Understanding your NetFlow

I was using SevOne at office the other day to pull some reports of the  nonunicast traffic in a vlan to troubleshoot a particular GLBP issue. And  then I wondered what will I do without such tools. Then I became curious  and wanted to know how it actually knows all that information.
SevOne consolidates granular performance data from various data sources  such as SNMP, NetFlow, VoIP, IP SLA, NBAR and WMI onto a unified  dashboard. I want to particularly focus on NetFlow in this paticular  article.

Netflow is a network protocol that was developed by Cisco in 1996. It was  designed to collect IP traffic information. Soon it became an industry  standard for traffic monitoring. There has been several versions of  Netflow developed over the years and its current state is known in the  industry as Flexible NetFlow.

The flow is defined by factors such as Source IP address, Destination IP address, Source port, Destination Port, Layer 3 protocol type.  The version5 which is the most common version in use has 18 such fields.  Version 5 is great if you are just looking for regular IPv4 traffic. It does not provide in depth analysis of the traffic but provides a very good overview of the composition of your traffic flow. The Later versions such as v7 and v8 were extensions of  v5 and had features like router-based aggregation and reduced NetFlow export data volume.

The problem with these versions was that they used fixed export formats that were not flexible and adaptable. This caused the customers to re-engineer for each new version. So they built a more flexible and extensible export format called version 9.  This was done by introducing the notion of template. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format. This new feature supports additional technologies such as MPLS or Multicast.

We also have Internet Protocol Flow Information Export (IPFIX) coming up in the near future which is based on NetFlow Version 9 but acts as a more universal industry standard.

Partial Picture of Internet

EIGRP Stub

When using the EIGRP Stub Routing feature, you need to configure the distribution and remote routers to use EIGRP, and to configure only the remote router as a stub. Only specified routes are propagated from the remote (stub) router. The router responds to queries for summaries, connected routes, redistributed static routes, external routes, and internal routes with the message "inaccessible." A router that is configured as a stub will send a special peer information packet to all neighboring routers to report its status as a stub router. 

Any neighbor that receives a packet informing it of the stub status will not query the stub router for any routes, and a router that has a stub peer will not query that peer. The stub router will depend on the distribution router to send the proper updates to all peers. 

Passive Interface in EIGRP and OSPF

As an extention to the previous lab we also configure OSPF in the above network. So we have both EIGRP and OSPF on both the routers. In order for the routers to choose OSPF over EIGRP we reduce the AD of OSPF from 110 to 5.

Tip: Configure the loopbacks under OSPF point-to-point network. Otherwise OSPF will make them  a /32 network no matter what the actual subnet is.

Now we will check the effect of passive-interface command in OSPF.
1. Enable wireshark capture on R3 fa0/0. Also turn on debug commands on routers.
2. Make fa0/0 on R2 a OSPF passive-interface
3. OSPF drops off and EIGRP kicks in.

*Mar  1 13:39:58.352: %OSPF-5-ADJCHG: Process 1, Nbr 120.120.120.120 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R2#
*Mar  1 13:39:59.788: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Mar  1 13:40:03.868: IP-EIGRP(Default-IP-Routing-Table:1): route installed for 110.110.110.0  ()
*Mar  1 13:40:03.872: IP-EIGRP(Default-IP-Routing-Table:1): route installed for 120.120.120.0  ()
*Mar  1 13:40:03.872: IP-EIGRP(Default-IP-Routing-Table:1): route installed for 100.100.100.100  ()
Sh ip route output before:
Gateway of last resort is not set

     100.0.0.0/32 is subnetted, 1 subnets
O IA    100.100.100.100 [5/11] via 23.23.23.2, 00:00:06, FastEthernet0/0
     33.0.0.0/24 is subnetted, 1 subnets
C       33.33.33.0 is directly connected, Loopback3
     23.0.0.0/30 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, FastEthernet0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback2
     110.0.0.0/24 is subnetted, 1 subnets
O IA    110.110.110.0 [5/11] via 23.23.23.2, 00:00:06, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, Loopback0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, Loopback1
     120.0.0.0/24 is subnetted, 1 subnets
O IA    120.120.120.0 [5/11] via 23.23.23.2, 00:00:08, FastEthernet0/0

Sh ip route output after:

Gateway of last resort is not set

     100.0.0.0/32 is subnetted, 1 subnets
D       100.100.100.100 [90/409600] via 23.23.23.2, 00:02:21, FastEthernet0/0
     33.0.0.0/24 is subnetted, 1 subnets
C       33.33.33.0 is directly connected, Loopback3
     23.0.0.0/30 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, FastEthernet0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback2
     110.0.0.0/24 is subnetted, 1 subnets
D       110.110.110.0 [90/409600] via 23.23.23.2, 00:02:21, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, Loopback0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, Loopback1
     120.0.0.0/24 is subnetted, 1 subnets
D       120.120.120.0 [90/409600] via 23.23.23.2, 00:02:22, FastEthernet0/0





R3 fa0/0 is still receiving hello packets fro R3 fa0/0.. Since R3 is the DR router but there is no response from the other end..