[c-nsp] Netflow config on 6500 720-3B

Wed Jun 6 10:24:41 EDT 2007

 New to list...

   Could anyone on this list help with the correct config for NETFLOW 
EXPORT for version 9 on a CISCO 6500 with SUP-720-3B running 12.2.18-SXF.  

    We are trying to export the flows to a "QRadar" device but the date 
we are seeing does not come close to what we see with our MRTG data.  I 
understand that flows are not every packet but the flow data does 
contain the count and QRadar can show the flows in bits per second and 
packets per second.  It appears that only routed (RP) flows are pushed 
out, and according to the doc you don't need the MLS configs (SP/PFC) 
for version 9.  We also do not have bridged flows. All data is routed 
except for some monitoring ports.
    I could use version 5 but 9 has TCP connection info.

    I have already discussed this with CISCO, but they never give me the 
same answer twice.  The doc is extremely confusing when it comes to the 
7203B running 12.2.18SXF version 5 or 9.

Maybe it's working correct and I just don't know it.
   ----------------------------

This is what I have setup....

ip flow-cache timeout inactive 10
ip flow-cache timeout active 5

Not sure about if the following is needed
ip flow ingress layer2-switched vlan 268,524-525,3553,4000-4001

On all vlan interfaces I have the following...
ip route-cache flow

ip flow-export source Loopback2
ip flow-export version 9
ip flow-export template options export-stats
ip flow-export template options timeout-rate 1
ip flow-export template timeout-rate 1
ip flow-export destination "host IP" 2055
ip flow-aggregation cache protocol-port
 export version 9
 export template timeout-rate 1
 export destination "host IP" 2055
 enabled  

------------------------------------------

Thanks for any help.

Jeff Fitzwater
OIT Network Systems
Princeton University