[c-nsp] Netflow and Null0 configurations and performance on 7609

[Kim Onnel]

Hello,

On my 7609 with IOS V. 12.2(18)SXD, I have the following
configurations for netflow

7600#sh run | in flow
mls flow ip interface-full
no mls flow ipv6
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
ip flow-export source Loopback0
ip flow-export version 5 peer-as
ip flow-export destination x.x.x.x 2055

7600#sh run | in mls
mls aging fast time 5 threshold 32
mls aging long 300
mls aging normal 60
mls flow ip interface-full
no mls flow ipv6
mls qos
mls cef error action freeze


Please correct me if i am wrong :

sh ip cache flow: gives me the flows that matched an ACL an their port
numbers and prot. in Hex like :

PO3/1/0       x.x.164.187   Null       x.X.x.x 			  06 1108 0087     1
PO4/0/0       x.x.189.191  Null        x.x.x.x  			06 0C09 0087     1
Gi5/1            x.x.229.197 Null         192.168.34.97   	06 27B2 01BD     1

But because I enabled 'mls flow ip interface-full',  I can see also
the flows that didn't match an ACL like :

Gi5/1             x.x.242.32          	   3.70.46.112      	udp     
	20102    	 6346      1
 1019             x.x.243.1     	   x.1x9.210.126    	tcp      	62351 
   	4662      259
 1019             x.x.127.191 	  1x.2x.252.208   	tcp      	4618     
	16881     5
 1020             x.x.240.4        	  xx.1x.134.154    	tcp      	www 
     	1354      7
 Gi5/1            x.x.25.77        	 8x.x.115.231      	tcp     	1475 
    	32656     7
 1020             x.142.231.9        	  2x.2xx2.232.3     	tcp     
	5100      	1704      11

As you can see on the left most column of the result of 'sh ip cache
flow', the interface names are written in letters,

but on the second results, the names are written in numbers (1020,
1019, 1016…) except for one of the Giga Ethernet interfaces(Gi5/1), it
is still written in letters,

My observation is that even if I disabled netflow (ip route-cache
flow) from underneath all interfaces, except for one serial interface,
I still get Gi5/1 in the results, and not the serial one that i want
to look at, is there a known reason for that ?

So, why am I getting numbers instead of names ?

My Netflow analysis tool doesnt report anything, even though i
minimized its screaming thresholds, could this relate to its unability
to read the interfaces numbers correctly,

Also, What is the difference between the result of 'sh ip cache flow'
and 'sh mls netflow ip' commands?

On my hand is a case of an increase in the number of pps on one T3
link from average 5-10 Kpps to 20 – 28 Kpps suddenly and it just kept
on 27 Kpps, ranging from 26 to 28 Kpps

I had to improvise so what I did was using the *nix command 'script
/tmp/data' on a *nix box, logging to the switch, configured 'term
length 0', and then scrolling 'sh ip cache flow' and then on the
results file I did :

awk '{print $2}' /tmp/data | sort | uniq –c | sort –rn | head

And I get the IP addresses that reoccurred in the file, and i kept
tracing them, putting ACLs,..

What i would like to know, is there any CLI commands that can identify
top talkers, anything beside 'sh ip cahe flow | in K', because it
never gave me any results,


Are the configurations of Netflow above optimum ? Any other available
useful features that is should turn on ?

Another issue is that I have an mrtg graph for Null0, so I can monitor
scans, but there seems to be no hits on the interface, which is
impossible, I can see from my flows some packets going to dark address
space which we have a static for Null0 to.

7600#sh run int Null0

interface Null0
 no ip unreachables
end

Is there any extra configurations needed, or is it an issue with my
7600 and IOS ?

I would most definitely wish to see a document/post with most common
netflow configurations, tricks and knobs known to man.