Net Flow help
Hi, anyone with net-flow experience?
The back story is that this router was set up to export net flow to the collector 10.1.1.1 using the #IP flow-export destination 10.1.1.1 9999, and #ip flow ingress configured under each of three interfaces. I then decided to test the flow record / flow monitor and flow exporter to a new collector 10.2.2.2 (flexible net-flow), so set up the config as below and assigned the monitor to a single interface.
What I find is happening is that the collector at 10.2.2.2 is seeing the flows from all 3 interfaces, not just GigabitEthernet0/1 that it is assigned to? I assume the problem is to do with using the two formats to configure net-flow, but currently I would like to keep the old one in place till we have fully implemented the new collector with all the filters and alerting from the old one.
Any thoughts on how to tidy it up?
EXISTING CODE
ip flow-export version 5
ip flow-export destination 10.1.1.1 9999
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
NEW CODE
flow record Prime_janet
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect ipv4 dscp
 collect interface output
 collect flow direction
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!
!
flow exporter Prime_1
 destination 10.2.2.2
 template data timeout 60
 option interface-table
 option application-table
!
!
flow monitor Prime_janet
 record Prime_janet
 exporter Prime_1
 cache timeout active 60
Interface Config
interface GigabitEthernet0/0
 ip flow ingress
interface GigabitEthernet0/1
 ip flow monitor Prime_janet input
 ip flow ingress
interface GigabitEthernet0/2.1000
 ip flow ingress
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com
Comments
-
DevilWAH Member Posts: 2,997
I guess no one then
-
cjaco0667 Registered Users Posts: 2
Have you tried to add match interface output and collect interface input within the flow record?
flow record Prime_janet
 match interface output
 collect interface input
-
DevilWAH Member Posts: 2,997
I will try that but could you elaborate on this?
Why would this stop the collection on the other interfaces?
-
xXErebuS Member Posts: 230
Have you tried removing the ip flow ingress? Or do you still want it monitored just not sent to a collector?
-
DevilWAH Member Posts: 2,997
I want the ip flow ingress to still be sent to the original collector, and the new flow monitor flows sent to the new collector. So need them both working.
The old collector is our current solution, I would like to set up the new collector completely before I kill off the old one. I could set up a new flow monitor for the existing flows, but really I don't want to touch that config if I can help it.
-
xXErebuS Member Posts: 230
Everything I have found points to it being the ip flow ingress. To have both in tandem, maybe set up like this, then remove the ingress command.
http://docwiki.cisco.com/wiki/Migrating_from_Traditional_to_Flexible_NetFlow
See bottom
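
A sketch of the arrangement the last reply describes, added here as an example and not posted by anyone in the thread: the old collector is fed from its own Flexible NetFlow monitor, so `ip flow ingress` can be removed and each collector only receives flows from the interfaces its monitor is attached to. The names OLD_COLLECTOR and LEGACY_V5 are assumptions; addresses, port and interface names are taken from the original post.

```cisco
! Added example, not from the thread. OLD_COLLECTOR and LEGACY_V5 are assumed names.
!
! Exporter for the existing collector, still speaking NetFlow v5 on UDP 9999
flow exporter OLD_COLLECTOR
 destination 10.1.1.1
 transport udp 9999
 export-protocol netflow-v5
!
! Predefined record that mirrors the traditional v5 input flow keys.
! Traditional "ip flow-cache timeout active 5" is in minutes;
! Flexible NetFlow cache timeouts are in seconds, hence 300.
flow monitor LEGACY_V5
 record netflow ipv4 original-input
 exporter OLD_COLLECTOR
 cache timeout active 300
 cache timeout inactive 10
!
! Attach the legacy monitor wherever "ip flow ingress" was configured,
! then remove the traditional command.
interface GigabitEthernet0/0
 ip flow monitor LEGACY_V5 input
 no ip flow ingress
!
! Only this interface also feeds the new collector at 10.2.2.2
interface GigabitEthernet0/1
 ip flow monitor LEGACY_V5 input
 ip flow monitor Prime_janet input
 no ip flow ingress
!
interface GigabitEthernet0/2.1000
 ip flow monitor LEGACY_V5 input
 no ip flow ingress
!
! Once the old collector is confirmed to be receiving from LEGACY_V5,
! the global "ip flow-export" lines can be removed.
!
! Checks to run from exec mode:
!   show flow interface GigabitEthernet0/1
!   show flow monitor Prime_janet cache
!   show flow exporter Prime_1 statistics
```

On the new collector, the input interface field in records from Prime_janet should then only ever carry the ifIndex of GigabitEthernet0/1.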