A customer called the other day regarding NetFlow collection and interface descriptions not matching the correct interface instance numbers.  I’d seen this issue before and knew it was not related to the NetFlow configuration, but rather that the device in question was exporting the wrong interface information in the NetFlow packets.

Michael Patterson addressed this issue in his blog, “Messed Up Interface names in Scrutinizer” in February.

To summarize Michael’s blog, the device in question was including interface instance numbers from enterprise mibs in the NetFlow packets, and most NetFlow Traffic Analyzers get the interface descriptions from the standard MIB-2 ifIndex tables.

Vendors/products that have exhibited this interface instance mismatch are:

• Alcatel-Lucent SR 7750 running TMOS-C-5.0.R21.
• Huawei NetStream
• Cisco ASA
• Enterasys NetFlow v5

Cisco has since corrected this issue with the Cisco ASA with the release of version 8.2(2).

Enterasys resolved the issue with NetFlow v9 exports.

For the Alcatel-Lucent SR 7750 and the Huawei devices,  we have developed scripts to address this issue.  For more information on obtaining these patches, please contact Plixer Sales department at 207-324-8805 x3.

We are working to identify other vendors that have also used enterprise MIBs for the interface instances.  We are addressing this issue both with the vendors directly, and by providing patches that will permit Scrutinizer to report the correct interface information in the NetFlow reports.

If you’re currently using Scrutinizer NetFlow Analyzer and are seeing this issue with a device not listed above, please let us know.  If you’re not using Scrutinizer, Plixer’s NetFlow collector,  the free download comes with a 30 day evaluation key and free technical support on initial setup and configuration.

- Joanne

Tags: ASA, Cisco ASA, Cisco NetFlow, NetFlow Analyzer, NetFlow Collector, NetFlow reporting, NetFlow v9, NetStream

This entry was posted on Wednesday, April 28th, 2010 at 9:55 am and is filed under ASA, NetFlow, NetFlow Analyzer, Scrutinizer. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.