[c-nsp] Netflow config on 6500 720-3B

Jeff Fitzwater jfitz at Princeton.EDU
Wed Jun 6 12:00:55 EDT 2007 

MLS has no commands to enable version 9.  CISCO states that you do not 
use MLS for version 9.  Does that mean I cannot get hardware switches 
flows for version 9?   Maybe I should use version 5 which is supported 
in MLS.

Jeff Fitzwater
OIT Network Systems
Princeton University


Andrew Mabe wrote:
> You need to turn on mls nde
>
> You are not getting anything that is routed in hardware until you turn 
> on MLS netflow.
>
> Also, poll these, because it's possible to have too much traffic to 
> get accurate netflow in a 6500.
>
> Active flows
> .1.3.6.1.4.1.9.9.97.1.4.1.1.5
>
> Flow Learn Failures
> .1.3.6.1.4.1.9.9.97.1.4.1.1.6
>
> Total Packets being L3 switched by box
> .1.3.6.1.4.1.9.9.97.1.4.1.1.1
>
>
>
> On Jun 6, 2007, at 10:24 AM, Jeff Fitzwater wrote:
>
>>  New to list...
>>
>>    Could anyone on this list help with the correct config for NETFLOW
>> EXPORT for version 9 on a CISCO 6500 with SUP-720-3B running 
>> 12.2.18-SXF.
>>
>>     We are trying to export the flows to a "QRadar" device but the date
>> we are seeing does not come close to what we see with our MRTG data.  I
>> understand that flows are not every packet but the flow data does
>> contain the count and QRadar can show the flows in bits per second and
>> packets per second.  It appears that only routed (RP) flows are pushed
>> out, and according to the doc you don't need the MLS configs (SP/PFC)
>> for version 9.  We also do not have bridged flows. All data is routed
>> except for some monitoring ports.
>>     I could use version 5 but 9 has TCP connection info.
>>
>>
>>     I have already discussed this with CISCO, but they never give me the
>> same answer twice.  The doc is extremely confusing when it comes to the
>> 7203B running 12.2.18SXF version 5 or 9.
>>
>> Maybe it's working correct and I just don't know it.
>>    ----------------------------
>>
>> This is what I have setup....
>>
>>
>> ip flow-cache timeout inactive 10
>> ip flow-cache timeout active 5
>>
>> Not sure about if the following is needed
>> ip flow ingress layer2-switched vlan 268,524-525,3553,4000-4001
>>
>>
>> On all vlan interfaces I have the following...
>> ip route-cache flow
>>
>>
>>
>> ip flow-export source Loopback2
>> ip flow-export version 9
>> ip flow-export template options export-stats
>> ip flow-export template options timeout-rate 1
>> ip flow-export template timeout-rate 1
>> ip flow-export destination "host IP" 2055
>> ip flow-aggregation cache protocol-port
>>  export version 9
>>  export template timeout-rate 1
>>  export destination "host IP" 2055
>>  enabled
>>
>> ------------------------------------------
>>
>>
>> Thanks for any help.
>>
>>
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list