NetFlow Cat 6506-E

kurenyshev · ‎03-22-2007

I read lots of articles and manuals, but I can't make netflow work correctly.

I read conversation about NetFlow http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddd9eb4

and I asked some things but I didn't received questions, because I created this Conversation.

I confused.

I have got a Cat 6506-E SUP 32.

It contains a lot of Vlan interfaces on Layer 3. Every vlan interface has got an ip address.

Netflow collector - NFA 5.5, which works correctly with routers 28,38 series.

I need in information L3 traffic.

Netflow configuration:

ip flow-cache timeout active 1

mls ip multicast flow-stat-timer 9

mls aging long 300

mls aging normal 120

mls flow ip interface-destination-source

no mls flow ipv6

mls nde sender

mls sampling time-based 64

no mls acl tcam share-global

mls cef error action freeze

...

ip flow-export source Vlan10 (vlan 10 - core vlan of my network, it contains servers and network devices)

ip flow-export version 9

ip flow-export destination x.x.x.x 9996

and every Vlan interface has following lines:

ip flow ingress

mls netflow sampling

And when I try to enter

#mls flow ip full

or

#mls flow ip interface-full

I receive:

% Unable to configure flow mask for ip protocol: interface-full. Reset to the default flow mask type: none

kurenyshev · ‎03-25-2007

I don't believe that nobody knows the answer.

Please, help me, save my soul !

response3 · ‎04-02-2007

Call TAC.

kurenyshev · ‎04-02-2007

I'm sorry, I'm new to Cisco.

What is it TAC ?

peter.nowack · ‎04-03-2007

It is Cisco technical support center... My recommendation is contact Crannog and require what is wrong on your configuration. I'm curious what they answer ;o) We are using similar cisco configuration, but we haven't any problem with it. (Only one problem: on the Sup720 are not exported TCP flags in the netflow ;o( ), but we are using another analyzing software...

avmabe · ‎04-03-2007

Ok... Here are some things I notice...

Change this:

mls flow ip interface-destination-source

to this:

mls flow ip interface-full

Also, get rid of the mls sampling... it only samples out of the table and not the actual traffic going into the table.

Also... you have a sup 32 and not a sup720? If so, that is going to be something that may be a problem for you getting accurate traffic from netflow.

Try all that and see what you get.

kurenyshev · ‎04-03-2007

My Cat doesn't accept following:

mls flow ip interface-full

It replies^

% Unable to configure flow mask for ip protocol: full. Reset to the default flow mask type: none

But I remember that once time I managed to enter this string.

Yeah. I have Sup 32. My current config I got from colleage, who uses Sup 720.

Sapmling means that One of set packets will be switch to NetFlow collector?

Jan Nejman · ‎04-03-2007

You will not be able to change the flowmask after you configure NAT. You might be hitting the bug CSCsb41562.

PS.: I don't think that netflow statement is required on all interfaces. It is required on L3 interfaces. You can use 'show ip interface brief' to see all interfaces with assigned IP address. Put netflow statement on these interfaces only. I agree that mls sampling may cause some problems with your collector...

Bye

Jan

kurenyshev · ‎04-04-2007

I have netflow statement only on all VLAN interfaces L3. I'll try to remove "mls sampling" from some interfaces and compare results with current ones.

kurenyshev · ‎04-05-2007

I found out that I already have got a patched IOS. It's version is Version 12.2(18)SXF6, RELEASE SOFTWARE (fc1). But the bug presents.

I remove all nat from configuartion and I managed to enter:

mls ip flow interface-full