Netflow - Duplicate Packets or Flows

I have Netflow enabled on my Cat 6509. I am using a 3rd party Netflow collector. I am exporting the flows from my VLAN's. When I examine the traffic in my collector, the flows appear to be twice what they are in reality. For example, if I copy a 100 MB file from one server to another over Windows file sharing, the flow colllector reports that the transfer was 200 MB. The collector has the ability to display incoming and outgoing traffic separately, so I don't think this is an issue of duplex traffic being displayed.

I called Cisco, and the engineer said this is expected when exporting flows from a VLAN -- that the flows will be exported as the traffic enters then leaves the VLAN. He said that this known behavior, and there is no way around it using Layer2. He said it is up to the Netflow collector to handle the de-duplication.

When I call the Netflow collector vendor, they say there is a configuration issue with the 6509.

IOS Native mode -- 12.2(18)SXF13

Here's my config entries

ip flow ingress layer2-switched vlan 1,11-13,110 mls aging fast time 8 threshold 127 mls aging normal 32 mls flow ip full mls flow ipx destination mls nde sender version 5 no mls acl tcam share-global

interface Vlan11 no ip address ip route-cache flow ! interface Vlan12 no ip address ip route-cache flow ! interface Vlan13 no ip address ip route-cache flow

ip flow-export destination x.x.x.x 2055

I wonder if anyone lese out there has experienced the same problem. If so, were you able to find a work around?

Any help is appreciated.

Reply to
Loading thread data ...

is this the case for both TCP and UDP traffic? what are the results of doing an IPERF test?


Reply to

If I do an iperf test using TCP, the total amount trasnferred is 100 MBytes. My collector shows 200 MBytes. Data rate in iperf is @ 95 mbits per sec. My collector shows almost 200 mbits per sec.

If I do the same test with iperf using UDP, the total amount tranferred is 1.25 MBytes. My collector shows @ 2.5 MBytes. Data rate in iperf is @ 1 mbit per sec. It's hard to narrow this down in my collector because of other traffic obscurring my test.

It looks like my collector is registering 2X the traffic whether it is UDP or TCP.

Reply to
sillz Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.