[c-nsp] Netflow config on 6500 720-3B

Andrew Mabe amabe at mcnc.org
Wed Jun 6 11:48:02 EDT 2007


You need to turn on mls nde.

You are not getting anything that is routed in hardware until you
turn on MLS netflow.

Also, poll these, because it's possible to have too much traffic to
get accurate netflow in a 6500.

Active flows
.1.3.6.1.4.1.9.9.97.1.4.1.1.5

Flow Learn Failures
.1.3.6.1.4.1.9.9.97.1.4.1.1.6

Total Packets being L3 switched by box
.1.3.6.1.4.1.9.9.97.1.4.1.1.1



On Jun 6, 2007, at 10:24 AM, Jeff Fitzwater wrote:

>  New to list...
>
>    Could anyone on this list help with the correct config for NETFLOW
> EXPORT for version 9 on a CISCO 6500 with SUP-720-3B running 12.2.18-SXF.
>
>     We are trying to export the flows to a "QRadar" device but the data
> we are seeing does not come close to what we see with our MRTG data.  I
> understand that flows are not every packet but the flow data does
> contain the count and QRadar can show the flows in bits per second and
> packets per second.  It appears that only routed (RP) flows are pushed
> out, and according to the doc you don't need the MLS configs (SP/PFC)
> for version 9.  We also do not have bridged flows. All data is routed
> except for some monitoring ports.
>     I could use version 5 but 9 has TCP connection info.
>
>
>     I have already discussed this with CISCO, but they never give me the
> same answer twice.  The doc is extremely confusing when it comes to the
> 7203B running 12.2.18SXF version 5 or 9.
>
> Maybe it's working correctly and I just don't know it.
>    ----------------------------
>
> This is what I have set up....
>
>
> ip flow-cache timeout inactive 10
> ip flow-cache timeout active 5
>
> Not sure if the following is needed
> ip flow ingress layer2-switched vlan 268,524-525,3553,4000-4001
>
>
> On all vlan interfaces I have the following...
> ip route-cache flow
>
>
>
> ip flow-export source Loopback2
> ip flow-export version 9
> ip flow-export template options export-stats
> ip flow-export template options timeout-rate 1
> ip flow-export template timeout-rate 1
> ip flow-export destination "host IP" 2055
> ip flow-aggregation cache protocol-port
>  export version 9
>  export template timeout-rate 1
>  export destination "host IP" 2055
>  enabled
>
> ------------------------------------------
>
>
> Thanks for any help.
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
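
The polling suggested in the reply above, as an added example that is not part of the original thread: it parses two numeric-OID walks of the three columns and reports whether flow learn failures grew between polls, which would mean the exported NetFlow data undercounts traffic. Assumptions: net-snmp style `OID = TYPE: value` output, active flows read as a gauge and the other two as counters, and a constructed row index and constructed values.

```python
import re
# The three table columns named in the reply, by their last OID arc.
BASE = ".1.3.6.1.4.1.9.9.97.1.4.1.1"
COLUMNS = {"1": "l3_packets", "5": "active_flows", "6": "learn_failures"}
LINE = re.compile(r"^(\.[\d.]+) = (\w+): (\d+)$")
# Constructed samples: two numeric-OID walks taken 300 s apart, row index 1.
POLL_1 = """
.1.3.6.1.4.1.9.9.97.1.4.1.1.1.1 = Counter32: 4294960000
.1.3.6.1.4.1.9.9.97.1.4.1.1.5.1 = Gauge32: 118000
.1.3.6.1.4.1.9.9.97.1.4.1.1.6.1 = Counter32: 1500
"""
POLL_2 = """
.1.3.6.1.4.1.9.9.97.1.4.1.1.1.1 = Counter32: 2992704
.1.3.6.1.4.1.9.9.97.1.4.1.1.5.1 = Gauge32: 130900
.1.3.6.1.4.1.9.9.97.1.4.1.1.6.1 = Counter32: 4500
"""

def parse_walk(text):
    """Map (column name, row index) -> (SNMP type, value)."""
    rows = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1).startswith(BASE + "."):
            col, _, index = m.group(1)[len(BASE) + 1:].partition(".")
            if col in COLUMNS:
                rows[(COLUMNS[col], index)] = (m.group(2), int(m.group(3)))
    return rows

def delta(old, new, snmp_type):
    """Counter increase between polls, allowing for a single wrap."""
    if new >= old:
        return new - old
    return new - old + (2 ** 64 if snmp_type == "Counter64" else 2 ** 32)

def assess(before, after, seconds):
    """Per row: current flow count, rates, and whether learn failures grew."""
    report = {}
    for index in sorted({i for _, i in after}):
        rate = {}
        for name in ("learn_failures", "l3_packets"):
            snmp_type, new = after[(name, index)]
            rate[name] = delta(before[(name, index)][1], new, snmp_type) / seconds
        report[index] = {"active_flows": after[("active_flows", index)][1],
                         "learn_failures_per_s": rate["learn_failures"],
                         "l3_pps": rate["l3_packets"],
                         "undercounting": rate["learn_failures"] > 0}
    return report
if __name__ == "__main__":
    print(assess(parse_walk(POLL_1), parse_walk(POLL_2), 300))
```

The constructed first poll places the packet counter just below the 32-bit limit so that the wrap handling in `delta` is exercised.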


