CISCO

-> see debugging output on vty sessions: terminal monitor

netflow: (http://net.doit.wisc.edu/~plonka/FlowScan/INSTALL.html)
->
First and foremost, to get useful flow information from your Cisco, you'll need to enable flow-switching on the appropriate ingress interfaces using this interface-level configuration statement:

ip route-cache flow

Also, I suggest that you export from your Cisco like this:


ip flow-export version 5 peer-as
ip flow-export destination 10.0.0.1 2055

Of course the IP address and port are determined by your cflowd.conf. To help ensure that flows are exported in a timely fashion, I suggest you also do this if your IOS version supports it:


ip flow-cache timeout active 1

Some IOS versions, e.g. 12.0(9), use this syntax instead:


ip flow-cache active-timeout 1

unless you've specified something such as downward-compatible-config 11.2.

Lastly, in complicated environments, choosing which particular interfaces should have ip route-cache flow enabled is somewhat difficult. For FlowScan, one usually wants it enabled for any interface that is an ingress point for traffic that is from inside to outside or vice-versa. You probably don't want flow-switching enabled for interfaces that carry policy-routed traffic, such as that being redirected transparently to a web cache. Otherwise, FlowScan could count the same traffic twice because of multiple flows being reported for what was essentially the same traffic making multiple passes through a border router. E.g. user-to-webcache, webcache-to-outside world (on behalf of that user).
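
To check what the router actually sends to the export destination configured above, here is an added example (not part of the FlowScan instructions) that parses a NetFlow version 5 datagram into its header and flow records. The sample datagram, its addresses, AS numbers and the function names are constructed for illustration; port 2055 is the one from the export line above.

```python
import socket
import struct

HDR = struct.Struct("!HHIIIIBBH")                  # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")   # 48-byte v5 flow record

def parse_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError if malformed."""
    if len(datagram) < HDR.size:
        raise ValueError("short datagram")
    ver, count, uptime, secs, _nsecs, seq, _etype, _eid, _samp = HDR.unpack_from(datagram)
    if ver != 5:
        raise ValueError("not NetFlow v5: version %d" % ver)
    # v5 carries 1..30 records; the length must match the advertised count exactly
    if not 1 <= count <= 30 or len(datagram) != HDR.size + count * REC.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nh, in_if, out_if, pkts, octets, first, last, sport, dport,
         flags, proto, _tos, src_as, dst_as, _smask, _dmask) = REC.unpack_from(
            datagram, HDR.size + i * REC.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "in_if": in_if, "out_if": out_if, "packets": pkts, "octets": octets,
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
            # with "peer-as" on the export line these are the neighbouring ASes
            "src_as": src_as, "dst_as": dst_as,
            # sysUptime difference; compare against the active timeout (1 minute)
            "duration_ms": last - first,
        })
    return {"sequence": seq, "count": count, "unix_secs": secs,
            "sys_uptime_ms": uptime}, flows

def sample_datagram():
    """Constructed datagram: one TCP flow 192.0.2.10:51515 -> 198.51.100.7:80."""
    rec = REC.pack(socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
                   socket.inet_aton("0.0.0.0"), 1, 2, 10, 4200, 100000, 145000,
                   51515, 80, 0x1B, 6, 0, 64500, 64501, 24, 24)
    return HDR.pack(5, 1, 150000, 1700000000, 0, 42, 0, 0, 0) + rec

if __name__ == "__main__":
    print(parse_v5(sample_datagram()))              # offline check first
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 2055))                    # port from the export line
    while True:
        data, peer = sock.recvfrom(2048)
        print(peer[0], parse_v5(data))
```

Gaps in the header sequence number between consecutive datagrams mean export packets are being lost on the way to the collector.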
