Re: NetFlow trick

From: Kristof Ulrix (kristof@uk-systems.com)
Date: Fri May 14 2004 - 05:09:29 GMT-3

• Next message: Carlos G Mendioroz: "Re: callback or callin - please help"
• Previous message: Arifur Rahman: "callback or callin - please help"
• Maybe in reply to: Kristof Ulrix: "NetFlow trick"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Dan,

Netflow is only enabled on ingress traffic.
But you will see flows in both directions.

Have a look at this link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/
fswtch_c/swprt2/xcfnfc.htm

It says:
What is NetFlow?
NetFlow enables you to collect traffic flow statistics on your routing
devices. NetFlow is based on identifying packet flows for ingress IP
packets.

Kristof.

> Are u sure about netfolw and one way only?
> I use netflow on ipsec tunnels and i get both incomming and outgoing
> packet descriptions
>
> On Thu, 13 May 2004 09:21:55 -0400, Kristof Ulrix <kristof@uk-
systems.com>
> wrote:
>
> > Hi group,
> >
> > As you all know netflow only measures ingress traffic.
> > I would like to measure all traffic with a netflow collector send
> > to a device (PC1) connected via S1 (2950) from a router R1 (7204).
> > The traffic enters R1 via several interfaces.
> > On R1 policing is enabled on the outgoing interface.
> > => Sum of all incomming traffic is not equal to all traffic for PC1.
> >
> > +----+ +----+ +--------+
> > & & & +----+ &
> > & PC1+---+ & & +-------< PC2
> > +----+ & & & &
> > & & & +-------< PC3
> > & & & R1 &
> > & S1 & +-----+--+
> > +----+ &
> > &
> > ^
> > PC4
> >
> > I tought of a trick to do this measurement:
> >
> > - Use an extra connection between S1 and R1.
> > - Configure a monitor session on S1 to replicate all traffic to PC1
> > on this extra connection.
> > - Extra interface on R1
> > * put in vrf Meas
> > * configure same IP-address as PC1
> > * configure same mac-address as PC1
> > These static arp-entries are needed because there is only 1
> > arp-process for the whole router.
> > - Create a static arp entry in the normal routing table on R1 for
PC1
> > - Create a static arp entry in PC1 for original interface on R1
> >
> > This setup works in my lab, I only have 1 problem:
> > If I do a continuous ping stream from a PC2 behind R1 to PC1,
> > every about 50 s the ping replies stop for about 3 or 4 s
> > Sometimes it takes 200 s before the ping stops.
> >
> > Does anybody have a sugestion why this happens?
> >
> >
> > TIA
> >
> > Kristof.
> >
> >

• Next message: Carlos G Mendioroz: "Re: callback or callin - please help"
• Previous message: Arifur Rahman: "callback or callin - please help"
• Maybe in reply to: Kristof Ulrix: "NetFlow trick"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Wed Jun 02 2004 - 11:12:12 GMT-3