[c-nsp] flexible netflow - ASR1K / vrf
CiscoNSP List
cisconsp_list at hotmail.com
Wed Jan 7 17:39:03 EST 2015
Thanks for all the replies - I added a BDI int (and created/added it to a new test vrf) to one of the ASRs, and connected that to an ME3600 (no IPs, just service ints), then connected the ME to a 4948 (trunk port), and created a vlan int on the 4948 in the same subnet that is configured on the BDI interface... a bit of an elaborate test, but I wanted to do some other testing with the 4948 connected anyway!
I applied "ip flow monitor mm_1 input" to both the BDI int and also the x-connect between the 2 ASR1Ks, and could successfully ping from 4948->ASR1 (BDI int IP), and also to ASR2 with a loop int in the same new vrf.
With ping tests from 4948->ASR2 loop, I'm now seeing the VRF traffic, but it looks to only record it in one direction - i.e. the SRC address is always the 4948's vlan IP, regardless of which direction I ping... the "bytes" recorded are correct, but my experience with netflow is the "old" style (i.e. v5, then enabling ip flow ingress on the ints you want to capture traffic flows on).
With the "old" netflow, if I did a similar test to the above (i.e. ping from ASR2->4948), I'd see netflow traffic with a source address of ASR2 loop / dst of 4948 vlan IP, and also the reverse (src of 4948 vlan IP, dst of ASR2 loop)... which is correct, as the 4948 would be responding back to the ASR.
Hotmail will undoubtedly screw up the formatting, but this is what I'm now seeing... so it's "working", I'm just not seeing the reverse traffic the way the old netflow used to display it...
show flow monitor mm_1 cache format table
IP VRF ID INPUT                IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT  intf input            intf output           bytes       pkts
=============================  ===============  ===============  =============  =============  ====================  ====================  ==========  ==========
4 (CUSTB)                      10.10.10.2       11.11.11.1       0              2048           BD300                 Gi0/0/3               500000      500
> Date: Wed, 7 Jan 2015 16:10:06 +0100
> From: gert at greenie.muc.de
> To: mrantoinemonnier at gmail.com
> CC: cisconsp_list at hotmail.com; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] flexible netflow - ASR1K / vrf
>
> Hi,
>
> On Wed, Jan 07, 2015 at 01:44:50PM +0100, Antoine Monnier wrote:
> > > If I create a test vrf and apply it to a loop interface on both routers,
> > > and enable netflow on them
> > >
> > > ip flow monitor mm_1 input
> > >
> > > Then ping between the loops (Using src IP of the loops), I see no flows if
> > > I issue:
> > >
> > > show flow monitor mm_1 cache format table
>
> Netflow needs to be enabled on the actual ingress interface on the router,
> not on the loopback. There's no "input" traffic on loopbacks (except if
> you use them to bounce traffic around).
>
> I have no idea whether ASR1k can do netflow for packets arriving MPLS-
> encapsulated, though.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
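
Added example, not part of the original thread or written by its participants: a small Python check that parses fixed-width "show flow monitor ... cache format table" output like the one quoted above and lists flows that have no cache entry for the reverse address pair. The rows are constructed (the first mirrors the post), the function names are hypothetical, and it assumes a return flow would be recorded under the same VRF ID.

```python
import re

# Column widths taken from the '=' ruler in the quoted output.
WIDTHS = [29, 15, 15, 13, 13, 20, 20, 10, 10]
HEADER = ["IP VRF ID INPUT", "IPV4 SRC ADDR", "IPV4 DST ADDR", "TRNS SRC PORT",
          "TRNS DST PORT", "intf input", "intf output", "bytes", "pkts"]
# Constructed sample rows: the first mirrors the post, the other two are invented.
ROWS = [
    ["4 (CUSTB)", "10.10.10.2", "11.11.11.1", "0", "2048", "BD300", "Gi0/0/3", "500000", "500"],
    ["4 (CUSTB)", "10.10.10.2", "11.11.11.9", "0", "2048", "BD300", "Gi0/0/3", "1000", "10"],
    ["4 (CUSTB)", "11.11.11.9", "10.10.10.2", "0", "0", "Gi0/0/3", "BD300", "1000", "10"],
]

def render(rows):
    """Lay the sample out as fixed-width text, two spaces between columns."""
    def fmt(cells):
        return "  ".join(c.ljust(w) for c, w in zip(cells, WIDTHS)).rstrip()
    return "\n".join([fmt(HEADER), fmt(["=" * w for w in WIDTHS])] + [fmt(r) for r in rows])

def parse_cache_table(text):
    """Slice each data row at the column spans given by the '=' ruler line."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines)
                 if "=" in l and re.fullmatch(r"[= ]+", l))
    spans = [m.span() for m in re.finditer(r"=+", lines[ruler])]
    names = [lines[ruler - 1][a:b].strip() for a, b in spans]
    return [{n: l[a:b].strip() for n, (a, b) in zip(names, spans)}
            for l in lines[ruler + 1:] if l.strip()]

def one_way_flows(flows):
    """Return flows with no entry for the reverse address pair in the same VRF.
    Ports are ignored so that an ICMP echo and its reply count as a pair."""
    seen = {(f["IP VRF ID INPUT"], f["IPV4 SRC ADDR"], f["IPV4 DST ADDR"])
            for f in flows}
    return [f for f in flows
            if (f["IP VRF ID INPUT"], f["IPV4 DST ADDR"], f["IPV4 SRC ADDR"]) not in seen]

if __name__ == "__main__":
    for f in one_way_flows(parse_cache_table(render(ROWS))):
        print(f["IPV4 SRC ADDR"], "->", f["IPV4 DST ADDR"], "has no reverse entry")
```
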