BradReese.Com Instant Quotes

Home About Repair Power Supplies Refurbished Blog Quick Links Site Map Contact Us

 
Brad Reese how to
Archive
  Help

Aironet

Power Supplies

VoIP Gateways

Cisco Repair

Refurbished Cisco

Cisco CPQRGs

New Cisco

New HP ProCurve

Cisco Tools

Competitive Lab Tests

Tech Forums

How-to Tutorials

CCIE Gossip

Blogroll

  
Archive of Brad's how to

Subscribe to Brad's how to

How to export MAC addresses using Cisco's Flexible NetFlow
Sun, 2/20/11 - 11:59pm    View how to tips and comments

CiscoPlixer InternationalLayer 2 information can be tremendously helpful on a LAN. Having the MAC means you can trace a flow down to a specific device when you have duplicate IP's on a network and also provides information on the vendor.

It might sound like it's just a couple clues, but this information could mean the difference between a one-minute troubleshoot and a one-hour troubleshoot. Here's a good tutorial on how to use MAC address export best practices using Cisco's Flexible Netflow:

Learn the 4 steps of an FNF configuration

Destination MAC address report

Destination MAC address report

When you shouldn't

First of all, it's probably unwise to bother with MAC exports unless you're configuring an edge device. Routers remove the original MAC and replace it with their own when they route a packet. If a router is only connected to other routers and firewalls, you'll only be seeing one MAC for all the IPs coming in on an interface. This amounts to between 10 and 40 (useless) Bytes per flow that must be stored by your collector. Secondly, serial interfaces have no MAC. If you configure a serial interface to export a NetFlow record with a MAC, it will send 00:00:00:00:00 (it has to send something).

When you should

Now that we've gotten the "Don'ts" out of the way, let's look at the "Dos." In a Flexible Netflow configuration you can specify which MAC you want to send for a flow. When assembling your flow record, you can ask the router for a source MAC and/or a destination MAC address. Before you can know what to do, you'll need to understand how the configuration works within Flexible NetFlow.

Here are your options for exporting MAC addresses with NetFlow:

collect datalink mac source address input
!Export the source MAC address as it entered the Router
collect datalink mac destination address input
!Export the destination MAC address as it entered the router
collect datalink mac source address output
!Export the source MAC address as it exited the Router (this will be the MAC address of the interface of the router)
collect datalink mac destination address output
!Export the destination MAC address of the flow as it leaves the router

For more information, view Plixer's video below on how to configure Cisco Flexible NetFlow (FnF) which includes exporting MAC addresses:

The good, the bad and the ugly

Here's an example of both input and output (i.e. post) source MAC addresses being exported from a Cisco 2800 running IOS v15.1:

Source MAC address with NetFlow

Source MAC address with NetFlow

Notice that the "postSourceMacAddress" is the same for all the source IP addresses on the 10.1.0.0 network. That's because they're the MAC address of the router. Flows that went nowhere got 00:00:00:00:00. Also, "sourceMacAddress" shows unique MAC addresses because these devices are on the same network as the gateway router. In the example above, it makes much more sense to use the "input" MAC since these are the actual MAC addresses on the devices on the network.

Not just Cisco

Although we often think of Cisco as being the innovators in NetFlow, other vendors are also proving to bring new ideas to the NetFlow / IPFIX table. Enterasys, SonicWall, nProbe and Juniper are all exporting MAC addresses. Some even export VLANs, URLs, latency and much more.

Filtering for MAC addresses

Network performance measurement vendor - Plixer's NetFlow Analyzer, can filter for the MAC addresses by using the Advanced Filter option which lets you filter on any field exported by the NetFlow Template.

Hopefully, this does a good job of illustrating how you need to think about exporting MAC addresses and where its most appropriate. Give Plixer's Mike Patterson a call at 207-324-8805 ext. 222 or email Mike if you need any help with this.

Visit Brad's how to archive.

Don't be shy, what tips can you provide on how to export MAC addresses using Cisco's Flexible NetFlow?

Contact Brad Reese

Subscribe to Brad's how to

Brad's how to picks

  1. RPS is FAULTY in Cisco 2950 switch
  2. Cisco 6500 power supply and fan tray issues
  3. How to replace a Cisco 6500 switch power supply
  4. Cisco Catalyst 4500 does not recognize 1300 W power supply when used with 1400 W supply
  5. How to configure power supply redundancy in Cisco Catalyst 4500 switches
  6. What are the power supply specifications for a Cisco Catalyst 6500?
  7. How to remotely shutdown the power supply installed in a Cisco Catalyst 6500 with a Supervisor Engine 720 that runs Cisco IOS software
  8. How to configure IP addressing
  9. Reporting on Microsoft Exchange with Cisco NetFlow technology
  10. 4 steps to configure Cisco Flexible NetFlow
  11. How-to configure a free NetFlow forwarder or NetFlow duplicator
  12. How-to setup sampled Cisco NetFlow
  13. How to configure a Cisco Nexus 7000 to export NetFlow v9
  14. How to setup Cisco's Flexible NetFlow (FNF) with LEGO Blocks
  15. How to absolutely guarantee QoS with network traffic
  16. How-to configure Cisco Flexible NetFlow for NBAR exports
  17. How to reduce the high cost of T1 service
  18. How to setup Cisco IP SLA jitter monitors
  19. How to use NAT in overlapping networks
  20. Archive of Brad's how to
 
blog comments powered by Disqus

Brad Reese music work ambience

Supplement Cisco SMARTnet Contracts

 

©2011 BradReese.Com - Home - About - Repair - Power Supplies - Refurbished - Blog - Quick Links - Site Map - Contact Us