RE: [Cflowd] dst IP only Multicast

From: Pranav Shah (pranav@exchange.napster.com)
Date: Fri Mar 22 2002 - 13:54:13 PST


Hey Marcus..
 
I have removed the flow-export aggregation; however, I still see the same
thing. One thing I did notice was that in my flow directory, there are two
flow files being generated and being updated. One is x.x.x.x.flows.[0-9]
(x.x.x.x is the router sending the flows) and the second is the normal
flows.* files.
 
Using flowdumper to see the contents of x.x.x.x.flows.* gives me the src and
the dst IPs correctly. However, doing flowdumper on the flows.* directory gives
me all multicast addresses in my destination IP. I have read through all
the Cisco docs on NetFlow, but it seems all is properly configured. I cannot
figure it out.
 
Pranav
 

-----Original Message-----
From: Marcus Beaman [mailto:marcus.beaman@state.or.us]
Sent: Thursday, March 21, 2002 3:45 PM
To: Pranav Shah
Subject: RE: [Cflowd] dst IP only Multicast

I'm not sure that you need the "ip flow-aggregation cache as" line, as that
looks like it aggregates only the following information:
The aggregated NetFlow data export records report the following:

* Source and destination BGP autonomous system
* Number of packets
* Number of flows summarized by the aggregated record
* Number of bytes summarized by the aggregated record
* Output and input interfaces
* Timestamp when the first packet is switched and timestamp when the
last packet is switched

You might try removing the line (my configs are like that), which will
increase your flow file sizes but gives you all flow information. In
addition, since netflows only tally data on an interface's input traffic, you
need the "ip route-cache flow" statement on all interested interfaces.
Since I want to see inbound/outbound traffic to the Internet, I put "ip
route-cache flow" on my ISP interface (inbound stats from the Internet =
inbound traffic) and on my network interface (inbound from my network to
internet = outbound traffic). If you still want to aggregate (does it work
with version 5? I know it does with 8), you might try the "ip
flow-aggregation cache protocol-port" since this includes src/dst IPs
(http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/netflow.htm#80372)
 
Make sure you also have the requirements for aggregating:
You must take these prerequisites into consideration before configuring the
NetFlow Aggregation feature:

* Ensure that the following functionality is configured on your system
before you configure an aggregation cache:

        * IP routing

        For information on IP routing configuration, refer to the Cisco IOS
Release 12.0 Network Protocols Configuration Guide, Part 1.

        * Cisco Express Forwarding (CEF)

        For information on CEF configuration, refer to the Cisco IOS Release
12.0 Switching Services Configuration Guide.

        * NetFlow switching

        For information on NetFlow configuration, refer to the Cisco IOS
Release 12.0 Switching Services Configuration Guide and the

* If you intend to use a version 8 aggregation cache, configure a
version 5 main cache.

* If you need autonomous system information from the aggregation, make
sure to specify the <peer-as | origin-as> options in your export command if
you have not configured an export version.

Good Luck,
 
-Marcus
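
A diagnostic sketch for the symptom discussed in this thread, added here and not part of either message or of cflowd: it decodes a NetFlow version 5 export datagram, flags destinations in the multicast range, and declines to decode datagrams whose header carries another version (such as the version 8 aggregation exports mentioned above). The function names and the sample datagrams are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v5 layout: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_export(datagram):
    """Return (version, flows); flows is None unless the datagram is v5."""
    if len(datagram) < 2:
        raise ValueError("datagram too short for a version field")
    version = struct.unpack_from("!H", datagram)[0]
    if version != 5:
        # Other export versions use different record layouts; decoding them
        # with the v5 layout would yield meaningless addresses.
        return version, None
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated v5 header")
    count = V5_HEADER.unpack_from(datagram)[1]
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated v5 datagram")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst = ipaddress.IPv4Address(rec[0]), ipaddress.IPv4Address(rec[1])
        flows.append({"src": str(src), "dst": str(dst), "in_if": rec[3],
                      "out_if": rec[4], "packets": rec[5], "octets": rec[6],
                      "dst_multicast": dst.is_multicast})
    return version, flows

def build_sample(version, pairs):
    """Constructed test input: a v5-shaped datagram with one record per pair."""
    header = V5_HEADER.pack(version, len(pairs), 0, 0, 0, 0, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                       bytes(4), 1, 2, 10, 840, 0, 0, 1024, 80, 0, 0, 6, 0, 0, 0, 24, 24, 0)
        for s, d in pairs)
    return header + records

if __name__ == "__main__":
    # Constructed addresses from documentation ranges plus one multicast group.
    sample = build_sample(5, [("192.0.2.10", "198.51.100.7"), ("192.0.2.10", "224.0.1.1")])
    for flow in parse_export(sample)[1]:
        print(flow)
    print(parse_export(build_sample(8, [])))  # (8, None): not decoded as v5
```

Feeding it a captured UDP payload from the export port shows whether a given stream is version 5 at all and, if so, which records carry a multicast destination.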



This archive was generated by hypermail 2.1.4 : Mon Mar 25 2002 - 11:16:01 PST