Using Netflow with my Cisco 2811

Salonge used Ask the Experts™
Hi all

I have been using Scrutinizer to monitor bandwidth of our wan for over a year.  Recently, we purchased an additional T-1 and with that came a new Cisco Router 2811.  We did not change the device IP's but Scrutinizer will not pick up the device.  I went into the router and put in the correct netflow commands in the interface - fastethernet 0/0. I have two interfaces and the software will not see either interface.  

I can even do an IP export-flow cache  and see the flows coming from the interface.  My problem starts when Scrutinizer no longer will see the device.

Also when I try to ping any inside device from the new router, it will not ping.  I can ping the router from any device on my network.

What am I missing here.

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Does the router have an external (public) or internal IP?
Did the IP addressing change when you got the new router, and is there a firewall inbetween that you need to adjust the NAT pass through on?


Vanbarsoun - the router has an external IP and not an internal.  Neither did the old one.  The IP did not change from the old interface to the new interface.  Cheever000 - there is a firewall between that and my netflow server, but the only thing that changed in the entire scheme was the router itself.  On my new router.
Should you be charging more for IT Services?

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Have you checked the firewall log to see if the router traffic is being blocked for some reason?


no, I did not.  We have a Unix box and I am not certain of the commands to do that.  I tried to ping the firewall from the router and it will not connect.  I can ping the router from my server, but I cannot ping my server from the router.  When this was initially set up, we set our firewall up to get flows and that is still working fine.
could you post the netflow section of your config here too, you see flows when you do an sho ip cache flow

and sho ip flow export?


I can see flows when I do sho ip cache flow and sho ip flow export.

ip flow-cache timeout active 1
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 2055
Do the router know where the network is?

Do you have a static route back to the firewall for the 10.100.90.X network?  it may be sending the flows towards the default route which i would assume is the ISP gateway?


I don't know how to answer that question.  I can ping the router from that IP, but I can't ping the IP from the router.  Nor can I ping any device from that router.  There seems to be something I am missing in the router itself.  That was the only change, we swapped routers.  The new router has 2 fast ethernet interfaces; 2 serial interfaces; and a multilink interface.  We are using the multilink interface and one of the fast ethernet interfaces.  the device we are using is the fast ethernet and the IP associated with it did not change.
The firewall is natting the IP probably, sending responses back to an outside address

do a sho ip route and see if you see the 10.100.90.X network.

if not just add
ip route X.X.X.X

I am of course assuming that is a 24 network and x.x.x.x is the outside of the firewall.

Now that I think about this are you sure your netflow host is correct if the firewall is port forwarding it may be an external address in interface range between the firewall and router?


Thank you , in the IP route command, what is the x x x x?
thats the IP of the gateway to the 10 network which would be the firewalls, interface that connects to the router's IP


"Now that I think about this are you sure your netflow host is correct if the firewall is port forwarding it may be an external address in interface range between the firewall and router?"  I am not sure.  I will add the IP route to see what happens.  Here is what I receive when I do the IP route.

Router#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile,
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter a
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external typ
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-
       ia - IS-IS inter area, * - candidate default, U - per-user
       o - ODR, P - periodic downloaded static route, + - replicat

Gateway of last resort is to network

S* is directly connected, Multilink1 is variably subnetted, 2 subnets, 2 masks
C is directly connected, FastEthernet0/0
L is directly connected, FastEthernet0/0 is variably subnetted, 2 subnets, 2 masks
C is directly connected, Multilink1
L is directly connected, Multilink1
there is a good chance that the IP address you need to send it is in the range some where.  But try adding the route to the 10.100 network and see if anything starts working?


Nothing changed when I added the IP route.


I was able to fix the issue by adding a different ip destination to the router.  Thanks for all your help.
If that is the case I believe I was some help with resolving this as my suggestions pointed to changing the host ip that router was forwarding traffic to.


Yes, you were.  I will award you the points.  Just for the record though, the IP flow-export destination was one in the range of IP's that I did not know anything about.  I had to go into the  old router, they left it, and I found the old configuration.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial