[c-nsp] netflow only on ingress and HSRP setup

Zorg 421 zorglub421 at gmail.com
Thu Oct 16 04:38:55 EDT 2008


(was: ip flow egress on c76k)

Hello c-nsp,

My setup is pretty simple: two routers running BGP and getting full routes,
having some kind of backbone LAN on which are connected
devices that don't run a dynamic routing protocol. Hence we run HSRP on the
backbone LAN so the static default of the firewalls can always get out to the
internet (in case of B1 or B2 failing).

One border, B2, is a c76k. The other is an NPE-G2.
The HSRP primary is on B2.
With netflow being available only on ingress, I'm forced to run netflow on
the c76k, B2, on the backbone interface.
A big chunk of this traffic is sent to B1 to go out through other upstreams or
peerings.
On B1 I run "ip flow ingress" and "ip flow egress" on interfaces to the
outside world, upstreams and peers, but not on the backbone.
I get traffic duplication in my netflow app (nfsen) because traffic that goes to
the default, HSRP on B2, is redirected to B1 and gets out to the
net is counted on the backbone interface on B2 and the outside interface on B1.

By some kind of "law of Kirchhoff" I could disable "ip flow egress" on
the external interfaces on B1, but would lose some
information like output interface and nexthop for the peerings of B1.

Is there a known workaround to not count this traffic twice?
(I cannot see one on my own).

Regards.
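As an added illustration (not part of the original post, and not a feature of nfsen or IOS), the script below models the double count the poster describes and one collector-side merge that would suppress it: a record accounted on B2's backbone ingress is dropped when B1 exported an egress record for the same 5-tuple within a short time window, and B1's record is kept because it is the one carrying output interface and nexthop. Traffic that B2 sends out its own upstreams has no B1 counterpart and is kept. Exporter names, interface names, addresses, byte counts and timestamps are constructed sample data.

```python
# Added illustration (not from the original post): how the duplication described above
# shows up in exported flow records, and one way a collector-side merge could suppress it.
# Exporters, interface names, addresses and byte counts below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    exporter: str     # router that exported the record ("B1" or "B2")
    direction: str    # "ingress" or "egress": where the router accounted the flow
    interface: str    # interface the record was accounted on
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    nbytes: int
    first: int        # flow start time in seconds (constructed)
    out_if: str = ""  # output interface, only present on egress-capable records
    nexthop: str = ""


def flow_key(f):
    """5-tuple that identifies the same conversation across both exporters."""
    return (f.src, f.dst, f.proto, f.sport, f.dport)


def dedup(flows, window=60):
    """Drop a B2 backbone-ingress record when B1 exported an egress record for the
    same 5-tuple within `window` seconds: that is traffic the HSRP primary (B2)
    forwarded to B1, counted once on B2's backbone and again on B1's external side.
    The B1 record is the one kept because it carries output interface and nexthop."""
    b1_egress = defaultdict(list)
    for f in flows:
        if f.exporter == "B1" and f.direction == "egress":
            b1_egress[flow_key(f)].append(f)

    kept = []
    for f in flows:
        if f.exporter == "B2" and f.interface == "backbone":
            candidates = b1_egress[flow_key(f)]
            match = next((c for c in candidates if abs(c.first - f.first) <= window), None)
            if match is not None:
                candidates.remove(match)   # one B1 record cancels exactly one B2 record
                continue                   # suppress the duplicate
        kept.append(f)
    return kept


def total_bytes(flows):
    return sum(f.nbytes for f in flows)


def sample_flows():
    """Constructed records using RFC 5737 documentation addresses."""
    return [
        # Flow A: default-routed to B2 (HSRP primary), redirected to B1, out via a B1 upstream.
        Flow("B2", "ingress", "backbone", "192.0.2.10", "203.0.113.5", 6, 51000, 443, 1000, 10),
        Flow("B1", "egress", "upstream1", "192.0.2.10", "203.0.113.5", 6, 51000, 443, 1000, 11,
             out_if="upstream1", nexthop="198.51.100.1"),
        # Flow B: default-routed to B2 and sent out B2's own upstream; only the backbone
        # ingress record exists, so it must be kept.
        Flow("B2", "ingress", "backbone", "192.0.2.11", "203.0.113.6", 17, 40000, 53, 500, 12),
        # Flow C: inbound from a B1 peer; not a backbone record, kept as-is.
        Flow("B1", "ingress", "peer1", "203.0.113.7", "192.0.2.12", 6, 443, 52000, 700, 13),
    ]


if __name__ == "__main__":
    raw = sample_flows()
    merged = dedup(raw)
    print(f"before: {len(raw)} records, {total_bytes(raw)} bytes")
    print(f"after:  {len(merged)} records, {total_bytes(merged)} bytes")
```

The time window matters: without it, a long-lived or repeated conversation with the same 5-tuple that B2 later sends out its own upstream would be cancelled against an unrelated earlier B1 record.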

