2

I have a Cisco 6500 switch that I want to capture all vlan8 traffic incoming and outgoing. I talked with my networking group and they set me up with the following commands. (May not be exact commands but this was an example I gave them)

conf t
ip flow-export version 5
ip flow-export destination 192.168.20.30 1234
int vlan8
 ip flow egress
 ip flow ingress
 ip route-cache flow

I am currently capturing this data using Ntop and we are getting a lot of traffic. I see all incoming and outgoing traffic from all vlan8 machines (192.168.8.0/24). However, for any machine that is not in vlan8 but is talking to vlan8, I only see the received traffic from them.

Ex. 192.168.8.10 goes to a website on 192.168.9.20
I only see received traffic from the 192.168.9.20 machine and no sent traffic. Obviously it has sent traffic because 192.168.8.10 received the website.

I just wanted to verify that this is how Netflow captures data and that everything is working correctly. It kinda makes sense to me that since 192.168.9.20 isn't in vlan8 it may not get the outbound traffic (even though it sends it to vlan8). Ideally I'd want sent and received traffic from anything that touches vlan8. Thanks.

2 Answers

0

We've had issues with ip flow ingress and ip flow egress running on the same interface causing this type of behavior.

Try removing those two commands and dropping down to simply ip route-cache flow and see if that helps.

interface vlan 8
 no ip flow egress
 no ip flow ingress
Jason Seemann
0

It is not necessary to have both the ingress and egress statements. The statements do not indicate the direction of the traffic that you want to report on. They indicate at what point you want to report the traffic.

henklu
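
To see what the switch is actually exporting, independent of how Ntop displays it, the NetFlow v5 datagrams can be decoded and checked for conversations that appear in only one direction (each v5 record describes a single direction). This is an added example, not code from the question or either answer. The sample datagram, ports and ifIndex values are constructed; only the two host addresses come from the question.

```python
import socket
import struct
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return one dict per flow record in a NetFlow v5 export datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("short datagram")
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def one_way_conversations(flows):
    """Pair unidirectional records; return conversations exported in one direction only."""
    seen = defaultdict(set)
    for f in flows:
        a, b = (f["src"], f["sport"]), (f["dst"], f["dport"])
        key = (f["proto"],) + tuple(sorted([a, b]))
        seen[key].add(a)  # record which endpoint was the sender
    return {k: senders for k, senders in seen.items() if len(senders) == 1}

def build_v5(records):
    """Build a constructed v5 datagram from (src, dst, in_if, out_if, octets, sport, dport)."""
    out = HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, in_if, out_if, octets, sport, dport in records:
        out += REC.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                        in_if, out_if, 1, octets, 0, 0, sport, dport,
                        0, 0, 6, 0, 0, 0, 24, 24, 0)  # proto 6 = TCP, /24 masks
    return out

# Constructed sample: one conversation with both directions, one with only the request.
SAMPLE = build_v5([
    ("192.168.8.10", "192.168.9.20", 8, 9, 400, 50000, 80),
    ("192.168.9.20", "192.168.8.10", 9, 8, 9000, 80, 50000),
    ("192.168.8.11", "192.168.9.20", 8, 9, 400, 50001, 80),
])
for conv, senders in one_way_conversations(parse_v5(SAMPLE)).items():
    print("only one direction exported:", conv, "sender:", senders)
```

Feeding it UDP payloads received on the export port (1234 in the question's configuration) shows whether the missing direction is absent from the export itself or only from the collector's view.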