[nsp] Netflow on E3 LC

Dmitri Bouianovski dbouiano at cisco.com
Thu Aug 14 01:11:46 EDT 2003


>as far as I understand, newer engines with higher bandwidth can't do
>netflow per packet at those rates so the sampling mode was introduced
>read this one:
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s11/12s_sanf.htm
>

Actually E3 LCs support both raw (v5) NF in sampled mode and
aggregated (v8) NF in full (non-sampled) mode.

Configuration of an aggregated NF scheme in full (non-sampled) mode
on an E3 LC is the same as on any other platform. One should just
increase the number of entries in the aggregation cache to at least
64K-128K, or to a bigger number depending on the aggregation scheme
and traffic, to optimize the feature's performance. Here is an example.

conf t
  int pos 3/0
    ip route-cache flow
  exit
  ip flow-aggregation cache source-prefix
    cache entries 128000
    export destination 6.1.1.3 3000
    enabled
  exit
  ip flow-export version 5 origin-as


Here is a NetFlow feature matrix for c12000 ISE (engine 3) LCs.

--------------------------------+---------------------+----------------------
                                | Raw NetFlow (1)     |  Aggregated NetFlow (2)
--------------------------------+---------------------+----------------------
Accounted Traffic               | IPv4, MPLS          |  IPv4
--------------------------------+---------------------+----------------------
Export Format                   | v5, v9 (3)          |  v8, v9 (4)
--------------------------------+---------------------+----------------------
E3 support in full mode   (6)   | No                  |  Yes (5)
--------------------------------+---------------------+----------------------
E3 support in sampled mode (7)  | Yes                 |  Yes
--------------------------------+---------------------+----------------------

(1) An IPv4 raw flow is defined as a unidirectional set of IPv4 packets
that arrive at a router on the same sub-interface with a unique set
of the following key fields: source and destination IP addresses,
transport layer protocol, source and destination application
(TCP/UDP) port numbers and IP Type of Service (ToS).

(1) An MPLS raw flow is defined as a unidirectional set of MPLS
packets that arrive at a router on the same sub-interface with a
unique set of the following key fields: up to 3 MPLS labels of
interest, corresponding EXP and EOS bits, and all key fields of an
IPv4 flow if there is an IPv4 packet under the MPLS label stack.

(2) There are a number of aggregation schemes: AS, Protocol-Port,
Source-Prefix, Destination-Prefix, Prefix, AS-TOS, Source-Prefix-TOS,
Destination-Prefix-TOS, Prefix-TOS, Prefix-Port, BGP-Next-Hop-TOS.
Each of them defines an aggregated flow that groups together IPv4 raw
flows with a particular set of common fields. For example, AS
aggregation scheme groups together raw flows which have the same
source and destination BGP AS's and source and destination
interfaces, ignoring all other fields.

(3) IPv4 flows can be exported either in v5 or v9 format but MPLS
flows in v9 format only.

(4) BGP Next Hop TOS aggregation scheme flows can be exported in v9
format only.

(5) BGP Next Hop TOS aggregation scheme is not supported by E3 in
full (non-sampled) mode. It's supported by E3 in Sampled mode only.

(6) Full mode means that NetFlow accounting is performed for *every*
packet arriving at a NetFlow-enabled interface.

(7) Sampled mode means that NetFlow accounting is performed for one
out of N sequential packets arriving at a NetFlow-enabled interface,
where N is a user-configurable parameter.

Dmitri
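
The flow definitions in notes (1), (2) and (7) above, as an added example that is not part of the original message: constructed raw flows are grouped under the raw, AS and source-prefix keys to show how many cache entries each needs, with counters scaled by N for sampled mode. The record layout, the sample values and the source-prefix key (masked source prefix, source AS, input interface) are assumptions of this sketch; note that the port and destination detail a detection rule might rely on is gone once flows are aggregated.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_network

Flow = namedtuple("Flow", "in_if out_if src dst proto sport dport tos "
                          "src_as dst_as src_mask pkts octets")

# Constructed sample records (documentation address ranges, private AS numbers).
RAW_FLOWS = [
    Flow(1, 2, "192.0.2.10", "198.51.100.5", 6, 40001, 80, 0, 64512, 64513, 24, 10, 6000),
    Flow(1, 2, "192.0.2.10", "198.51.100.5", 6, 40002, 80, 0, 64512, 64513, 24, 4, 2400),
    Flow(1, 2, "192.0.2.77", "198.51.100.9", 17, 5353, 53, 0, 64512, 64513, 24, 2, 160),
    Flow(1, 3, "203.0.113.8", "198.51.100.5", 6, 40003, 443, 0, 64514, 64513, 24, 7, 4200),
]

def raw_key(f):
    # Note (1): sub-interface plus addresses, protocol, ports and ToS.
    return (f.in_if, f.src, f.dst, f.proto, f.sport, f.dport, f.tos)

def as_key(f):
    # Note (2): source/destination AS and source/destination interface.
    return (f.src_as, f.dst_as, f.in_if, f.out_if)

def source_prefix_key(f):
    # Assumed key for the source-prefix scheme: masked source prefix,
    # source AS and input interface.
    prefix = ip_network(f"{f.src}/{f.src_mask}", strict=False)
    return (str(prefix), f.src_as, f.in_if)

def aggregate(flows, key_fn, sampling_n=1):
    """Group flows by key_fn; scale counters by N for 1-in-N sampled records."""
    cache = defaultdict(lambda: {"flows": 0, "pkts": 0, "octets": 0})
    for f in flows:
        entry = cache[key_fn(f)]
        entry["flows"] += 1
        entry["pkts"] += f.pkts * sampling_n
        entry["octets"] += f.octets * sampling_n
    return dict(cache)

if __name__ == "__main__":
    for name, fn in (("raw", raw_key), ("as", as_key),
                     ("source-prefix", source_prefix_key)):
        print(name, len(aggregate(RAW_FLOWS, fn)), "cache entries")
```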


> > -----Original Message-----
> > From: Majid Siddiq [mailto:majid at pie.net.pk]
> > Sent: Tuesday, August 12, 2003 14:18
> > To: Yuval Ben-Ari; cisco-nsp at puck.nether.net
> > Subject: Re: [nsp] Netflow on E3 LC
> >
> >
> > Yes, missed out that one. "show ip flow sampling" did the trick.
> > Sampled flow is working now.
> >
> > But what about the normal netflow; can't we enable normal netflow
> > on Engine 3 cards?
> >
> > regards
> > majid
> >
> > ----- Original Message -----
> > From: "Yuval Ben-Ari" <yuvalba at netvision.net.il>
> > To: "Majid Siddiq" <majid at pie.net.pk>; <cisco-nsp at puck.nether.net>
> > Sent: Tuesday, August 12, 2003 5:53 PM
> > Subject: RE: [nsp] Netflow on E3 LC
> >
> >
> > you need to globally enable flow-sampling with "ip flow-sampling-mode
> > packet-interval X"
> > you can verify with "show ip flow sampling"
> > I know it is explained somewhere on the CCO
> >
> > > -----Original Message-----
> > > From: Majid Siddiq [mailto:majid at pie.net.pk]
> > > Sent: Tuesday, August 12, 2003 8:59 AM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [nsp] Netflow on E3 LC
> > >
> > >
> > > Hi,
> > >
> > > I am unable to get any data when I enabled netflow on POS
> > > interfaces of ISE card on 12410. IOS is 12.0.25S1.
> > >
> > > Same result with 'sampled' option and 'direction'.
> > >
> > > Any clue of what's going on? I have not searched the bug toolkit
> > > and have not found any relevant bug.
> > >
> > > IP packet size distribution (0 total packets):
> > >    1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
> > >    .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
> > >
> > >     512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
> > >    .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
> > >
> > > IP Flow Switching Cache, 69636 bytes
> > >   0 active, 1024 inactive, 0 added
> > >   0 ager polls, 0 flow alloc failures
> > >   Active flows timeout in 30 minutes
> > >   Inactive flows timeout in 15 seconds
> > >   last clearing of statistics 17:51:39
> > > Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
> > > --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
> > >
> > > Actual flows can be seen on line cards only
> > >         Do "attach <slot>" and re-enter the show command
> > >
> > > regards
> > > majid
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/


