[c-nsp] Netflow Export Problem
Julio Arruda
jarruda-cnsp at jarruda.com
Sat Feb 2 14:54:24 EST 2008
Gert Doering wrote:
> Hi,
>
> On Fri, Feb 01, 2008 at 10:25:48AM +0200, mihai at duras.ro wrote:
>> ip flow ingress on 2 interfaces (and ip route-cache flow)
>>
>> The problem is that the flows that I receive only contain local traffic
>> (traffic between various IP addresses on the C7600 and remote IPs, no
>> transit traffic).
>
> Flows on the 7600 can come from two different sources - CPU and Hardware/MLS.
>
> CPU switched packets will cause, well "CPU flows", and those respect the
> settings of "ip flow ingress" on the interfaces.
>
> Hardware/MLS switched packets will cause flow records on *all* interfaces,
> and so you see traffic for most of the data flowing through your 7600.
>
> As a workaround, you need to filter by ifindex on the netflow collector.
>
> (To be precise: the above is true up to 12.2(18)SXF. As far as I understand,
> in 12.2(33)SXH and in SR<something>, the MLS flow entries will actually be
> filtered according to the "ip flow ingress" settings on the interfaces, and
> thus you won't see unexpected flows. I have not yet tried either version,
> but have read it in the release notes...).

Really, it seems like he is only seeing MSFC flows (the CPU
switched/consumed/generated ones).
I remember seeing something about netflow where the outbound interface
of the netflow being in a VRF would not work. Have you tried to
'source' the netflow from a global routing table interface using routes
FROM the global routing table?
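
The collector-side ifindex filter suggested in the quoted reply, as an added example that is not part of the original thread. It assumes NetFlow v5 export (the thread does not name a version); the ifIndex values and the sample datagram are constructed.

```python
import socket
import struct

# NetFlow v5 layout (assumed export version; the thread does not name one).
HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte export header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")   # 48-byte flow record


def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield {
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "input_if": f[3], "output_if": f[4],
            "packets": f[5], "octets": f[6], "proto": f[12],
        }


def filter_by_ifindex(datagram, wanted_ifindexes):
    """Keep only flows that entered on an interface we meant to monitor."""
    return [r for r in parse_v5(datagram) if r["input_if"] in wanted_ifindexes]


def sample_datagram():
    """Constructed sample: three flows arriving on ifIndex 3, 7 and 12."""
    flows = [("192.0.2.10", "198.51.100.5", 3, 1200),
             ("192.0.2.20", "198.51.100.6", 7, 800),
             ("203.0.113.9", "192.0.2.30", 12, 64)]
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4),
                    ifin, 1, 10, octets, 0, 0, 1024, 80, 0x18, 6, 0, 0, 0, 24, 24)
        for s, d, ifin, octets in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body


if __name__ == "__main__":
    # ifIndex 3 and 7 stand in for the two "ip flow ingress" interfaces.
    for rec in filter_by_ifindex(sample_datagram(), {3, 7}):
        print(rec)
```

The ifIndex numbers to allow are the SNMP ifIndex values of the interfaces that carry "ip flow ingress"; records from any other input interface are dropped before storage or alerting.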