[c-nsp] Netflow and Null0 configurations and performance on 7609

Kim Onnel karim.adel at gmail.com
Mon Apr 11 05:30:32 EDT 2005 

But now i dont even get numbers, i only get hyphens "- -"

80.29.66.1           196.204.231.75  tcp :18175  :1843     --         
     :0x0    260         156764        41    11:18:49   L3 - Dynamic

Any idea ?
Any known issues for the 7600 and NDE and Netflow ?


On Apr 11, 2005 11:14 AM, Ahmed Maged <ahmed_maged at rayatelecom.net> wrote:
>  
>  
> 
>   
> 
>   
> 
> -----Original Message-----
>  From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kim
> Onnel
>  Sent: Sunday, April 10, 2005 11:33 AM
>  To: cisco-nsp at puck.nether.net
>  Subject: [c-nsp] Netflow and Null0 configurations and performance on 7609 
> 
>   
> 
> Hello, 
> 
>   
> 
> On my 7609 with IOS V. 12.2(18)SXD, I have the following 
> 
> configurations for netflow 
> 
>   
> 
> 7600#sh run | in flow 
> 
> mls flow ip interface-full 
> 
> no mls flow ipv6 
> 
>  ip route-cache flow 
> 
>  ip route-cache flow 
> 
>  ip route-cache flow 
> 
>  ip route-cache flow 
> 
>  ip route-cache flow 
> 
> ip flow-export source Loopback0 
> 
> ip flow-export version 5 peer-as 
> 
> ip flow-export destination x.x.x.x 2055 
> 
>   
> 
> 7600#sh run | in mls 
> 
> mls aging fast time 5 threshold 32 
> 
> mls aging long 300 
> 
> mls aging normal 60 
> 
> mls flow ip interface-full 
> 
> no mls flow ipv6 
> 
> mls qos 
> 
> mls cef error action freeze 
> 
>   
> 
>   
> 
> Please correct me if i am wrong : 
> 
>   
> 
>   
> 
> sh ip cache flow: gives me the flows that matched an ACL an their port 
> 
> numbers and prot. in Hex like : 
> 
>   
> 
> Correct
>  
> 
>   
> 
> PO3/1/0       x.x.164.187   Null       x.X.x.x                06 1108 0087  
>   1 
> 
> PO4/0/0       x.x.189.191  Null        x.x.x.x                    06 0C09
> 0087     1 
> 
> Gi5/1            x.x.229.197 Null         192.168.34.97     06 27B2 01BD    
> 1 
> 
>   
> 
> But because I enabled 'mls flow ip interface-full',  I can see also 
> 
> the flows that didn't match an ACL like : 
> 
>   
> 
> Gi5/1             x.x.242.32                 3.70.46.112          udp      
> 
>       20102        6346      1 
> 
>  1019             x.x.243.1            x.1x9.210.126        tcp        
> 62351 
> 
>       4662      259 
> 
>  1019             x.x.127.191         1x.2x.252.208         tcp         4618
>     
> 
>       16881     5 
> 
>  1020             x.x.240.4          xx.1x.134.154         tcp         www 
> 
>      1354      7 
> 
>  Gi5/1            x.x.25.77         8x.x.115.231           tcp         1475 
> 
>       32656     7 
> 
>  1020             x.142.231.9               2x.2xx2.232.3         tcp     
> 
>       5100        1704      11 
> 
>   
> 
> As you can see on the left most column of the result of 'sh ip cache 
> 
> flow', the interface names are written in letters, 
> 
>   
> 
>   
> 
> but on the second results, the names are written in numbers (1020, 
> 
> 1019, 1016…) except for one of the Giga Ethernet interfaces(Gi5/1), it 
> 
> is still written in letters, 
> 
>   
> 
> My observation is that even if I disabled netflow (ip route-cache 
> 
> flow) from underneath all interfaces, except for one serial interface, 
> 
> I still get Gi5/1 in the results, and not the serial one that i want 
> 
> to look at, is there a known reason for that ? 
> 
>   
> 
> So, why am I getting numbers instead of names ? 
> 
>   
> 
> They are vlan numbers. The ifindexes are filled in based upon this value
> when the flow is exported to the collector. To see what vlan is assigned to
> an interface look at "sh vlan internal usage"
>  
> 
>   
> 
> My Netflow analysis tool doesnt report anything, even though i 
> 
> minimized its screaming thresholds, could this relate to its unability 
> 
> to read the interfaces numbers correctly, 
> 
>   
> 
> Also, What is the difference between the result of 'sh ip cache flow' 
> 
> and 'sh mls netflow ip' commands? 
> 
>   
> 
>   
> 
>   
> 
> On my hand is a case of an increase in the number of pps on one T3 
> 
> link from average 5-10 Kpps to 20 – 28 Kpps suddenly and it just kept 
> 
> on 27 Kpps, ranging from 26 to 28 Kpps 
> 
>   
> 
> I had to improvise so what I did was using the *nix command 'script 
> 
> /tmp/data' on a *nix box, logging to the switch, configured 'term 
> 
> length 0', and then scrolling 'sh ip cache flow' and then on the 
> 
> results file I did : 
> 
>   
> 
> awk '{print $2}' /tmp/data | sort | uniq –c | sort –rn | head 
> 
>   
> 
> And I get the IP addresses that reoccurred in the file, and i kept 
> 
> tracing them, putting ACLs,.. 
> 
>   
> 
> What i would like to know, is there any CLI commands that can identify 
> 
> top talkers, anything beside 'sh ip cahe flow | in K', because it 
> 
> never gave me any results, 
> 
>   
> 
>   
> 
> Are the configurations of Netflow above optimum ? Any other available 
> 
> useful features that is should turn on ? 
> 
>   
> 
> Another issue is that I have an mrtg graph for Null0, so I can monitor 
> 
> scans, but there seems to be no hits on the interface, which is 
> 
> impossible, I can see from my flows some packets going to dark address 
> 
> space which we have a static for Null0 to. 
> 
>   
> 
> 7600#sh run int Null0 
> 
>   
> 
> interface Null0 
> 
>  no ip unreachables 
> 
> end 
> 
>   
> 
> Is there any extra configurations needed, or is it an issue with my 
> 
> 7600 and IOS ? 
> 
>   
> 
> I would most definitely wish to see a document/post with most common 
> 
> netflow configurations, tricks and knobs known to man. 
> 
>   
> 
> _______________________________________________ 
> 
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> 
> https://puck.nether.net/mailman/listinfo/cisco-nsp 
> 
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list