloc failures, 0 force free
        1 chunk, 2 chunks added
        last clearing of statistics never
      Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
      --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
      TCP-WWW         118501      0.1        27   140      5.4       3.4       8.7
      TCP-SMTP            33      0.0       986   976      0.0       9.9       1.5
      TCP-BGP          19138      0.0         2    49      0.0       8.0      15.4
      TCP-other       260769      0.4        21   210      9.4       8.4      10.0
      UDP-DNS         149542      0.2         1    69      0.2       0.0      15.4
      UDP-NTP          80162      0.1         1    76      0.1       0.0      15.4
      UDP-other       481839      0.8        17   578     13.9       3.2      15.4
      ICMP             73582      0.1         1    85      0.2       1.7      15.5
      GRE               7076      0.0         3   143      0.0       9.4      15.4
      Total:         1190642      2.0        14   369     29.7       3.8      13.6

      -------------removed the ip to ip flow part--------------------

      Thank you,

      R

        • Re: Router 1841 IOS 12.4 and ingress flow
          mavturner

          riccardo, it might be best to go ahead and open a support case (reference this thread when you do). 

          Here are some comments from one of our support guys, who I asked to look at your post:

          With the information provided, the only thing I see that might be causing the issue is the access-list applied, "ip access-group internet-filter in", or another access-list.

          The Egress traffic that is being collected is collected from the other interfaces.

          Since they are performing NAT on the public interface, I would recommend having both Ingress and Egress on the other interfaces. This should capture Ingress on the public interface when going in the Egress direction on the internal interfaces.
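
One way to confirm the symptom from the router's own cache, before or after changing the interface configuration, is to tally the per-flow lines of `show ip cache flow` by SrcIf and DstIf. This is an added example, not part of either post; the sample lines are constructed (the thread removed that part of the output), `Fa0/1` is an assumed internal interface name, and the helper names are hypothetical.

```python
import re

# Constructed sample of the per-flow lines of `show ip cache flow`
# (documentation addresses; interface names are assumptions).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         192.0.2.10      Fa0/0         198.51.100.7    06 C3A1 0050    12
Fa0/1         192.0.2.11      Fa0/0         198.51.100.9    11 D2F0 0035     1
Fa0/0/0.20    192.0.2.20      Fa0/0*        203.0.113.5     06 E001 01BB    40
Fa0/1         192.0.2.10      Local         192.0.2.1       01 0000 0800     3
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
FLOW_RE = re.compile(
    rf"^(?P<src_if>\S+)\s+(?P<src_ip>{IP})\s+(?P<dst_if>\S+)\s+(?P<dst_ip>{IP})\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\S+)$"
)

def parse_flows(text):
    """Return one dict per flow line; headers and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flow = m.groupdict()
        # IOS marks egress-NetFlow entries with '*' after DstIf; record and strip it.
        flow["egress_marked"] = flow["dst_if"].endswith("*")
        flow["dst_if"] = flow["dst_if"].rstrip("*")
        # Pr, SrcP and DstP are printed in hexadecimal.
        for key in ("proto", "sport", "dport"):
            flow[key] = int(flow[key], 16)
        flows.append(flow)
    return flows

def direction_counts(flows, interface):
    """Count cached flows that entered (SrcIf) or left (DstIf) the interface."""
    return {
        "ingress": sum(f["src_if"] == interface for f in flows),
        "egress": sum(f["dst_if"] == interface for f in flows),
    }

def ingress_missing(flows, interface):
    """True when the interface only ever appears as DstIf, as in this thread."""
    counts = direction_counts(flows, interface)
    return counts["egress"] > 0 and counts["ingress"] == 0

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for ifname in ("Fa0/0", "Fa0/1"):
        print(ifname, direction_counts(flows, ifname), ingress_missing(flows, ifname))
```

If the public interface never shows up in the SrcIf column, the router is not caching inbound flows on it at all, so the gap is on the device rather than in the collector.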