[c-nsp] Incorrect netflow data from 7600/6500?

[Hughes, Scott GRE/MG]

I had this problem as well, and was able to solve it with the following config:

mls flow ip interface-full


________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of ML [ml at kenweb.org]
Sent: Thursday, June 18, 2009 7:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Incorrect netflow data from 7600/6500?

I'm trying to export flows from a 6509 to nfcapd/nfdump.

When I sort by protocol and bytes I see a "protocol 0" as the majority
of the traffic.

Top 20    Protocol ordered by bytes:

Proto   Protocol   Flows  Packets    Bytes
0       0          7.8 M  296.8 M  229.1 G
TCP     6          2.8 M   82.0 M   35.3 G
UDP     17         3.7 M   21.7 M    4.3 G

<truncated for brevity>

I've seen this result from multiple other Netflow tools: ntop, Orion
NetFlow and now nfdump.  The only common element is my hardware.
I've exported flows from a 7606-SUP32 and a 6509SUP720-3B both running
12.2(18)SXF4.  Both emit the mysterious protocol 0 flows.

I think I can make the assumption there isn't a protocol in use that
trumps both UDP and TCP traffic combined.  Have I run into an IOS bug or
did I misconfigure?

Configuarion:
-----------------------------------
mls aging fast time 1 threshold 1
mls aging long 64
mls aging normal 32
mls flow ip interface-destination-source
no mls flow ipv6
mls nde sender version 5
no mls acl tcam share-global
mls nde sender version 5

ip flow-cache timeout inactive 10
ip flow-cache timeout active 1

"Config for interfaces of interest"
  ip flow ingress
  ip route-cache flow

ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination x.x.x.x
------------------------------------

Any help is appreciated.






_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/