I am playing with something I don't really understand, so feel free to call me a muppet.
I am trying to set up netflow on 6500's and applied the following config
set mls flow destination-source
set mls bridged-flow-statistics enable 1,3,10-19,31-36,40,50,54,80-81,96-98,101-104,110-113,120,136,
set mls nde <ip_address> 9991
set mls agingtime long-duration 1920
set mls agingtime 256
set mls agingtime ipx 256
set mls nde enable
When I did this I got traffic on my Netflow collector ( Crannog Netflow Tracker), but this didn't include layer 4 port information.
After a bit of reading I changed the flow mask to full-flow with
"set mls flow full"
When I did this the neflow collector showed one export of traffic including layer 4 ports then the export from the 6500 dropped from 600Mbs ish to 40Kbs
I then put the flow back to dest-source and the same thing happened.
Now according to netflow I only have kbs of traffic going through my 6500 which is clearly wrong.
How doo I get layer 4 info out of the 6500??
optimal values depends on your politic. If you want to see data more quickly (not with 1/2 hour delay) I preffer long aging 300 sec and normal aging 120 sec. But if you decrease these values more load will be on a collector. So be carefull when you modify these value :-). For billing application is long aging 1920 OK in many cases. But for real-time network anomalies detection it is too late.