interface names in flexible netflow with cisco 1811

Scrutinizer is an enterprise/business class NetFlow and sFlow analysis tool. Scrutinizer provides historical trends of the company's critical network interfaces as well as the details on:

Who: The end system causing the traffic
What: The application/protocol that is being used
When: The time frame it has been occurring for
Where: The network connection that is affected

Moderators: scottr, Moderator Team

BENKHESA01
Posts: 1
Joined: Mon Jan 09, 2017 9:40 pm

interface names in flexible netflow with cisco 1811

Post by BENKHESA01 » Mon Jan 09, 2017 10:23 pm

Hi all,

I would like to know why Scrutinizer is not able to display the right names for the exported interfaces of the router. I'm able to confirm that the template interfaces and application tables are exported.

Router:
Firmware: c181x-advipservicesk9-mz.151-4.M6.bin
Chassis: Cisco 1811 (MPC8500) with 256MB DRAM/62MB FLASH
Router configuration:

Code:

flow record flow_rec_applicationtraffic
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport tcp source-port
 match transport tcp destination-port
 match interface input
 match flow direction
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl
 collect ipv4 source prefix
 collect ipv4 destination prefix
 collect transport tcp flags
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name

Code:

flow exporter flow-exporter-fnfv9-defaultexporter
 description default exporter to 192.168.2.254 2055
 destination 192.168.2.254
 source Loopback0
 transport udp 2055
 option interface-table
 option application-table
 

Code:

flow monitor flow_mon_advmonitor
 description advanced monitor for applications
 record flow_rec_applicationtraffic
 exporter flow-exporter-fnfv9-defaultexporter
 cache timeout active 60

I enabled Flexible Netflow on WAN interface F0 with this command:

Code:

 ip flow monitor flow_mon_advmonitor input

This is the result of the export statistics/templates in the export:

Code:

rt.openmind.local#$sh flow exporter flow-exporter-fnfv9-defaultexporter statistics 
Flow Exporter flow-exporter-fnfv9-defaultexporter:
  Packet send statistics (last cleared 5d02h ago):
    Successfully sent:         89386                 (31475145 bytes)
    Adjacency failure:         3729                  (3679002 bytes)

  Client send statistics:
    Client: Flow Monitor flow-monitor-fnfv9-defaultmonitor
      Records added:           551735
        - sent:                486013
        - failed to send:      65722
      Bytes added:             29241955
        - sent:                25758689
        - failed to send:      3483266

    Client: Option options application-name
      Records added:           6680
        - sent:                6680
      Bytes added:             554440
        - sent:                554440

    Client: Option options interface-table
      Records added:           120
        - sent:                120
      Bytes added:             12000
        - sent:                12000

    Client: Flow Monitor flow_mon_advmonitor
      Records added:           5687
        - sent:                5686
      Bytes added:             398090
        - sent:                398020

rt.openmind.local#$sh flow exporter flow-exporter-fnfv9-defaultexporter templates 
Flow Exporter flow-exporter-fnfv9-defaultexporter:
  Client: Flow Monitor flow-monitor-fnfv9-defaultmonitor
  Exporter Format: NetFlow Version 9
  Template ID    : 256
  Source ID      : 0
  Record Size    : 53
  Template layout
  _____________________________________________________________________
  |                 Field                   |  Type | Offset |  Size  |
  ---------------------------------------------------------------------
  | ipv4 source address                     |     8 |     0  |     4  |
  | ipv4 destination address                |    12 |     4  |     4  |
  | flow sampler                            |    48 |     8  |     4  |
  | interface input snmp                    |    10 |    12  |     4  |
  | transport source-port                   |     7 |    16  |     2  |
  | transport destination-port              |    11 |    18  |     2  |
  | ip tos                                  |     5 |    20  |     1  |
  | ip protocol                             |     4 |    21  |     1  |
  | ipv4 source mask                        |     9 |    22  |     1  |
  | ipv4 destination mask                   |    13 |    23  |     1  |
  | transport tcp flags                     |     6 |    24  |     1  |
  | routing source as                       |    16 |    25  |     2  |
  | routing destination as                  |    17 |    27  |     2  |
  | routing next-hop address ipv4           |    15 |    29  |     4  |
  | counter bytes                           |     1 |    33  |     4  |
  | counter packets                         |     2 |    37  |     4  |
  | timestamp sys-uptime first              |    22 |    41  |     4  |
  | timestamp sys-uptime last               |    21 |    45  |     4  |
  | interface output snmp                   |    14 |    49  |     4  |
  ---------------------------------------------------------------------
  Client: Option options application-name
  Exporter Format: NetFlow Version 9
  Template ID    : 257
  Source ID      : 0
  Record Size    : 87
  Template layout
  _____________________________________________________________________
  |                 Field                   |  Type | Offset |  Size  |
  ---------------------------------------------------------------------
  | v9-scope system                         |     1 |     0  |     4  |
  | application id                          |    95 |     4  |     4  |
  | application name                        |    96 |     8  |    24  |
  | application description                 |    94 |    32  |    55  |
  ---------------------------------------------------------------------
  Client: Option options interface-table
  Exporter Format: NetFlow Version 9
  Template ID    : 258
  Source ID      : 0
  Record Size    : 104
  Template layout
  _____________________________________________________________________
  |                 Field                   |  Type | Offset |  Size  |
  ---------------------------------------------------------------------
  | v9-scope system                         |     1 |     0  |     4  |
  | interface input snmp                    |    10 |     4  |     4  |
  | interface name                          |    82 |     8  |    32  |
  | interface description                   |    83 |    40  |    64  |
  ---------------------------------------------------------------------
  Client: Flow Monitor flow_mon_advmonitor
  Exporter Format: NetFlow Version 9
  Template ID    : 259
  Source ID      : 0
  Record Size    : 70
  Template layout
  _____________________________________________________________________
  |                 Field                   |  Type | Offset |  Size  |
  ---------------------------------------------------------------------
  | ipv4 source address                     |     8 |     0  |     4  |
  | ipv4 destination address                |    12 |     4  |     4  |
  | interface input snmp                    |    10 |     8  |     4  |
  | transport tcp source-port               |   182 |    12  |     2  |
  | transport tcp destination-port          |   183 |    14  |     2  |
  | flow direction                          |    61 |    16  |     1  |
  | ip tos                                  |     5 |    17  |     1  |
  | ip protocol                             |     4 |    18  |     1  |
  | transport tcp flags                     |     6 |    19  |     1  |
  | ip dscp                                 |   195 |    20  |     1  |
  | ip ttl                                  |   192 |    21  |     1  |
  | routing source as                       |    16 |    22  |     2  |
  | routing destination as                  |    17 |    24  |     2  |
  | routing next-hop address ipv4           |    15 |    26  |     4  |
  | ipv4 source prefix                      |    44 |    30  |     4  |
  | ipv4 destination prefix                 |    45 |    34  |     4  |
  | timestamp sys-uptime first              |    22 |    38  |     4  |
  | timestamp sys-uptime last               |    21 |    42  |     4  |
  | application id                          |    95 |    46  |     4  |
  | interface output snmp                   |    14 |    50  |     4  |
  | counter bytes long                      |     1 |    54  |     8  |
  | counter packets long                    |     2 |    62  |     8  |
  ---------------------------------------------------------------------

This is an example of a flow in the cache of the monitor:

Code:

rt.openmind.local#sh flow monitor flow_mon_advmonitor cache 
  Cache type:                               Normal
  Cache size:                                 4096
  Current entries:                              32
  High Watermark:                              127

  Flows added:                                5990
  Flows aged:                                 5958
    - Active timeout      (    60 secs)       1076
    - Inactive timeout    (    15 secs)       4882
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0

IPV4 SOURCE ADDRESS:       52.89.213.60
IPV4 DESTINATION ADDRESS:  192.222.157.211
TCP SOURCE PORT:           443
TCP DESTINATION PORT:      34928
INTERFACE INPUT:           Fa0
FLOW DIRECTION:            Input
IP TOS:                    0x00
IP PROTOCOL:               6
ip source as:              0
ip destination as:         0
ipv4 next hop address:     192.168.2.4
ipv4 source prefix:        0.0.0.0
ipv4 destination prefix:   192.222.157.0
tcp flags:                 0x18
interface output:          Vl2
counter bytes long:        1271
counter packets long:      11
timestamp first:           22:06:27.944
timestamp last:            22:07:18.024
ip dscp:                   0x00
ip ttl:                    37
application name:          nbar secure-http

Capture from Wireshark:

Code:

Frame 6608: 1340 bytes on wire (10720 bits), 1340 bytes captured (10720 bits) on interface 0
Ethernet II, Src: CiscoInc_96:70:e8 (00:25:45:96:70:e8), Dst: IntelCor_2e:cd:a9 (4c:eb:42:2e:cd:a9)
Internet Protocol Version 4, Src: 192.168.6.2, Dst: 192.168.2.254
User Datagram Protocol, Src Port: 56091, Dst Port: 2055
Cisco NetFlow/IPFIX
    Version: 9
    Count: 13
    SysUptime: 518309.848000000 seconds
    Timestamp: Jan  9, 2017 21:22:00.000000000 EST
    FlowSequence: 107601
    SourceId: 0
    FlowSet 1 [id=1] (Options Template): 258
        FlowSet Id: Options Template(V9) (1)
        FlowSet Length: 26
        Options Template (Id = 258) (Scope Count = 1; Data Count = 3)
    FlowSet 2 [id=258] (12 flows)
        FlowSet Id: (Data) (258)
        FlowSet Length: 1252
        [Template Frame: 6608]
        Flow 1
            ScopeSystem: c0a80602
            InputInt: 13
            IfName: As1
            IfDescr: Async1
        Flow 2
            ScopeSystem: c0a80602
            InputInt: 1
            IfName: Fa0
            IfDescr: FastEthernet0
        Flow 3
            ScopeSystem: c0a80602
            InputInt: 2
            IfName: Fa1
            IfDescr: FastEthernet1
        Flow 4
            ScopeSystem: c0a80602
            InputInt: 3
            IfName: Fa2
            IfDescr: FastEthernet2
        Flow 5
            ScopeSystem: c0a80602
            InputInt: 4
            IfName: Fa3
            IfDescr: FastEthernet3
        Flow 6
            ScopeSystem: c0a80602
            InputInt: 5
            IfName: Fa4
            IfDescr: FastEthernet4
        Flow 7
            ScopeSystem: c0a80602
            InputInt: 6
            IfName: Fa5
            IfDescr: FastEthernet5
        Flow 8
            ScopeSystem: c0a80602
            InputInt: 7
            IfName: Fa6
            IfDescr: FastEthernet6
        Flow 9
            ScopeSystem: c0a80602
            InputInt: 8
            IfName: Fa7
            IfDescr: FastEthernet7
        Flow 10
            ScopeSystem: c0a80602
            InputInt: 9
            IfName: Fa8
            IfDescr: FastEthernet8
        Flow 11
            ScopeSystem: c0a80602
            InputInt: 10
            IfName: Fa9
            IfDescr: FastEthernet9
        Flow 12
            ScopeSystem: c0a80602
            InputInt: 14
            IfName: Lo0
            IfDescr: Loopback0


Frame 15092: 404 bytes on wire (3232 bits), 404 bytes captured (3232 bits) on interface 0
Ethernet II, Src: CiscoInc_96:70:e8 (00:25:45:96:70:e8), Dst: IntelCor_2e:cd:a9 (4c:eb:42:2e:cd:a9)
Internet Protocol Version 4, Src: 192.168.6.2, Dst: 192.168.2.254
User Datagram Protocol, Src Port: 56091, Dst Port: 2055
Cisco NetFlow/IPFIX
    Version: 9
    Count: 4
    SysUptime: 518910.848000000 seconds
    Timestamp: Jan  9, 2017 21:32:01.000000000 EST
    FlowSequence: 108221
    SourceId: 0
    FlowSet 1 [id=1] (Options Template): 258
        FlowSet Id: Options Template(V9) (1)
        FlowSet Length: 26
        Options Template (Id = 258) (Scope Count = 1; Data Count = 3)
    FlowSet 2 [id=258] (3 flows)
        FlowSet Id: (Data) (258)
        FlowSet Length: 316
        [Template Frame: 6608]
        Flow 1
            ScopeSystem: c0a80602
            InputInt: 15
            IfName: NV0
            IfDescr: NVI0
        Flow 2
            ScopeSystem: c0a80602
            InputInt: 12
            IfName: Vl1
            IfDescr: Vlan1
        Flow 3
            ScopeSystem: c0a80602
            InputInt: 16
            IfName: Vl2
            IfDescr: Vlan2


But in Scrutinizer I only see: Instance 1, Instance 16, Instance 0, even after deleting the exporter in Scrutinizer.

So can someone tell me what to do to get Scrutinizer to recognize the interface names?



Regards,
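
As an added illustration (not part of the original posts and not Scrutinizer's code), this Python example decodes the interface-table export shown in the Wireshark capture above: options template 258 followed by 104-byte option data records that map an SNMP ifIndex to its name and description. The packet is constructed from values in the capture rather than copied from it, and the function names are hypothetical.

```python
import struct

IF_INDEX, IF_NAME, IF_DESCR = 10, 82, 83   # field types listed for template 258

def _text(raw):
    return raw.rstrip(b"\0").decode("ascii", "replace")

def parse_interface_table(packet):
    """Return {ifIndex: (name, description)} from one NetFlow v9 export packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, table, pos = {}, {}, 20       # the v9 header is 20 bytes
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, pos)
        if fs_len < 4 or pos + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 1 and len(body) >= 6:    # Options Template FlowSet
            # Simplification: one template per FlowSet, as in the capture.
            tid, scope_len, opt_len = struct.unpack_from("!HHH", body)
            n = (scope_len + opt_len) // 4
            if 6 + 4 * n > len(body):
                raise ValueError("truncated options template")
            fields = [struct.unpack_from("!HH", body, 6 + 4 * i) for i in range(n)]
            templates[tid] = (scope_len // 4, fields)
        elif fs_id in templates:             # option data for a known template
            scopes, fields = templates[fs_id]
            size = sum(length for _, length in fields)
            for off in range(0, len(body) - size + 1, size or 1):
                rec, p = {}, off
                for i, (ftype, length) in enumerate(fields):
                    if i >= scopes:          # scope types overlap option types
                        rec[ftype] = body[p:p + length]
                    p += length
                if IF_INDEX in rec and IF_NAME in rec:
                    index = int.from_bytes(rec[IF_INDEX], "big")
                    table[index] = (_text(rec[IF_NAME]), _text(rec.get(IF_DESCR, b"")))
        pos += fs_len
    return table

def build_sample():
    """Constructed packet shaped like the capture above (not the captured bytes)."""
    tmpl = struct.pack("!5H8H", 1, 26, 258, 4, 12, 1, 4, 10, 4, 82, 32, 83, 64)
    rows = [(1, b"Fa0", b"FastEthernet0"), (16, b"Vl2", b"Vlan2")]
    data = b"".join(struct.pack("!4sI32s64s", b"\xc0\xa8\x06\x02", i, n, d) for i, n, d in rows)
    flowset = struct.pack("!HH", 258, 4 + len(data)) + data
    return struct.pack("!HHIIII", 9, 3, 0, 0, 0, 0) + tmpl + flowset

if __name__ == "__main__":
    print(parse_interface_table(build_sample()))
```

A data FlowSet that arrives before its options template is skipped, so a decoder like this one has no names until the template has been seen at least once.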

jennm
Posts: 6
Joined: Thu Jun 09, 2016 11:36 am

Re: interface names in flexible netflow with cisco 1811

Post by jennm » Tue Jan 10, 2017 12:17 pm

Hello,

Here are a few things that you can check:

1) Under Admin > Definitions > SNMP credentials make sure your SNMP Community strings are entered correctly

2) Under Admin > Definitions > Manage exporters make sure that each exporter is assigned to the proper SNMP Community

3) On the manage exporters screen run Update SNMP to refresh the information. If the SNMP for the exporter comes back as TIMEOUT : SNMP rather than Updated, Scrutinizer is not able to connect with the SNMP on the exporter. Please double check your settings.
