[c-nsp] Netflow and Null0 configurations and performance on 7609

Ahmed Maged ahmed_maged at rayatelecom.net
Mon Apr 11 05:14:08 EDT 2005

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kim Onnel
Sent: Sunday, April 10, 2005 11:33 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Netflow and Null0 configurations and performance on 7609

Hello,

On my 7609 with IOS V. 12.2(18)SXD, I have the following configurations
for netflow:

7600#sh run | in flow
mls flow ip interface-full
no mls flow ipv6
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
ip flow-export source Loopback0
ip flow-export version 5 peer-as
ip flow-export destination x.x.x.x 2055

7600#sh run | in mls
mls aging fast time 5 threshold 32
mls aging long 300
mls aging normal 60
mls flow ip interface-full
no mls flow ipv6
mls qos
mls cef error action freeze

Please correct me if I am wrong:

sh ip cache flow: gives me the flows that matched an ACL and their port
numbers and protocol in hex, like:

Correct

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
PO3/1/0       x.x.164.187     Null          x.X.x.x         06 1108 0087     1
PO4/0/0       x.x.189.191     Null          x.x.x.x         06 0C09 0087     1
Gi5/1         x.x.229.197     Null          192.168.34.97   06 27B2 01BD     1

But because I enabled 'mls flow ip interface-full', I can also see the
flows that didn't match an ACL, like:

SrcIf         SrcIPaddress    DstIPaddress    Pr  SrcP  DstP  Pkts
Gi5/1         x.x.242.32      3.70.46.112     udp 20102 6346     1
1019          x.x.243.1       x.1x9.210.126   tcp 62351 4662   259
1019          x.x.127.191     1x.2x.252.208   tcp 4618  16881    5
1020          x.x.240.4       xx.1x.134.154   tcp www   1354     7
Gi5/1         x.x.25.77       8x.x.115.231    tcp 1475  32656    7
1020          x.142.231.9     2x.2xx2.232.3   tcp 5100  1704    11

As you can see in the left-most column of the result of 'sh ip cache
flow', the interface names are written in letters, but in the second
result the names are written in numbers (1020, 1019, 1016...), except
for one of the Gigabit Ethernet interfaces (Gi5/1), which is still
written in letters.

My observation is that even if I disabled netflow (ip route-cache flow)
from underneath all interfaces, except for one serial interface, I still
get Gi5/1 in the results, and not the serial one that I want to look at.
Is there a known reason for that?

So, why am I getting numbers instead of names?

They are vlan numbers. The ifindexes are filled in based upon this value
when the flow is exported to the collector. To see what vlan is assigned
to an interface look at "sh vlan internal usage"

My Netflow analysis tool doesn't report anything, even though I
minimized its screaming thresholds; could this relate to its inability
to read the interface numbers correctly?

Also, what is the difference between the result of 'sh ip cache flow'
and 'sh mls netflow ip' commands?

On my hands is a case of an increase in the number of pps on one T3 link
from an average of 5-10 Kpps to 20-28 Kpps suddenly, and it just kept on
at 27 Kpps, ranging from 26 to 28 Kpps.

I had to improvise, so what I did was use the *nix command 'script
/tmp/data' on a *nix box, log in to the switch, configure 'term length
0', and then scroll through 'sh ip cache flow', and then on the results
file I did:

awk '{print $2}' /tmp/data | sort | uniq -c | sort -rn | head

And I get the IP addresses that reoccurred in the file, and I kept
tracing them, putting ACLs, ...

What I would like to know is, are there any CLI commands that can
identify top talkers, anything besides 'sh ip cache flow | in K',
because it never gave me any results?

Are the configurations of Netflow above optimum? Any other available
useful features that I should turn on?

Another issue is that I have an mrtg graph for Null0, so I can monitor
scans, but there seem to be no hits on the interface, which is
impossible; I can see from my flows some packets going to dark address
space which we have a static for Null0 to.

7600#sh run int Null0

interface Null0
 no ip unreachables
end

Is there any extra configuration needed, or is it an issue with my 7600
and IOS?

I would most definitely wish to see a document/post with the most common
netflow configurations, tricks and knobs known to man.
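
The following is an added example for this thread, not code from either
poster. It does in Python what the 'script /tmp/data' plus awk pipeline
above does (rank source addresses by how often they appear in the flow
cache) and adds two things the thread asks about: the bare numbers that
turn up in the SrcIf column once 'mls flow ip interface-full' is on are
mapped back to interface names through a 'sh vlan internal usage'
listing, and entries whose DstIf is Null (traffic absorbed by the static
route to Null0) are counted separately. Every listing inside the block
is constructed for the example, the interface-to-VLAN assignments are
assumptions, and the addresses come from the RFC 5737 documentation
ranges.

```python
"""Summarise a captured 'sh ip cache flow' listing from a 7600.

Added example for this thread, not code from the original posts. The
capture and the 'sh vlan internal usage' listing below are constructed;
the interface names assigned to VLAN 1019/1020 are assumptions.
"""
import re
from collections import Counter

# Constructed capture. It mimics the two row shapes seen in the thread:
# software-switched rows carry a DstIf column, the hardware ("mls") rows
# do not, and hardware rows may show the source interface as a bare number.
SAMPLE_CAPTURE = """\
7600#sh ip cache flow
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
PO3/1/0       198.51.100.187  Null          203.0.113.10    06 1108 0087     1
PO4/0/0       198.51.100.191  Null          203.0.113.11    06 0C09 0087     1
Gi5/1         192.0.2.197     Null          192.168.34.97   06 27B2 01BD     1
Displaying Hardware entries in Module 5
SrcIf         SrcIPaddress    DstIPaddress    Pr  SrcP  DstP  Pkts
Gi5/1         192.0.2.32      203.0.113.112   udp 20102 6346     1
1019          192.0.2.1       203.0.113.126   tcp 62351 4662   259
1019          192.0.2.191     203.0.113.208   tcp 4618  16881    5
1020          192.0.2.4       203.0.113.154   tcp www   1354     7
Gi5/1         192.0.2.77      203.0.113.231   tcp 1475  32656    7
1020          192.0.2.4       203.0.113.3     tcp 5100  1704    11
"""

# Constructed 'sh vlan internal usage' listing: the hidden VLANs the box
# allocates to routed ports. Which port owns which VLAN is an assumption.
SAMPLE_VLAN_USAGE = """\
VLAN Usage
---- --------------------
1016 online diag vlan3
1019 Serial3/0/0
1020 GigabitEthernet5/1
"""

# One regex for both row shapes: the DstIf column is optional, ports may be
# hex (software rows), decimal or a service name such as "www".
ROW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:(?P<dst_if>\S+)\s+)?(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<sport>\S+)\s+(?P<dport>\S+)\s+(?P<pkts>\d+)\s*$"
)


def parse_vlan_usage(text):
    """Map hidden VLAN number -> what 'sh vlan internal usage' says owns it."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(.+?)\s*$", line)
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping


def parse_flows(text, vlan_map=None):
    """Turn the raw capture into dicts, skipping prompts, headers and banners.

    Numeric SrcIf values are translated through vlan_map; numbers not in the
    map are kept as 'vlan<N>' so they still stand out in the output.
    """
    vlan_map = vlan_map or {}
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        f = m.groupdict()          # dst_if is None for hardware rows
        f["pkts"] = int(f["pkts"])
        if f["src_if"].isdigit():
            f["src_if"] = vlan_map.get(f["src_if"], "vlan" + f["src_if"])
        flows.append(f)
    return flows


def top_talkers(flows, field="src_ip", by_packets=False, n=10):
    """Rank the values of one column, most frequent first.

    by_packets=False is the thread's awk | sort | uniq -c | sort -rn pipeline
    (number of cache entries per value); by_packets=True ranks by the Pkts
    column instead, which is what a pps spike on a link calls for.
    """
    counts = Counter()
    for f in flows:
        counts[f[field]] += f["pkts"] if by_packets else 1
    return counts.most_common(n)


def null0_flows(flows):
    """Entries whose DstIf is Null: traffic to dark address space that the
    static route to Null0 is absorbing, visible in the cache even when the
    Null0 interface graph shows nothing."""
    return [f for f in flows if f.get("dst_if") == "Null"]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CAPTURE, parse_vlan_usage(SAMPLE_VLAN_USAGE))
    print("top sources by entries  :", top_talkers(flows, n=3))
    print("top sources by packets  :", top_talkers(flows, by_packets=True, n=3))
    print("top dst ports by entries:", top_talkers(flows, field="dport", n=3))
    for f in null0_flows(flows):
        print("Null0 hit:", f["src_if"], f["src_ip"], "->", f["dst_ip"], f["dport"])
```

Feed it the file written by 'script' instead of SAMPLE_CAPTURE and the
ranking by packets rather than by entry count is the part the awk
one-liner cannot give you; a scan shows up as one source with many
entries, a flood as one source with many packets.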

 

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


