Today I will discuss the command “ip flow ingress infer-fields”, mostly used in the NetFlow configuration of NetFlow switches. Being the newest member of the Plixer International Tech Support team I am discovering how amazingly large certain networks can get. This is when an outstanding network monitoring and diagnosis capability come in handy.

Speaking of outstanding network monitoring, in my opinion, implies the use of NetFlow Analysis tools. Once you have a tool that works, you also need to make sure the exporters are configured properly. When it is necessary to configure NetFlow exports on a large number of devices, I can only imagine how easy it can be to omit a command or use one on the wrong device.

Use of  “ip flow ingress infer-fields

I quote the Cisco website, it “Enables NetFlow with inferred input/output interfaces and source/destination BGP as information.”

Enabling NetFlow with inferred input/output interfaces and source/destination information on the Catalyst 6500/6000 prevents issues such as source IP address and destination IP address not being seen in IP Flow.  This might happen due to the following reasons:

  • Packets are blocked by an ACL.
  • Multicast traffic
  • Packets destined for the router
  • Tunnels (IPIP, GRE, IPSEC, L2TP) & WCCP
  • DstIf is NULL when the traffic is dropped because of CAR, etc.

What happens whenip flow ingress infer-fieldsis omitted?

Yesterday I was assisting a customer who was missing the “ip flow ingress infer-fields” command in his Catalyst 4500 NetFlow configurations. It appears that the flow sent to Scrutinizer did not contain the information Scrutinizer needed to figure out what traffic went through what interface. Because of this, Scrutinizer grouped all the traffic into instance 0.  In the status tab, click on the link below to see this.

show interfaces view image
show interfaces link

In reality, you can enable netflow exports on the switch by just using the “ip flow ingress” command.  The difference being that the ip flow ingress infer-fields command will export AS information where the “ip flow ingress” command will not export AS information.  Why not send it to the collector if you can?

Now I know where to look first when the “Show interfaces” view groups all the traffic in instance zero.

Dale Locke author pic

Dale

Dale Locke is the Regional Manager for the southeast US at Plixer. He works with prospects to solve the unique needs of their network and visits existing customers to assist with training. He enjoys developing new partnerships and building long lasting relationships with his clients. Dale's favorite hobbies include fishing, hiking, soccer, and football.

Related

Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply