[c-nsp] Netflow config on 6500 720-3B
Ian Cox
icox at cisco.com
Thu Jun 7 13:26:41 EDT 2007
At 12:00 PM 6/6/2007 -0400, Jeff Fitzwater wrote:
>MLS has no commands to enable version 9. CISCO states that you do not
>use MLS for version 9. Does that mean I cannot get hardware switches
>flows for version 9? Maybe I should use version 5 which is supported
>in MLS.
Enable version 5 for mls nde, then it will export the hardware flows
in version in v9 format. For v9 with SXF, the template that will get
used to export the hardware switched traffic will be based upon the
flow mls flow mask set.
bourke#sh mls nde
Netflow Data Export is Disabled
Netflow Aggregation Disabled
bourke(config)#mls nde sender version 5
bourke(config)#end
bourke#sh mls nde
Netflow Data Export enabled
Exporting flows to 10.1.1.253 (9999)
Exporting flows from 10.1.1.86 (57675)
Version: 9
Include Filter not configured
Exclude Filter not configured
Total Netflow Data Export Packets are:
0 packets, 0 no packets, 0 records
Total Netflow Data Export Send Errors:
IPWRITE_NO_FIB = 0
IPWRITE_ADJ_FAILED = 0
IPWRITE_PROCESS = 0
IPWRITE_ENQUEUE_FAILED = 0
IPWRITE_IPC_FAILED = 0
IPWRITE_OUTPUT_FAILED = 0
IPWRITE_MTU_FAILED = 0
IPWRITE_ENCAPFIX_FAILED = 0
Netflow Aggregation Disabled
bourke#
Ian
>Jeff Fitzwater
>OIT Network Systems
>Princeton University
>
>
>Andrew Mabe wrote:
> > You need to turn on mls nde
> >
> > You are not getting anything that is routed in hardware until you turn
> > on MLS netflow.
> >
> > Also, poll these, because it's possible to have too much traffic to
> > get accurate netflow in a 6500.
> >
> > Active flows
> > .1.3.6.1.4.1.9.9.97.1.4.1.1.5
> >
> > Flow Learn Failures
> > .1.3.6.1.4.1.9.9.97.1.4.1.1.6
> >
> > Total Packets being L3 switched by box
> > .1.3.6.1.4.1.9.9.97.1.4.1.1.1
> >
> >
> >
> > On Jun 6, 2007, at 10:24 AM, Jeff Fitzwater wrote:
> >
> >> New to list...
> >>
> >> Could anyone on this list help with the correct config for NETFLOW
> >> EXPORT for version 9 on a CISCO 6500 with SUP-720-3B running
> >> 12.2.18-SXF.
> >>
> >> We are trying to export the flows to a "QRadar" device but the date
> >> we are seeing does not come close to what we see with our MRTG data. I
> >> understand that flows are not every packet but the flow data does
> >> contain the count and QRadar can show the flows in bits per second and
> >> packets per second. It appears that only routed (RP) flows are pushed
> >> out, and according to the doc you don't need the MLS configs (SP/PFC)
> >> for version 9. We also do not have bridged flows. All data is routed
> >> except for some monitoring ports.
> >> I could use version 5 but 9 has TCP connection info.
> >>
> >>
> >> I have already discussed this with CISCO, but they never give me the
> >> same answer twice. The doc is extremely confusing when it comes to the
> >> 7203B running 12.2.18SXF version 5 or 9.
> >>
> >> Maybe it's working correct and I just don't know it.
> >> ----------------------------
> >>
> >> This is what I have setup....
> >>
> >>
> >> ip flow-cache timeout inactive 10
> >> ip flow-cache timeout active 5
> >>
> >> Not sure about if the following is needed
> >> ip flow ingress layer2-switched vlan 268,524-525,3553,4000-4001
> >>
> >>
> >> On all vlan interfaces I have the following...
> >> ip route-cache flow
> >>
> >>
> >>
> >> ip flow-export source Loopback2
> >> ip flow-export version 9
> >> ip flow-export template options export-stats
> >> ip flow-export template options timeout-rate 1
> >> ip flow-export template timeout-rate 1
> >> ip flow-export destination "host IP" 2055
> >> ip flow-aggregation cache protocol-port
> >> export version 9
> >> export template timeout-rate 1
> >> export destination "host IP" 2055
> >> enabled
> >>
> >> ------------------------------------------
> >>
> >>
> >> Thanks for any help.
> >>
> >>
> >> Jeff Fitzwater
> >> OIT Network Systems
> >> Princeton University
> >>
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list