[c-nsp] Netflow and Sup720 / 12.2(18)SXE

Gert Doering gert at greenie.muc.de
Thu Jul 28 12:24:42 EDT 2005 

Hi,

ok, here we go - we got our first Sup720 based box today, and I'm 
fighting with MLS netflow export on it.

As far as I can see right now, the Sup720 still has the habit of
exporting flow records for *all* interfaces on the box, not only for
interfaces that carry "ip flow ingress" or "ip route-cache flow".

(That is: I've done an FTP download server->sup720->client, server-facing
interface does NOT have "ip flow ingress", but still I see both sides
of the conversation in the exported v5 flow records).

I have configured:

Cisco-F-VI#sh run | inc mls
mls ip multicast flow-stat-timer 9
mls netflow usage notify 50 600 
mls flow ip full
no mls flow ipv6
mls nde sender version 5
mls nde interface

Cisco-F-VI#sh run | inc flow
ip flow-cache timeout active 10
mls netflow usage notify 50 600 
mls flow ip full
no mls flow ipv6
ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-export destination 193.149.44.233 50016


This could be filtered in the netflow processing software (even if that's
awkward), but to add insult to injury, the router doesn't want to fill 
in the "input" field properly:

Cisco-F-VI#sh mls netflow ip source 10.42.42.40
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f          :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
195.30.0.42     10.42.42.40     tcp :2963   :ftp      --               :0x0         
12           720           27    17:44:29   L3 - Dynamic
195.30.0.42     10.42.42.40     tcp :2971   :53295    --               :0x0         
46804        2433816       15    17:44:29   L3 - Dynamic

and this is how the flows looks like in "nfdump":

Record Netflow Version 5: 
  addr      =     195.30.0.42
  dstaddr   =     10.42.42.40
  nexthop   =     10.42.42.40
  input     =               0
  output    =              15
  dPkts     =          101829
  dOctets   =       152738828
  First     =      1122565457
  Last      =      1122565470
  port      =           53295
  dstport   =            2971
Record Netflow Version 5: 
  addr      =     10.42.42.40
  dstaddr   =     195.30.0.42
  nexthop   =  193.149.44.115
  input     =               0
  output    =               2
  dPkts     =           46804
  dOctets   =         2433816
  First     =      1122565457
  Last      =      1122565470
  port      =            2971
  dstport   =           53295

the ifindex "2" and "15" that are given as output interfaces are fine - 
but the "input = 0" value is no good.

It's not a "nfcapd/nfdump" issue - I've verified this with another tool
(for another download) and the effect is still the same:

195.30.0.42|10.42.42.40|0|15|10.42.42.40|101829|152738828|1551270|1563878|53296|2972|-1|0x00|6|0|0|0|26|24|-1
10.42.42.40|195.30.0.42|0|2|193.149.44.115|46791|2433140|1551270|1563878|2972|53296|-1|0x00|6|0|0|0|24|26|-1

"0|15" and "0|2" are ingress/egress interfaces, and "0" is definitely 
not correct.


So - what am I missing here?

I've tested this against s72033-ps-mz.122-18.SXD5.bin and 
s72033-advipservicesk9_wan-mz.122-18.SXE2.bin (no difference).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

More information about the cisco-nsp mailing list