[c-nsp] 6500 not exporting layer 2 netflow data

Jeff Fitzwater jfitz at Princeton.EDU
Tue Apr 29 13:33:19 EDT 2008


Welcome to the NDE mystery club.

NDE is very IOS version dependent, so make sure you read the specific  
doc very carefully.

I believe you need to tell the L2 interface that you are running
"vlan-based" NDE since you have the L3 vlan configured with the
"ip-route-cache-flow".
I might note that in later versions of the IOS "ip-route-cache-flow"  
has been replaced by "ip-flow-ingress" and in some versions in the  
middle they support both.

Also since you have multiple L2 interfaces for a single L3 vlan, you
need the global "ip flow layer2-switched vlan ###" command.

You will probably want to reduce the netflow cache timers to get the  
flows exported without missing any.

Hope some of this helps but I might have missed something for your IOS.

Jeff Fitzwater
OIT Network Systems
Princeton University

On Apr 29, 2008, at 12:37 PM, Andy Ellsworth wrote:

> Tassos Chatzithomaoglou wrote:
>> If I understand correctly, you're doing netflow for bridged IP
>> traffic.
> Correct.
>> If yes, do you have a corresponding VLAN interface with an IP
>> address as the one you're gathering netflow data from?
> I did come across that requirement (and it gave me quite a headache
> until I found it outlined in the docs), but yes - I do have an SVI
> configured, with an IP address, in the VLAN(s) I'm interested in. If I
> didn't have that configured, I don't believe I'd see any corresponding
> layer 2 flows in my "show mls netflow ip" output.
>> Maybe posting your mls/flow config would help a little more.
> Here's the relevant snippets. For the purposes of this discussion, I'm
> mostly interested in traffic on VLAN 201:
>
> mls aging long 300
> mls aging normal 60
> mls flow ip full
> no mls flow ipv6
> mls nde sender
> ip flow ingress layer2-switched vlan 1,18,201,253-254
> ip flow-export source Vlan253
> ip flow-export version 5
> ip flow-export destination 10.100.253.210 30002
> interface Vlan201
> ip address 10.100.201.249 255.255.255.0
> ip route-cache flow
> end
>
> Note that the "ip flow export layer2-switched vlan" command does not
> show up in a "show run" output, since export is implicitly enabled
> along with the "ip flow ingress" command.
>
> -Andy

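The prerequisites raised in this thread can be checked offline against a saved configuration. The script below is an added example, not code from any of the posters or from Cisco: it only tests the points named above (an SVI with an IP address and flow collection for every VLAN in the layer2-switched list, plus "mls nde sender" and an export destination). The function names and the indented sample config are constructed for illustration, and the required commands remain IOS version dependent.

```python
import re

# Constructed sample, modelled on the snippet quoted in the thread.
SAMPLE = """\
mls nde sender
ip flow ingress layer2-switched vlan 1,18,201,253-254
ip flow-export source Vlan253
ip flow-export version 5
ip flow-export destination 10.100.253.210 30002
interface Vlan201
 ip address 10.100.201.249 255.255.255.0
 ip route-cache flow
"""

def expand_vlans(spec):
    """Expand a list such as '1,18,253-254' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return a list of findings; an empty list means the checks passed."""
    findings, l2_vlans, svis, current = [], set(), {}, None
    for line in config.splitlines():
        text = line.strip()
        m = re.match(r"interface Vlan(\d+)$", text, re.I)
        if m:                                    # start of an SVI block
            current = svis.setdefault(int(m.group(1)), set())
        elif line[:1].isspace() and current is not None:
            if re.match(r"ip address \S+ \S+", text):
                current.add("ip")
            if text in ("ip route-cache flow", "ip flow ingress"):
                current.add("flow")              # older and newer syntax
        else:                                    # any other global line
            current = None
            m = re.match(r"ip flow ingress layer2-switched vlan (\S+)", text)
            if m:
                l2_vlans |= expand_vlans(m.group(1))
    for needed in ("mls nde sender", "ip flow-export destination "):
        if not any(l.strip().startswith(needed) for l in config.splitlines()):
            findings.append(f"missing global: {needed.strip()}")
    for vlan in sorted(l2_vlans):
        missing = {"ip", "flow"} - svis.get(vlan, set())
        if missing:
            findings.append(f"vlan {vlan}: SVI lacks {', '.join(sorted(missing))}")
    return findings
```

On the constructed sample, VLAN 201 passes and the other listed VLANs are flagged only because their SVIs are not part of the sample.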