[c-nsp] Netflow config on 6500 720-3B

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 6 12:42:13 EDT 2007 

On Wed, 2007-06-06 at 10:24 -0400, Jeff Fitzwater wrote:
> New to list...
> 
>    Could anyone on this list help with the correct config for NETFLOW 
> EXPORT for version 9 on a CISCO 6500 with SUP-720-3B running 12.2.18-SXF.  
> 
>     We are trying to export the flows to a "QRadar" device but the date 
> we are seeing does not come close to what we see with our MRTG data.  I 
> understand that flows are not every packet but the flow data does 
> contain the count and QRadar can show the flows in bits per second and 
> packets per second.  It appears that only routed (RP) flows are pushed 
> out, and according to the doc you don't need the MLS configs (SP/PFC) 

You need:

mls nde sender


> for version 9.  We also do not have bridged flows. All data is routed 
> except for some monitoring ports.
>     I could use version 5 but 9 has TCP connection info.
> 
> 
>     I have already discussed this with CISCO, but they never give me the 
> same answer twice.  The doc is extremely confusing when it comes to the 
> 7203B running 12.2.18SXF version 5 or 9.
> 
> Maybe it's working correct and I just don't know it.
>    ----------------------------
> 
> This is what I have setup....
> 
> 
> ip flow-cache timeout inactive 10
> ip flow-cache timeout active 5
> 
> Not sure about if the following is needed
> ip flow ingress layer2-switched vlan 268,524-525,3553,4000-4001
> 
> 
> On all vlan interfaces I have the following...
> ip route-cache flow

You don't need that. You need:

ip flow ingress

...on each VLAN interface.

> 
> 
> 
> ip flow-export source Loopback2
> ip flow-export version 9
> ip flow-export template options export-stats
> ip flow-export template options timeout-rate 1
> ip flow-export template timeout-rate 1
> ip flow-export destination "host IP" 2055
> ip flow-aggregation cache protocol-port
>  export version 9
>  export template timeout-rate 1
>  export destination "host IP" 2055
>  enabled  
> 
> ------------------------------------------
> 
> 
> Thanks for any help.
> 
> 
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list