netflow registering traffic on incorrect interface



I have a Cisco 2911 router v15.3(1)T with 2 interfaces on which I want to track Netflow data. One is a tunnel interface and the other is gigabitethernet. The tunnel is a backup path and should always have zero production traffic traversing it when the gigabitethernet interface is up.

Functionally the router is doing what it is supposed to. All the traffic is being routed through the gigabitethernet interface. When I do a "show int Tunnel1701" I get the following output, which appears correct:

  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1556 packets input, 137192 bytes, 0 no buffer
     3 packets output, 408 bytes, 0 underruns

However, the associated sensor in PRTG is registering between 200 and 1000kbps of traffic continuously. Here's the relevant config on the router...

 ip flow-cache timeout active 1

interface Loopback0
 ip address

interface Tunnel1701
 description DMVPN backup WAN interface
 ip flow ingress
 snmp ifindex persist

interface GigabitEthernet0/0
 description WAN interface
 ip flow ingress
 snmp ifindex persist

ip flow-export source Loopback0
ip flow-export version 9
ip flow-export interface-names
ip flow-export destination 9995

And the relevant interface indices are 2 and 20:

SP-RT-CS2911-01#sh snmp mib ifmib ifindex
GigabitEthernet0/0: Ifindex = 2
Tunnel1701: Ifindex = 20

In PRTG I have these sensors defined as Custom Netflow v9. The receive port is set to 9995, the Active Flow Timeout is set to 1 minute, and sampling mode is off. All my custom channels are based on only source and destination port number, nothing else. Logging of stream data is disabled. The include filter is "Interface[20]" for the tunnel and "Interface[2]" for the gige port.

Am I missing something important? Oddly, the PRTG graphs for the two interfaces are NOT identical... but the tunnel graph shows continuous traffic in the hundreds of kbps which the routing table and the "sh int" output of the router indicate does not exist.

Thanks, -Mat Rouch

cisco filter netflow

Created on Mar 26, 2013 6:42:26 PM

Last change on Mar 27, 2013 2:18:24 PM by  Torsten Lindner [Paessler Support]

1 Reply




The cause is most likely that the Interface[] filter numbers you are using are not the same as the ifindexes. Please enable the "Log Stream Data to Disk" option on the sensor. The resulting CSV file will feature the interface numbers in it.

Best regards.

Created on Mar 28, 2013 3:48:00 PM by  Torsten Lindner [Paessler Support]
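
An added example (not part of the original thread, and not PRTG's code): a minimal NetFlow v9 decoder that totals bytes per INPUT_SNMP/OUTPUT_SNMP pair, to show which interface numbers an exporter actually places in its flow records. The sample packet and the LAN ifIndex 3 are constructed; only ifIndex 2 and 20 come from the question.

```python
import struct
from collections import Counter

IN_BYTES, INPUT_SNMP, OUTPUT_SNMP = 1, 10, 14  # NetFlow v9 field types (RFC 3954)

def tally_interfaces(packet, templates=None):
    """Sum IN_BYTES per (input ifIndex, output ifIndex) in one v9 export packet."""
    templates = {} if templates is None else templates  # pass a dict to reuse templates
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    totals, pos = Counter(), 20  # flowsets start after the 20-byte header
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, pos)
        if fs_len < 4 or pos + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:  # template flowset: learn each template's field layout
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, off)
                if tid < 256 or nfields == 0 or off + 4 + 4 * nfields > len(body):
                    break  # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, off + 4 + 4 * i)
                                  for i in range(nfields)]
                off += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset with a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            if rec_len == 0:
                raise ValueError("template describes zero-length records")
            for off in range(0, len(body) - rec_len + 1, rec_len):
                rec, p = {}, off
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[p:p + flen], "big")
                    p += flen
                totals[(rec.get(INPUT_SNMP), rec.get(OUTPUT_SNMP))] += rec.get(IN_BYTES, 0)
        pos += fs_len
    return totals

def build_sample():
    """Constructed export packet: one template (id 256) and three flow records."""
    header = struct.pack("!HHIIII", 9, 4, 0, 0, 1, 0)
    template = struct.pack("!HHHH6H", 0, 20, 256, 3, INPUT_SNMP, 2, OUTPUT_SNMP, 2, IN_BYTES, 4)
    flows = [(2, 3, 1500), (2, 3, 500), (20, 3, 64)]  # (in ifIndex, out ifIndex, bytes)
    data = struct.pack("!HH", 256, 4 + 8 * len(flows))
    return header + template + data + b"".join(struct.pack("!HHI", *f) for f in flows)

if __name__ == "__main__":
    for (ifin, ifout), nbytes in sorted(tally_interfaces(build_sample()).items()):
        print(f"in ifIndex {ifin} -> out ifIndex {ifout}: {nbytes} bytes")
```

Each flow record carries both an input and an output interface number, so the tally is keyed on the pair rather than on a single index.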
