1. Home
  2. Cisco Systems
  3. Weird Netflow problem...

Weird Netflow problem...

I've been doing netflow reporting on my 7206 for awhile now. Since my IOS doesn't support egress, I enable "ip route-cache flow" on all the interfaces (the BGP uplinks, and links that go downstream to equipment). On the 7206 I am running IOS 12.0(28d).

I am replacing the 7206 with a 6509 with Sup2 engines. The 6509 is currently running 12.2(18)SXD7b.

I proceeded to config netflow the way I did on the 7206:

"ip route-cache flow" on all active interfaces, and:

ip flow-export destination X.X.X.X 8787 ip flow-export version 5 origin-as

for the export. Destination host is FreeBSD box running flow-tools.

So here the problem. I am only seeing flow data for one interface, mainly my uplink:

# sh ip cache flow

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Fa7/1 204.8.21.1 Local 65.47.112.162 01 0000

0800 2 Fa7/1 196.207.40.238 Null 208.82.128.136 06 E99A 0017 2 Fa7/1 190.37.26.9 Null 208.82.130.2 11 F527 52D0 1 Fa7/1 96.230.64.193 Null 208.82.130.159 06 0ED7 361A 1 Fa7/1 212.52.154.98 Null 208.82.130.195 11 0A81 0035 2 Fa7/1 218.98.194.2 Null 208.82.131.86 11 0F75 059A 1 Fa7/1 218.64.237.219 Null 208.82.130.251 11 0637 059A 1

and thats it. No data for any of the the other interfaces like Fa7/2, Fa7/3 and so on. On these other interfaces are definitely live and pumping data.

Any ideas? Is it an IOS bug, or am I configuring the wrong way?

Thanks. john

Reply to
essenz
Loading thread data ...

You don't configure it that way on a 6500. To configure netflow on the 6500 you need to configure "mls flow ip " The flow route-cache option doesn't capture CEF switched flows on the 6500 because they are switched by the MSFC card, so take those statements out.

Reply to
Thrill5

Ok, I read up on the mls stuff, and I have added those configs.

But are you saying I should still remove all the ip route-cache flow entries from all my interfaces?

This is what my current config looks like now:

mls aging fast time 64 mls aging long 64 mls aging normal 64 mls flow ip full mls nde sender version 5 mls sampling time-based 64 ! interface FastEthernet7/1 description BGP Uplink ip address X.X.X.X 255.255.255.252 ip route-cache flow no ip mroute-cache ! interface FastEthernet7/2 description Server ip address X.X.X.X 255.255.255.0 ip route-cache flow no ip mroute-cache ! ip flow-export version 5 origin-as ip flow-export destination X.X.X.X 8787

Reply to
essenz

Yes, you don't need them because the flows will be captured by the mls flows. The "ip route-cache flow" entries will not have all the information you need and will be duplicates of flows already captured via the mls flows.

Reply to
Thrill5

That's not completely true. It's better to have both definitions in the config. Let me explain:

How MLS (Multi Layer Switching) and CEF works? First packet in the flow gets through Layer3 to find our a routing path. They Routing engine sends this information to Switching engine, and all remaining packets in the flow got switched instead of been routed. So, if you have the only "ip route-cache flow" statement, you will see the only "first packets", and if you have the only "mls flow", you will se the only "continuation traffic". So, it's better to have both.

Good luck,

Mike CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc. CCIE R&S (in progress), CCIE Voice (in progress)

------ Headset Adapters for Cisco IP Phones

formatting link
formatting link

Reply to
headsetadapter.com

You are describing "fast switching", the predecessor to CEF. With CEF, all packets are hardware routed including the first packet. Fast switching built the FIB (forwarding information base) from the flows going through the router just as you describe. CEF builds the FIB from the routing table, so all packets are hardware routed including the first one.

Reply to
Thrill5

Actually, what Mike described is "Netflow switching", which was the basis of earlier versions of MLS, such as the MLS used on the Catalyst

6000/65000 Sup-1.

Fast switching is similar, but the cache is keyed on destination address, rather than on what one typically would call "flows". Although with MLS, it may have been possible to set the flow mask to "destination-only", so that Netflow switching would indeed devolve to fast switching.

Newer MLS implementations such as those on the Sup-2/PFC-2 and PFC-3 (Sup32, Sup720, RSP720) usually use (a TCAM-based implementation of) CEF for the forwarding decision, although in some cases (NAT, [IPv6] multicast?) they can do flow-based forwarding too.

Reply to
Simon Leinen

PFC 3 / DFC3 has dedicated hardware for collecting netflow stats, based on a parallel set of TCAM to that used for routing.

i think the same happens on PFC2

only software switched flows have netflow collected by the MSFC

formatting link

Reply to
stephen

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.