Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
532
Views
0
Helpful
4
Replies

Netflow on 6500 switch

Go to solution
chrisayres
Level 1
Level 1

‎02-27-2007 03:03 AM - edited ‎03-05-2019 02:35 PM

Hi,

I am playing with something I don't really understand, so feel free to call me a muppet.

I am trying to set up netflow on 6500's and applied the following config

set mls flow destination-source

set mls bridged-flow-statistics enable 1,3,10-19,31-36,40,50,54,80-81,96-98,101-104,110-113,120,136,

139,142,144,149-159,201-211,401-402,700,800,810-814,850,900-952,999

set mls nde <ip_address> 9991

set mls agingtime long-duration 1920

set mls agingtime 256

set mls agingtime ipx 256

set mls nde enable

When I did this I got traffic on my Netflow collector ( Crannog Netflow Tracker), but this didn't include layer 4 port information.

After a bit of reading I changed the flow mask to full-flow with

"set mls flow full"

When I did this the neflow collector showed one export of traffic including layer 4 ports then the export from the 6500 dropped from 600Mbs ish to 40Kbs

I then put the flow back to dest-source and the same thing happened.

Now according to netflow I only have kbs of traffic going through my 6500 which is clearly wrong.

How doo I get layer 4 info out of the 6500??

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jan Nejman
Level 3
Level 3
In response to chrisayres

‎02-27-2007 08:04 AM

Hello,

optimal values depends on your politic. If you want to see data more quickly (not with 1/2 hour delay) I preffer long aging 300 sec and normal aging 120 sec. But if you decrease these values more load will be on a collector. So be carefull when you modify these value :-). For billing application is long aging 1920 OK in many cases. But for real-time network anomalies detection it is too late.

Regards,

Jan Nejman

Caligare Co.

http://www.caligare.com

View solution in original post

0 Helpful
4 Replies 4

Go to solution
e-dennington
Level 1
Level 1

‎02-27-2007 06:53 AM

You need to place the commnad "ip route-cache flow" on the L3 interfaces you want netflow statistics collected from.

0 Helpful

Go to solution
Jan Nejman
Level 3
Level 3

‎02-27-2007 07:45 AM

Try 'show mls nde' and 'show mls debug'

commands to see how many netflow packets are exported. It is recommended also set netflow export on MSFC card (http://netflow.caligare.com/configuration_ios.htm) to export the first packet of the flow. Ensure that you have synchronized time between collector and your device (best choice is configure NTP). If you enable export from bridged vlans the many netflow exports will be sent to the collector. Check on your server that all packets are received (and not dropped due to overloaded server). In your case it can be over 1000 netflow packets/s!

Have a nice day,

Jan Nejman

Caligare Co.

http://www.caligare.com

0 Helpful

Go to solution
chrisayres
Level 1
Level 1
In response to Jan Nejman

‎02-27-2007 07:55 AM

I have figured out that my problem is to do with the aging time of the flows, specifically the long agingtime. If I reduce this from 1920 secs that the flows get sent to the netflow collector more reqularly.

What is the optimum setting for this ??

0 Helpful

Go to solution
Jan Nejman
Level 3
Level 3
In response to chrisayres

‎02-27-2007 08:04 AM

Hello,

optimal values depends on your politic. If you want to see data more quickly (not with 1/2 hour delay) I preffer long aging 300 sec and normal aging 120 sec. But if you decrease these values more load will be on a collector. So be carefull when you modify these value :-). For billing application is long aging 1920 OK in many cases. But for real-time network anomalies detection it is too late.

Regards,

Jan Nejman

Caligare Co.

http://www.caligare.com

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card