Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1139
Views
0
Helpful
4
Replies

Netflow Problem Utils above 100% 6500's

Go to solution
chrisayres
Level 1
Level 1

‎03-29-2007 09:01 AM

Hi,

We have recently got Netflow Tracker, one problem that we have having is FE ports on our 6500 are regularly showing inbound utilisations above 100 (sometimes 300 - 400%)

Crannog / Fluke (Netflow Tracker) have had a look and say the problem is because our cats are send flows of more than 100%.

Below is the netflow config from one of our 6500 (switch and MSFC) can anyone see a problem with this

(enable) sho conf | i mls

#mls

set mls flow full

set mls bridged-flow-statistics enable 1,3,10-19,31-36,40,50,54,80-81,96-98,101-104,110-113,120,136,

139,142,144,149-159,201-211,401-402,700,800,810-814,850,900-952,999

set mls nde x.x.x.x 9991

set mls agingtime long-duration 64

set mls agingtime 32

set mls agingtime ipx 32

set mls nde enable

(enable) sess 15

Trying Router-15...

Connected to Router-15.

#sho run | i flow

ip flow-cache timeout inactive 10

ip flow-cache timeout active 1

ip route-cache flow (on all VLAN ints)

ip flow-export source Loopback0

ip flow-export version 5

ip flow-export destination x.x.x.x 9991

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
avmabe
Level 3
Level 3
In response to chrisayres

‎04-04-2007 06:07 AM

I would trust what you have now... Try to match it up to interface traffic if possible. Ignore the vlans when you talk of MLS... from the switching perspective, all the traffic that is routed by the FIB TCAM is captured and there is no need to even concern yourself with "vlans".

Keep in mind there are two types of netflow on a 6500 and a 7600.... The "switch" netflow traffic and the "router" traffic. The vast majority of traffic is going to be "switched" even if you think it would be routed b/c the routing paths are in hardware. How many IPV4 routes you can handle depends on your SUP version.

If traffic is coming into the switch, no matter what vlan it enters or exits, you are seeing that traffic from mls nde. I suspect before you were counting flows on the hardware level multiple times.

I can talk more about this if you would like, but I think you are good now.

If any of this information helps, feel free to rate my posts ;)

View solution in original post

0 Helpful
4 Replies 4

Go to solution
peter.nowack
Level 1
Level 1

‎04-01-2007 01:17 PM

I think, that your netflow configuration is OK. Maybe Crannog wrongly detect line speed. In some tools helps manual bandwidth set on the interface. If guys from Crannog said that your configuration is not OK, let them know what is missing in the config... But I'm almost sure that your config is standard.

Bye

Peter

0 Helpful

Go to solution
avmabe
Level 3
Level 3

‎04-03-2007 01:13 PM

take out the set mls bridged-flow-statistics command and see how it works...

When you enable mls nde enable it exports all netflow information for anything that is hardware switched, and the capacity of the netflow table (how many flows it will support) is based on if you have a SUPII, 720a/720b/720bxl...

Try that and see if it helps.

0 Helpful

Go to solution
chrisayres
Level 1
Level 1
In response to avmabe

‎04-04-2007 12:47 AM

Andrew,

I have done as you suggested and it has made a dramatic difference to the amount of traffic netflow is reporting, I am now seeing alot less traffic.

But now I am unsure which stats to believe. CCO is suitably vague on the subject and seems to interchange the terms switched and bridged.

I assume that by switching off bridged-stats I am still seeing routing traffic that is being HW switched in the switch (rather than thru the MSFC) but Iam not now seeing any traffic I am bridging between VLAN's or intra-vlan traffic.

Is this assumption right

0 Helpful

Go to solution
avmabe
Level 3
Level 3
In response to chrisayres

‎04-04-2007 06:07 AM

I would trust what you have now... Try to match it up to interface traffic if possible. Ignore the vlans when you talk of MLS... from the switching perspective, all the traffic that is routed by the FIB TCAM is captured and there is no need to even concern yourself with "vlans".

Keep in mind there are two types of netflow on a 6500 and a 7600.... The "switch" netflow traffic and the "router" traffic. The vast majority of traffic is going to be "switched" even if you think it would be routed b/c the routing paths are in hardware. How many IPV4 routes you can handle depends on your SUP version.

If traffic is coming into the switch, no matter what vlan it enters or exits, you are seeing that traffic from mls nde. I suspect before you were counting flows on the hardware level multiple times.

I can talk more about this if you would like, but I think you are good now.

If any of this information helps, feel free to rate my posts ;)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents