[c-nsp] 6500 not exporting layer 2 netflow data

Andy Ellsworth andy at dar.net
Wed Apr 30 12:48:33 EDT 2008 

Tassos Chatzithomaoglou wrote:
> Andy, i recreated your scenario (on a 6509/SUP720-3BXL with SXF8) and 
> i had the same problem with you. Although L2 netflow entries were 
> created fine (~7 Gbps of traffic!), they weren't exported. Only 2 ping 
> flows (locally to the SVI ip address) were exported.
Very nice! Thanks for the troubleshooting.
> I found out that the number of packets and bytes for all flows was 
> always zero and the AdjPtr was always 0x0.
> I don't know if that's normal behavior for L2 traffic or a bug.
I'm guessing the 0 byte flows are a bug that they must have fixed in 
between SXF8 and SXF10, as I don't see that behavior in SXF10 (src/dst 
IP columns omitted):

Prot:SrcPort:DstPort  Src i/f          :AdjPtr      Pkts         
Bytes         Age    LastSeen   Attributes
----------------------------------------------------------------------------------------------------------
udp :3332   :2300     --               :0x0         10516        
630960        218   11:32:02   L2 - Dynamic
tcp :3642   :443      --               :0x0         2077         
144308        202   11:32:07   L2 - Dynamic
udp :2724   :3508     --               :0x0         4477         
268620        90    11:32:10   L2 - Dynamic
tcp :3260   :29781    --               :0x0         2102         
146792        154   11:32:09   L2 - Dynamic
tcp :443    :2379     --               :0x0         241          
16147         66    11:32:09   L2 - Dynamic
tcp :443    :1802     --               :0x0         5            
3772          10    11:32:03   L2 - Dynamic
tcp :8080   :2268     --               :0x0         116          
63579         62    11:31:08   L2 - Dynamic
tcp :1033   :1494     --               :0x0         423          
26667         82    11:32:10   L2 - Dynamic
tcp :1041   :1494     --               :0x0         1022         
66913         154   11:32:09   L2 - Dynamic

Out of curiosity, what is the significance of the AdjPtr value? I've 
never seen a non-zero value in either bridged or routed flows on either 
of my 6500s.
> Then i also found CSCsg47044 (fixed in 12.2(18)SXF9) :
If you believe the bug notes, in theory that should have been fixed by 
SXF10...regardless, in my case, all of the netflow config was done a 
very long time after the SVIs were built and IPs assigned. On a whim, 
though, I removed and reapplied the config in the order they specified 
for one of my VLANs of interest, and I didn't have any luck either.
> I also found out that the wrong failed counter (ICAM instead of TCAM) 
> was increasing:
They must have fixed that by SXF10, too, as my output is a bit different:

Netflow Resources
          TCAM utilization:       Module       Created      Failed       
%Used
                                  5               3947           
0          1%
                                  6               4027           
0          1%
          ICAM utilization:       Module       Created      Failed       
%Used
                                  5                  0           
0          0%
                                  6                  0           
0          0%

> I guess SXF is too buggy on netflow.... I haven't tried SXF13 or SXH 
> though.
Someone dropped me a note off-list saying that export of bridged flows 
worked fine when they had a Sup2 in hybrid mode, but when moving to a 
Sup720 in native mode, only routed flows were exported.

Now I'm wondering if *anyone* has successfully seen bridged flows 
exported from a Sup720, on any IOS version. This seems like the sort of 
problem that could fly under the radar, as I suspect the majority of 
folks with Sup720s are more interested in routed flows than bridged flows.

-Andy

More information about the cisco-nsp mailing list