[c-nsp] Netflow Question

Andre Beck cisco-nsp at ibh.net
Wed May 7 10:28:25 EDT 2008


Hi,

[I rearranged the order of lines in the following for historic reasons]

On Fri, May 02, 2008 at 11:38:00AM -0700, raa at opusnet.com wrote:
> 
> Can anyone tell me the difference between the interface command:
> 
> Router(config-if)# ip route-cache flow

When NetFlow Data Export was introduced, it was a "byproduct" of a new
route cache implementation called "flow". The route cache would operate on
individual flows and would allow one to inspect that cache as well as to
export information on entries that have just timed out from the cache.

As a route cache implementation, it had a number of implicit attributes
that were not optimal in the wider field of accounting:

* It would be implicitly operating on ingress packets only. This
  required you to design your network properly in order to avoid
  accounting for a flow more than exactly once. It would also not
  allow schemes like "account only what goes to or comes from
  my BGP upstreams".
* Several interfaces would inherit their setting of route-cache flow
  from a parent, e.g. in the case of Ethernet subinterfaces. This would
  require even more design workarounds including the addition of hardware.
  You could not mix accounted and not accounted interfaces on a single
  interface in a router-on-a-stick setup.

> And 
> 
> Router(config-if)# ip flow ingress

This replaces "ip route-cache flow" on parent interfaces and it is
entirely new that you can switch it on and off individually on every
subinterface. When you upgrade IOS to a version that has it, an
"ip route-cache flow" statement on a parent will be converted to
an "ip flow ingress" on the parent as well as *every* subinterface
below that parent. From then on, you can switch it individually, but
of course setting "ip route-cache flow" will again fan out an "ingress"
to all subinterfaces. Thus, avoid using the old command as soon as you
have migrated, and never look back.

Please note that using NetFlow as a route cache is history; it is now
a pure accounting and monitoring tool.

BTW, there's a minor glitch in the conversion that can lead to an
interface losing route caching (which you normally want to have set
to CEF these days) altogether. So after an IOS upgrade that does this
conversion, check your interfaces e.g. using "sh cef interface brief".

> Router(config-if)# ip flow egress

That's finally the counterpart to "ip flow ingress" that allows you to
track interface egress traffic. That was simply impossible with the old
implementation (being implicitly ingress-only). Today you should be
able to set ingress+egress flow tracking on your upstreams to get just
the external traffic. But you could also stay with the old way of just
tracking ingress on upstreams + downstreams (but never within the network
itself to prevent multiple records).
 
> Thanks.  Second part to this question: can anyone recommend a Netflow
> analyzer?  Either application or appliance (price is important).  I'd like
> to get one where I can assign clients access where they only have access to
> the ports I assign them.  I'm currently using the free version of
> Scrutinizer.

There's a plethora of free (as in Free and Open Source Software) solutions
available. Depends on the exact needs you have. I'm using it just for
accounting, not as an analyzer, so I can't name products here. SWITCH
has a nice list, maybe for a starter see:

 http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html

HTH,
Andre.
-- 
   Real men don't make backups of their mail. They just send it out
    on the Internet and let the secret services do the hard work.

-> Andre Beck    +++ ABP-RIPE +++      IBH IT-Service GmbH, Dresden <-
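As an added example (not part of the post), the following audit walks a constructed IOS running-config and flags what Andre describes: legacy "ip route-cache flow" on a parent together with the subinterfaces that an upgrade will fan "ip flow ingress" out to, the new per-interface ingress/egress settings, and interfaces that lost route caching, which is assumed here to appear in the config as an explicit "no ip route-cache" line.

```python
import re
from collections import defaultdict

# Constructed IOS config fragment (made-up interfaces), not from the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
!
interface GigabitEthernet0/1
 ip route-cache flow
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 no ip route-cache
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented statements."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)\s*$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks

def audit_netflow(config):
    """Report legacy 'ip route-cache flow' (plus the subinterfaces it fans
    out to), per-interface flow directions, and interfaces with no route cache."""
    blocks = parse_interfaces(config)
    findings = defaultdict(list)
    for name, lines in blocks.items():
        if "ip route-cache flow" in lines:
            subs = sorted(n for n in blocks if n.startswith(name + "."))
            findings["legacy"].append((name, subs))
        dirs = [d for d in ("ingress", "egress") if f"ip flow {d}" in lines]
        if dirs:
            findings["flow"].append((name, dirs))
        if "no ip route-cache" in lines:  # assumed form of a lost route cache
            findings["no_route_cache"].append(name)
    return dict(findings)
```

Run it against a saved "show running-config" after the IOS upgrade; any "legacy" entry is a parent that still uses the old command, and any "no_route_cache" entry is an interface to re-check with "sh cef interface brief".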