Netflow on 6500 switch

Answered Question
Feb 27th, 2007

Hi,

I am playing with something I don't really understand, so feel free to call me a muppet.

I am trying to set up netflow on 6500's and applied the following config

set mls flow destination-source
set mls bridged-flow-statistics enable 1,3,10-19,31-36,40,50,54,80-81,96-98,101-104,110-113,120,136,139,142,144,149-159,201-211,401-402,700,800,810-814,850,900-952,999
set mls nde <ip_address> 9991
set mls agingtime long-duration 1920
set mls agingtime 256
set mls agingtime ipx 256
set mls nde enable

When I did this I got traffic on my Netflow collector (Crannog Netflow Tracker), but this didn't include layer 4 port information.

After a bit of reading I changed the flow mask to full-flow with

"set mls flow full"

When I did this the netflow collector showed one export of traffic including layer 4 ports, then the export from the 6500 dropped from 600Mbs ish to 40Kbs.

I then put the flow back to dest-source and the same thing happened.

Now according to netflow I only have kbs of traffic going through my 6500 which is clearly wrong.

How do I get layer 4 info out of the 6500??

e-dennington Tue, 02/27/2007 - 06:53

You need to place the command "ip route-cache flow" on the L3 interfaces you want netflow statistics collected from.

Jan Nejman Tue, 02/27/2007 - 07:45

Try 'show mls nde' and 'show mls debug'

commands to see how many netflow packets are exported. It is also recommended to set netflow export on the MSFC card (http://netflow.caligare.com/configuration_ios.htm) to export the first packet of the flow. Ensure that you have synchronized time between the collector and your device (the best choice is to configure NTP). If you enable export from bridged VLANs, many netflow exports will be sent to the collector. Check on your server that all packets are received (and not dropped due to an overloaded server). In your case it can be over 1000 netflow packets/s!

Have a nice day,

Jan Nejman

Caligare Co.

http://www.caligare.com
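The collector-side check Jan describes (are all exported packets actually arriving?) and the original poster's symptom (exports without layer 4 ports) can both be verified on the collector by decoding the export datagrams. The following is an added example, not code from this thread or from Caligare; it assumes the 6500 exports NetFlow version 5 (the thread does not state the export version), builds a few constructed datagrams inline, and then (a) counts TCP/UDP flows exported with zero ports, which is what a destination or destination-source flow mask produces, and (b) uses the v5 flow_sequence field to count flows lost between consecutive datagrams, which is how a collector notices drops under load.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int


def parse_v5_packet(data: bytes) -> Tuple[int, List[FlowRecord]]:
    """Decode one NetFlow v5 datagram; returns (flow_sequence, records)."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampl = \
        V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nh, _in, _out, pkts, octets, _first, _last, sport, dport,
         _pad1, _flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(data, off)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  sport, dport, proto, pkts, octets))
    return seq, records


def l4_ports_missing(records: List[FlowRecord]) -> int:
    """Count TCP/UDP flows exported with both ports zero (no L4 info in the flow mask)."""
    return sum(1 for r in records
               if r.proto in (6, 17) and r.src_port == 0 and r.dst_port == 0)


class SequenceTracker:
    """Track v5 flow_sequence across datagrams to detect flows the collector never saw."""

    def __init__(self) -> None:
        self.next_expected: Optional[int] = None
        self.lost_flows = 0

    def observe(self, seq: int, count: int) -> None:
        if self.next_expected is not None and seq != self.next_expected:
            self.lost_flows += (seq - self.next_expected) % (1 << 32)
        self.next_expected = (seq + count) % (1 << 32)


def build_v5_packet(seq: int, flows) -> bytes:
    """Constructed test datagram; flows = [(src, dst, sport, dport, proto, pkts, octets), ...]."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                       1, 2, p, o, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, p, o in flows)
    return header + body


# Constructed sample exports (addresses and counters are made up):
# first datagram as a destination-source mask would produce (ports zero),
# second as a full flow mask produces (ports present), third with a sequence gap.
SAMPLE_PACKETS = [
    build_v5_packet(0, [("10.0.0.1", "10.0.0.2", 0, 0, 6, 10, 1000),
                        ("10.0.0.3", "10.0.0.4", 0, 0, 17, 5, 500)]),
    build_v5_packet(2, [("10.0.0.1", "10.0.0.2", 51000, 443, 6, 10, 1000)]),
    build_v5_packet(10, [("10.0.0.5", "10.0.0.6", 40000, 53, 17, 1, 80)]),
]


def analyse_exports(packets: List[bytes]) -> dict:
    """Summarise a batch of datagrams: flows seen, flows without L4 ports, flows lost."""
    tracker = SequenceTracker()
    seen = missing = 0
    for data in packets:
        seq, recs = parse_v5_packet(data)
        tracker.observe(seq, len(recs))
        seen += len(recs)
        missing += l4_ports_missing(recs)
    return {"flows_seen": seen, "flows_without_l4": missing,
            "flows_lost": tracker.lost_flows}


if __name__ == "__main__":
    print(analyse_exports(SAMPLE_PACKETS))
```

A high `flows_without_l4` count with TCP/UDP traffic present points at the flow mask on the exporter rather than at the collector; a growing `flows_lost` count while the switch reports exports in `show mls nde` points at drops between switch and collector, which is the overloaded-server case Jan mentions.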

chrisayres Tue, 02/27/2007 - 07:55

I have figured out that my problem is to do with the aging time of the flows, specifically the long agingtime. If I reduce this from 1920 secs then the flows get sent to the netflow collector more regularly.

What is the optimum setting for this ??

Correct Answer
Jan Nejman Tue, 02/27/2007 - 08:04

Hello,

Optimal values depend on your policy. If you want to see data more quickly (not with a 1/2 hour delay) I prefer long aging 300 sec and normal aging 120 sec. But if you decrease these values, more load will be on the collector. So be careful when you modify these values :-). For billing applications, long aging 1920 is OK in many cases. But for real-time network anomaly detection it is too late.

Regards,

Jan Nejman

Caligare Co.

http://www.caligare.com
