Maybe this information helps you. I asked that question on the cisco mailing list, and the answer was:

The destination null 0 usually means the packets for the flow are not switched out the box. NetFlow also runs before other features in the switching path and may not be aware of loopback 0 and reports null.
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of news.gmane.org
> > Sent: Thursday, February 23, 2006 1:37 PM
> > To: [EMAIL PROTECTED]
> > Subject: [c-nsp] Netflow & NAT problem
> >
> > Hello,
> >
> > I have a problem with a Cisco 3640 with NetFlow working when NAT is used.
> >
> > cisco-3640#sh ver
> > Cisco Internetwork Operating System Software
> > IOS (tm) 3600 Software (C3640-IO3-M), Version 12.2(32), RELEASE SOFTWARE (fc1)
> > Copyright (c) 1986-2005 by cisco Systems, Inc.
> > Compiled Fri 02-Dec-05 15:19 by
> > Image text-base: 0x60008930, data-base: 0x60A88000
> >
> > ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> >
> > cisco-3640 uptime is 4 hours, 3 minutes
> > System returned to ROM by reload
> > System image file is "flash:c3640-io3-mz.122-32.bin"
> >
> > cisco 3640 (R4700) processor (revision 0x00) with 61440K/4096K bytes of memory.
> > Processor board ID 21961002
> > R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
> > Bridging software.
> > X.25 software, Version 3.0.0.
> > 2 Ethernet/IEEE 802.3 interface(s)
> > 1 FastEthernet/IEEE 802.3 interface(s)
> > 2 Serial network interface(s)
> > DRAM configuration is 64 bits wide with parity disabled.
> > 125K bytes of non-volatile configuration memory.
> > 8192K bytes of processor board System flash (Read/Write)
> >
> > Configuration register is 0x2102
> >
> > When I use debug ip policy I see that my route map works and all NAT traffic goes to Loopback0, where I must see it in NetFlow (as coming to the interface):
> >
> > 04:04:36: IP: s=66.225.214.106 (Ethernet0/0), d=192.168.23.15, len 40, policy match
> > 04:04:36: IP: route map netflow_nat, item 10, permit
> > 04:04:36: IP: s=66.225.214.106 (Ethernet0/0), d=192.168.23.15 (Loopback0), len 40, policy routed
> > 04:04:36: IP: Ethernet0/0 to Loopback0 192.168.23.15
> >
> > But as you can see, I have Null instead of Loopback0 in DstIf:
> >
> > cisco-3640#sh ip cache flow | include 66.225.214.106
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 100C 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 100F 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 1008 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 1007 3
> > Et0/1 192.168.23.15 Et0/0 66.225.214.106 06 0F57 22B8 22
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 22B8 0F57 25
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0EAA 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0EA6 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0EE3 6
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0EC3 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0E71 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FA9 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FBB 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F8C 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F8F 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F98 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F94 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FEF 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FE7 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FE3 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FF2 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FF3 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FCF 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FC5 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FD4 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F1C 9
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F19 6
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F1A 4
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F6A 3
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F64 4
> > Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F7F 3
> >
> > Also, here is my config; maybe somebody knows what I can do with that.
> >
> > Current configuration : 12674 bytes
> > !
> > version 12.2
> > service timestamps debug uptime
> > service timestamps log uptime
> > service password-encryption
> > !
> > hostname cisco-3640
> > !
> > boot system flash c3640-io3-mz.122-32.bin
> > no logging console guaranteed
> > aaa new-model
> > !
> > ip subnet-zero
> > no ip rcmd domain-lookup
> > ip rcmd rsh-enable
> > ip flow-cache entries 4094
> > ip flow-cache timeout inactive 240
> > ip flow-cache timeout active 45
> > ip cef
> > !
> > !
> > ip audit notify log
> > ip audit po max-events 100
> > !
> > !
> > !
> > interface Loopback0
> > ip address 193.xxx.xxx.225 255.255.255.255
> > no ip unreachables
> > no ip proxy-arp
> > ip route-cache flow
> > no ip mroute-cache
> > no keepalive
> > !
> > interface Tunnel0
> > ip address 192.168.200.1 255.255.255.0
> > ip access-group 199 in
> > ip mtu 1470
> > ip nat inside
> > ip route-cache flow
> > no ip mroute-cache
> > tunnel source 172.16.1.1
> > tunnel destination 172.16.0.1
> > tunnel mode ipip
> > !
> > interface Ethernet0/0
> > ip address 172.16.1.1 255.255.255.0 secondary
> > ip address 195.xxx.xxx.66 255.255.255.192
> > ip access-group 199 in
> > no ip unreachables
> > no ip proxy-arp
> > ip nat outside
> > ip route-cache flow
> > no ip mroute-cache
> > ip policy route-map netflow_nat
> > no keepalive
> > half-duplex
> > no cdp enable
> > !
> > interface Serial0/0
> > no ip address
> > shutdown
> > !
> > interface Ethernet0/1
> > ip address 192.168.4.250 255.255.255.0 secondary
> > ip address 193.xxx.xxx.253 255.255.255.252 secondary
> > ip address 193.xxx.xxx.65 255.255.255.192
> > ip access-group 199 in
> > no ip unreachables
> > no ip proxy-arp
> > ip nat inside
> > rate-limit input access-group 115 96000 18000 36000 conform-action transmit exceed-action drop
> > rate-limit input access-group 117 256000 48000 96000 conform-action transmit exceed-action drop
> > rate-limit input access-group 119 64000 12000 24000 conform-action transmit exceed-action drop
> > rate-limit input access-group 121 96000 18000 36000 conform-action transmit exceed-action drop
> > rate-limit input access-group 123 96000 18000 36000 conform-action transmit exceed-action drop
> > rate-limit input access-group 125 96000 18000 36000 conform-action transmit exceed-action drop
> > rate-limit input access-group 127 96000 18000 36000 conform-action transmit exceed-action drop
> > rate-limit input access-group 129 64000 12000 24000 conform-action transmit exceed-action drop
> > rate-limit input access-group 131 64000 12000 24000 conform-action transmit exceed-action drop
> > rate-limit input access-group 135 64000 12000 24000 conform-action transmit exceed-action drop
> > rate-limit input access-group 137 128000 24000 48000 conform-action transmit exceed-action drop
> > rate-limit input access-group 139 64000 12000 24000 conform-action transmit exceed-action drop
> > ip route-cache flow
> > no ip mroute-cache
> > no keepalive
> > half-duplex
> > traffic-shape group 116 96000 12000 12000 128
> > traffic-shape group 118 256000 32000 32000 128
> > traffic-shape group 120 64000 8000 8000 128
> > traffic-shape group 122 96000 12000 12000 128
> > traffic-shape group 124 96000 12000 12000 128
> > traffic-shape group 126 96000 12000 12000 128
> > traffic-shape group 128 96000 12000 12000 128
> > traffic-shape group 130 64000 8000 8000 128
> > traffic-shape group 132 64000 8000 8000 128
> > traffic-shape group 136 64000 8000 8000 128
> > traffic-shape group 138 128000 16000 16000 128
> > traffic-shape group 140 64000 8000 8000 128
> > no cdp enable
> > !
> > interface Serial0/1
> > no ip address
> > shutdown
> > !
> > interface FastEthernet2/0
> > ip address 193.xxx.xxx.9 255.255.255.192
> > ip access-group 199 in
> > no ip unreachables
> > no ip proxy-arp
> > ip nat inside
> > rate-limit input access-group 111 512000 96000 192000 conform-action transmit exceed-action drop
> > rate-limit input access-group 113 96000 18000 36000 conform-action transmit exceed-action drop
> > rate-limit input access-group 133 32000 6000 12000 conform-action transmit exceed-action drop
> > ip route-cache flow
> > no ip mroute-cache
> > no keepalive
> > speed 100
> > full-duplex
> > traffic-shape group 112 512000 32000 32000 512
> > traffic-shape group 114 96000 12000 12000 128
> > traffic-shape group 134 32000 4000 4000 128
> > no cdp enable
> > !
> > ip nat inside source list 5 interface Ethernet0/0 overload
> > ip nat inside source list 102 interface Ethernet0/0 overload
> > ip flow-export source FastEthernet2/0
> > ip flow-export version 5
> > ip flow-export destination 193.xxx.xxx.1 2100
> > ip classless
> > no ip http server
> > !
> > access-list 5 permit 192.168.1.249
> > access-list 5 permit 192.168.1.253
> > access-list 5 permit 192.168.4.0 0.0.0.255
> > access-list 5 permit 192.168.12.0 0.0.0.255
> > access-list 5 permit 192.168.14.0 0.0.0.255
> > access-list 5 permit 192.168.23.0 0.0.0.255
> > access-list 5 permit 192.168.6.0 0.0.0.255
> > access-list 5 permit 192.168.29.0 0.0.0.255
> > access-list 5 permit 192.168.20.0 0.0.0.255
> > access-list 5 permit 192.168.5.0 0.0.0.255
> > access-list 5 permit 192.168.30.0 0.0.0.255
> > access-list 102 permit ip any host 212.109.57.226
> > access-list 102 permit ip any host 213.186.198.70
> > access-list 102 permit ip any host 62.244.21.62
> > access-list 102 permit ip any host 212.82.220.134
> > access-list 103 permit ip any 192.168.0.0 0.0.255.255
> > access-list 199 remark Protecting against some viruses
> > access-list 199 deny tcp any any eq 135
> > access-list 199 deny udp any any eq 135
> > access-list 199 permit ip any any
> > !
> > route-map netflow_nat permit 10
> > match ip address 103
> > set interface Loopback0 Ethernet0/0
> > !
> > line con 0
> > line aux 0
> > line vty 0 4
> > !
> > end
> >
> > _______________________________________________
> > cisco-nsp mailing list [EMAIL PROTECTED]
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/

> Sven Anderson writes:
> Hi Peter,
>
> Peter Nixon, 23.05.2006 22:26:
>
>> This is not what I am seeing on my system nor what cisco says at:
>> http://www.cisco.com/application/pdf/en/us/guest/products/ps6601/c1244/cdccont_0900aecd8045b422.pdf
>>
>> "Since both the ping and the Telnet session were part of a two-way flow of traffic, we might expect four NetFlow records, rather than two. For each traffic type, one flow represents traffic on the way out; another flow represents traffic on the way back. However, with one exception to be discussed later, NetFlow only tracks flows on the physical ingress port, not the egress port. In this example, NetFlow had been disabled intentionally on interface Fa4/0, so that this issue could be illustrated. In order to track the two-way nature of IP traffic flows, it is necessary to enable NetFlow on all interfaces of a router."
>>
>
> OK, now I understand your problem. I don't have too much Cisco experience, and didn't know about this strange behaviour. This means that NAT breaks the whole thing. Maybe they offer some "workaround" configuration, like "rewrite ingress traffic with nat table" or so, which you could enable on the external port? But I think it's a broken design to offer NAT, but not to meter egress traffic.
>
>
>> I am using Netflow 9. I am going to try to upgrade my IOS and see if that helps.
>>
>
> Netflow v9 should offer a flow key like "postDestinationIPAddress", which contains the IP address after the NAT process; then you have both IP addresses in the flow, but nfacct cannot handle this flow key yet AFAIK.
>
>
> Cheers,
>
> Sven
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
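The thread's practical problem is collector-side: the `sh ip cache flow` records for the NAT'd inbound leg carry a `Null` DstIf, and a naive per-interface accounting script either drops those flows or silently sums them. The script below is an added example and is not code from the thread, from pmacct/nfacct or from Cisco. It parses lines in the column layout shown on the page (SrcIf SrcIP DstIf DstIP Pr SrcP DstP Pkts, protocol and ports in hex), accounts packets per inside host in both directions, and keeps a separate counter for inbound packets whose egress interface was reported as Null, so the gap stays visible instead of disappearing into a total. The sample lines, the regular expression and the inside prefix (taken from access-list 103 in the quoted config) are constructed for this example.

```python
"""Account NAT'd traffic from 'show ip cache flow' output, flagging Null egress.

Added example, not code from the thread. Column layout follows the output
quoted on the page: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts,
with the protocol number and both ports in hexadecimal.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the page's format: reply flows from an outside web
# server arriving on Et0/0 (the record already carries the inside address as
# destination and reports a Null egress interface) plus the inside host's own
# outbound flow, which is the only one with a real DstIf.
SAMPLE = """\
Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 100C 3
Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 100F 3
Et0/1 192.168.23.15 Et0/0 66.225.214.106 06 0F57 22B8 22
Et0/0 66.225.214.106 Null 192.168.23.15 06 22B8 0F57 25
"""

# Assumed inside range; mirrors access-list 103 in the quoted config.
INSIDE = ipaddress.ip_network("192.168.0.0/16")

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>[\d.]+)\s+(?P<dst_if>\S+)\s+(?P<dst_ip>[\d.]+)"
    r"\s+(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})"
    r"\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


def parse_flow(line):
    """Parse one cache-flow line; return None for the header row or junk."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["proto"] = int(f["proto"], 16)
    f["sport"] = int(f["sport"], 16)
    f["dport"] = int(f["dport"], 16)
    f["pkts"] = int(f["pkts"])
    # NetFlow meters on ingress only; 'Null' here means it reported no egress
    # interface for the flow, not that the packets were necessarily dropped.
    f["egress_unknown"] = f["dst_if"] == "Null"
    return f


def parse_flows(text):
    return [f for f in (parse_flow(ln) for ln in text.splitlines()) if f]


def account(text):
    """Per inside host: packets in, packets out, and how many of the inbound
    packets were reported with a Null egress interface."""
    totals = defaultdict(
        lambda: {"in_pkts": 0, "out_pkts": 0, "in_pkts_null_egress": 0}
    )
    for f in parse_flows(text):
        src = ipaddress.ip_address(f["src_ip"])
        dst = ipaddress.ip_address(f["dst_ip"])
        if dst in INSIDE:
            totals[str(dst)]["in_pkts"] += f["pkts"]
            if f["egress_unknown"]:
                totals[str(dst)]["in_pkts_null_egress"] += f["pkts"]
        if src in INSIDE:
            totals[str(src)]["out_pkts"] += f["pkts"]
    return dict(totals)


def null_egress_flows(text):
    """Flows whose DstIf is Null, as (src_ip, dst_ip, proto, sport, dport, pkts)."""
    return [
        (f["src_ip"], f["dst_ip"], f["proto"], f["sport"], f["dport"], f["pkts"])
        for f in parse_flows(text)
        if f["egress_unknown"]
    ]


if __name__ == "__main__":
    for host, t in sorted(account(SAMPLE).items()):
        print(f"{host}: in={t['in_pkts']} out={t['out_pkts']} "
              f"in-with-null-egress={t['in_pkts_null_egress']}")
```

On the sample above every inbound packet for 192.168.23.15 is reported with a Null egress interface, which is the situation the original poster describes: the inbound leg is metered (it arrived on Et0/0, where NetFlow runs) but cannot be attributed to an inside interface, so any per-interface egress report built from these records undercounts by exactly that amount.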
