We have recently got Netflow Tracker. One problem that we are having is that FE ports on our 6500 are regularly showing inbound utilisations above 100 (sometimes 300 - 400%).
Crannog / Fluke (Netflow Tracker) have had a look and say the problem is because our cats are sending flows of more than 100%.
Below is the netflow config from one of our 6500s (switch and MSFC). Can anyone see a problem with this?
(enable) sho conf | i mls
set mls flow full
set mls bridged-flow-statistics enable 1,3,10-19,31-36,40,50,54,80-81,96-98,101-104,110-113,120,136,
set mls nde x.x.x.x 9991
set mls agingtime long-duration 64
set mls agingtime 32
set mls agingtime ipx 32
set mls nde enable
(enable) sess 15
Connected to Router-15.
#sho run | i flow
ip flow-cache timeout inactive 10
ip flow-cache timeout active 1
ip route-cache flow (on all VLAN ints)
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination x.x.x.x 9991
I would trust what you have now... Try to match it up to interface traffic if possible. Ignore the vlans when you talk of MLS... from the switching perspective, all the traffic that is routed by the FIB TCAM is captured and there is no need to even concern yourself with "vlans".
Keep in mind there are two types of netflow on a 6500 and a 7600... The "switch" netflow traffic and the "router" traffic. The vast majority of traffic is going to be "switched" even if you think it would be routed b/c the routing paths are in hardware. How many IPv4 routes you can handle depends on your SUP version.
If traffic is coming into the switch, no matter what vlan it enters or exits, you are seeing that traffic from mls nde. I suspect before you were counting flows on the hardware level multiple times.
I can talk more about this if you would like, but I think you are good now.
If any of this information helps, feel free to rate my posts ;)