Net Flow help
Hi, anyone with NetFlow experience?
The back story is that this router was set up to export NetFlow to the collector 10.1.1.1 using the #IP flow-export destination 10.1.1.1 9999, and #ip flow ingress configured under each of three interfaces. I then decided to test the flow record / flow monitor and flow exporter to a new collector 10.2.2.2 (Flexible NetFlow), so I set up the config as below and assigned the monitor to a single interface.
What I find is happening is that the collector at 10.2.2.2 is seeing the flows from all 3 interfaces, not just GigabitEthernet0/1 that it is assigned to. I assume the problem is to do with using the two formats to configure NetFlow, but currently I would like to keep the old one in place till we have fully implemented the new collector with all the filters and alerting from the old one.
Any thoughts on how to tidy it up?
EXISTING CODE
ip flow-export version 5
ip flow-export destination 10.1.1.1 9999
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
NEW CODE
flow record Prime_janet
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect ipv4 dscp
 collect interface output
 collect flow direction
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!
!
flow exporter Prime_1
 destination 10.2.2.2
 template data timeout 60
 option interface-table
 option application-table
!
!
flow monitor Prime_janet
 record Prime_janet
 exporter Prime_1
 cache timeout active 60
Interface Config
interface GigabitEthernet0/0
 ip flow ingress
interface GigabitEthernet0/1
 ip flow monitor Prime_janet input
 ip flow ingress
interface GigabitEthernet0/2.1000
 ip flow ingress
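An added example, not part of the original post and not Cisco tooling: a small Python check that reads interface configuration and reports which interfaces carry traditional `ip flow ingress`, a Flexible NetFlow `ip flow monitor`, or both at once. The function names are assumptions, and the sample input is the interface section as posted above; it only inventories the configuration and does not decide what causes the extra flows.

```python
import re

# Constructed sample: the interface section as posted in the question above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip flow ingress
interface GigabitEthernet0/1
 ip flow monitor Prime_janet input
 ip flow ingress
interface GigabitEthernet0/2.1000
 ip flow ingress
"""

# Traditional NetFlow is enabled per interface with "ip flow ingress|egress".
TRADITIONAL = re.compile(r"^ip flow (ingress|egress)$")
# Flexible NetFlow attaches a named monitor with a direction.
FLEXIBLE = re.compile(r"^ip(?:v6)? flow monitor (\S+) (input|output)$")


def audit_flow_config(config_text):
    """Map each interface to the traditional and Flexible NetFlow commands on it."""
    report, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()  # works whether or not the paste kept its indentation
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            report[current] = {"traditional": [], "flexible": []}
        elif current is None or not line or line == "!":
            continue
        elif (m := TRADITIONAL.match(line)):
            report[current]["traditional"].append(m.group(1))
        elif (m := FLEXIBLE.match(line)):
            report[current]["flexible"].append((m.group(1), m.group(2)))
    return report


def mixed_interfaces(report):
    """Interfaces where both configuration styles are applied at once."""
    return sorted(n for n, e in report.items() if e["traditional"] and e["flexible"])


if __name__ == "__main__":
    result = audit_flow_config(SAMPLE_CONFIG)
    for name, entry in result.items():
        print(name, entry)
    print("both styles on:", mixed_interfaces(result))
```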
Comments
Why would this stop the collection on the other interfaces?
The old collector is our current solution; I would like to set up the new collector completely before I kill off the old one. I could set up a new flow monitor for the existing flows, but really I don't want to touch that config if I can help it.
http://docwiki.cisco.com/wiki/Migrating_from_Traditional_to_Flexible_NetFlow
See bottom