[c-nsp] Netflow - GSR engine 5

Adam Powers apowers at lancope.com
Thu Feb 25 21:04:15 EST 2010


Also keep in mind that the packet did actually ingress on some interface on
the router somewhere prior to it being dropped by the ACL. The NetFlow
record must be sent to the collector in order for the ingress interface
traffic to be reported correctly in the collector.

In other words, if the router doesn't export the ACL-dropped flows your
collector will underreport traffic stats.


On 2/25/10 4:37 PM, "Gert Doering" <gert at greenie.muc.de> wrote:

> Hi,
> 
> On Thu, Feb 25, 2010 at 11:43:37AM -0500, Drew Weaver wrote:
>> > Should ingress packets dropped by ACLs still hit Netflow on the GSR with E5
>> > linecards?
>> >
>> > Gi2/0/2       10.1.123.32  Null          10.1.123.3   11 A29F 0035     1
> 
> I'm not sure whether this is documented anywhere, but this is expected,
> and it is actually recommended to use "Netflow dest if=null" instead
> of "ACL logging" to see which packets your network is refusing.
> 
>> > So basically a packet is being sent in from the Internet sourced
>> > from one of my own IP addresses, and I assume it is being dropped
>> > because of the ACL on our Internet connections that says we don't
>> > want traffic coming in from ourselves, but why is it showing up in
>> > the netflow exports?
> 
> So that you can keep track of what you're dropping.  You might want
> to know about it :-)
> 
> gert
> 
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
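Added example, not part of either message: a small Python parser for flow-cache rows in the column order of the line quoted in the thread (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts, with protocol and ports in hex). It lists the flows whose destination interface is Null and shows how far per-ingress-interface packet counts fall short if those flows are left out. Treating every Null destination as an ACL drop is an assumption taken from the thread; all rows except the first are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample. Only the first row comes from the thread.
SAMPLE = """\
SrcIf         SrcIPaddress DstIf         DstIPaddress Pr SrcP DstP  Pkts
Gi2/0/2       10.1.123.32  Null          10.1.123.3   11 A29F 0035     1
Gi2/0/2       192.0.2.10   Gi2/0/1       10.1.123.3   06 C001 0050    40
Gi2/0/2       192.0.2.77   Gi2/0/1       10.1.123.9   11 D431 0035     3
Gi2/0/3       198.51.100.5 Null          10.1.123.8   06 8A11 0017     2
"""

def parse_flows(text):
    """Return one dict per flow row; header and malformed rows are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        try:
            flows.append({
                "src_if": f[0], "src_ip": f[1],
                "dst_if": f[2], "dst_ip": f[3],
                "proto": int(f[4], 16),      # hex, 11 -> 17 (UDP)
                "src_port": int(f[5], 16),   # hex, A29F -> 41631
                "dst_port": int(f[6], 16),   # hex, 0035 -> 53
                "pkts": int(f[7]),
            })
        except ValueError:
            continue  # header row or non-numeric field
    return flows

def dropped_flows(flows):
    """Flows with destination interface Null (assumed here to be ACL drops)."""
    return [fl for fl in flows if fl["dst_if"] == "Null"]

def ingress_totals(flows):
    """Per ingress interface: packets seen, and packets left if drops are omitted."""
    totals = defaultdict(lambda: {"all": 0, "without_drops": 0})
    for fl in flows:
        totals[fl["src_if"]]["all"] += fl["pkts"]
        if fl["dst_if"] != "Null":
            totals[fl["src_if"]]["without_drops"] += fl["pkts"]
    return dict(totals)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for fl in dropped_flows(flows):
        print("dropped:", fl)
    for ifname, t in ingress_totals(flows).items():
        print(ifname, t, "missing:", t["all"] - t["without_drops"])
```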