[c-nsp] Odd Netflow export behaviour on ASR1k

Andy Davidson andy at nosignal.org
Thu Nov 22 04:10:43 EST 2012 

Hi,

I have a pair of Cisco ASR1001 routers, both running 15.1(3)S2 (UNIVERSALK9_NPE-M).  Both are configured similarly, their role is as BGP edge device on a service provider network.

Netflow exports are configured on both routers, but only working on one.  The relevant, simple configuration is identical on both :

ip flow-cache timeout active 1
interface GigabitEthernet0/0/0.532
 description [Example BGP peer transfer-interface]
 encapsulation dot1Q 532
 ip address 80.x.x.x 255.255.255.252
 ip flow ingress
 ip flow egress
 ip policy route-map POLICY
ip ospf 10 area 0
 ipv6 address 2A01:x:x::x/127
 ipv6 enable
 ipv6 nd ra suppress
 ipv6 ospf 10 area 0
ip flow-export destination 192.168.3.249 9996 vrf Mgmt-intf


The result is :

nbb-rt1#sh ip flow export
Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : 1
    Source(1)       192.168.3.160 (GigabitEthernet0)
    Destination(1)  192.168.3.249 (9996)
  Version 5 flow records
  4287252960 flows exported in 151316818 udp datagrams
  0 flows failed due to lack of export packet


nbb-rt2#sh ip flow export
Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : 1
    Source(1)       192.168.3.170 (GigabitEthernet0)
    Destination(1)  192.168.3.249 (9996)
  Version 5 flow records
  0 flows exported in 0 udp datagrams
  218500995 flows failed due to lack of export packet

The only difference between the two routers is that the nbb-rt2 router (where flow export is failing) has an additional SPA-2XOC3-POS card installed and used (for a BGP transfer net, hence flows are configured on the POS interface.)

I have done some reading into this subject, and it looks like the ASR1001 platform is deliberately crippled to prevent the use of Gi0 (and the Mgmt-int VRF) for the use of exporting flows.  However, I have somehow caused one of the routers to willingly export flows to my netflow box (which we do want to keep on the same subnet as Gi0, hence flows to be exported from the Mgmt-int VRF). 

My questions are :

 - Is it unsafe to have flows exported from Gi0, as with the behaviour on nbb-rt1 from a scaling point of view ?
 - If not, how can I trick the nbb-rt2 router into the same behaviour ?

Thanks for any suggestions,
Andy

More information about the cisco-nsp mailing list