01-04-2013 03:28 AM - edited 02-21-2020 06:35 PM
Hi,
I have a case where our client have an IPSec Site-to-Site tunnel where traffic is being hair-pinned on a 2901 router.
They would like to collect netflow data on the decrypted payload for accounting purposes.
The problem is that according to order-of-operations on the IOS router, the netflow is recorded before the packet is decrypted ingress, and after the packet is encrypted egress.
Is there a solution to this, or does anyone have any experience with alternate solutions for this scenario?
(e.g SPAN encrypted traffic to a second device which decrypts and generate netflow data?)
Best Regards,
Steffen
01-04-2013 10:25 AM
Hello Steffen,
You may need to configure Flexible NetFlow. Here are a couple blogs that explain it:
http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/
http://www.plixer.com/blog/flexible-netflow/netflow-export-over-ipsec-tunnel/
If they help, please vote on my reply.
Thank you,
Jake Wilson
01-05-2013 08:52 AM
Hi Jake,
Sorry, but you've misunderstood the question.
I don't want to export netflow data over the IPSec tunnel, I want to collect Netflow data based on the payload in the encrypted IPSec packet.
I.e. the flow between the actual hosts which is encapsulated inside the IPSec tunnel, not the IPSec packets between the VPN peers.
01-06-2013 10:40 PM
Hey Steffen,
Instead of using a crypto map, if you would use a DVTI or VTI instead then you could apply netflow on the tunnel or on the virtual-template interface. That's the only workaround I've in mind.
Cheers,
Olivier
01-06-2013 11:15 PM
Hi Olivier,
Yea, we'll probably do that anyway, but will that solve my problem?
Do the tunnel interfaces have a different order of operations than physical interfaces?
01-07-2013 12:17 AM
Hey Steffen,
Yes, the CEF path is then different [crypto map is an output feature, while tunnel protection is a post-encap feature].
Therefore we can apply any output feature such as netflow on a tunnel or virtual-template interface, since then we match the traffic post-decapsulation.
An example from one of my boxes [ping from a VPN peer to 4.2.2.2]. Netflow catches the traffic after decryption.
R1-HUB#sh ip cache flow | i Vi1
Vi1 172.16.1.1 Et0/1 4.2.2.2 01 0000 0800 153
Cheers,
Olivier
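As an added illustration of the workaround Olivier describes (this is example configuration written for this thread, not taken from Olivier's router or from Steffen's client), below is a static VTI with tunnel protection and NetFlow applied on the Tunnel interface itself, so the cache records the inner host-to-host flows rather than the ESP packets between peers. All addresses, the peer 203.0.113.2, the collector 192.0.2.10, the tunnel /30, and the policy/profile names are assumed placeholder values; the pre-shared key is deliberately left as a placeholder.

```cisco
! --- IKE / IPsec policy (assumed values; adjust to the peer's policy) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! placeholder key: replace before use
crypto isakmp key REPLACE-WITH-REAL-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set TS-AES256
!
! --- VTI: NetFlow is applied here, i.e. post-decapsulation / pre-encapsulation ---
interface Tunnel0
 description VTI to remote site (example)
 ip address 10.255.0.1 255.255.255.252
 ip flow ingress
 ip flow egress
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! --- The physical WAN interface carries only the crypto; no 'ip flow' here ---
interface GigabitEthernet0/0
 description WAN (example)
 ip address 198.51.100.1 255.255.255.252
!
! --- Export the cache to a collector (assumed collector address/port) ---
ip flow-export destination 192.0.2.10 2055
ip flow-export version 9
!
! --- Steer the protected subnet into the tunnel (assumed remote prefix) ---
ip route 10.20.0.0 255.255.0.0 Tunnel0
```

To verify, `show ip cache flow | include Tu0` should list entries whose source or destination interface is Tu0 with the real host addresses and protocols (the `Vi1` line in Olivier's output is the dynamic-VTI equivalent). If instead you only ever see protocol `32` (ESP, 0x32) between the two peer addresses on the physical interface, NetFlow is still being taken on the crypto-map path and the accounting will not reflect the inner traffic. For a hair-pinned site-to-site design, each spoke gets its own Tunnel interface (or a DVTI virtual-template on the hub) with `ip flow` applied, so traffic entering one tunnel and leaving another is recorded on both tunnel interfaces after decryption and before re-encryption.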
01-07-2013 12:41 AM
Awesome, thank you Olivier!