Netflow v5 on Cisco Catalyst 6000 MSFC2

Jan 21st, 2008

Hi, I have a customer running the mentioned core switch with software c6msfc2-pk2sv-mz.121-13.E11. I'm implementing a NetFlow collector in their environment, but it turns out that this version of IOS only supports NetFlow v5/v6, and only the fast-switching flow cache is supported.


My initial plan is as follows:

ip flow-export destination < >
ip flow-export source < >
ip flow-export version 5
interface vlan <server_vlan>
 ip route-cache flow


What's the main difference between "ip route-cache flow" and "ip flow ingress/egress"?


Is server -> server traffic in the same VLAN considered a flow as well?


I'd appreciate it if anyone could comment on this.

Jan Nejman Mon, 01/21/2008 - 03:10

Hello,

"ip route-cache flow" is a deprecated command; use "ip flow ingress" instead.


No. If you want to account for communication between hosts in the same VLAN, use the commands:


ip flow ingress layer2-switched vlan

ip flow export layer2-switched vlan


Enable also mls netflow ...


For more information see:

http://netflow.caligare.com/



Kind regards,


Jan Nejman

Caligare, Co.

http://www.caligare.com/




networknoobs Mon, 01/21/2008 - 04:44

Unfortunately, "ip route-cache flow" is the only option in that particular IOS. I'm just wondering whether there is anything I miss by using "ip route-cache flow" instead of "ip flow ingress/egress". And is it possible to enable NetFlow for the layer2-switched traffic using "ip route-cache flow"?


I've spoken to the customer, but they're reluctant to upgrade their current working IOS for various reasons. I've conducted some other NetFlow collection using "ip route-cache flow", but the end result was not really satisfying/acceptable, as the result does not seem to reflect the actual traffic.


Are there any other options?

Jan Nejman Mon, 01/21/2008 - 04:49

Hello,

Did you enable mls nde? Try the following:


switch(config)# mls nde sender version 7

switch(config)# mls aging long 128

switch(config)# mls aging normal 32

switch(config)# mls flow ip full

or better

switch(config)# mls flow ip interface-full


"ip route-cache flow" enables L3 switched traffic accounting.


Kind regards,


Jan Nejman

Caligare, Co.

http://www.caligare.com/



networknoobs Mon, 01/21/2008 - 19:54

Well, I decided not to send the layer2-switched traffic through NetFlow and to account only for the layer3-switched traffic. So only the "ip route-cache flow" command and the ip flow-export commands are required.


I've done this before and think it was not the best way, as the collected result does not seem to reflect the actual traffic... Just wondering whether there's another way to do this without upgrading their current IOS?

grayd Mon, 01/28/2008 - 13:41

You still need to enable nde on the CatOS side to account for mls traffic. If you only enable NetFlow on the MSFC, you only account for the first packet in the flow in the NetFlow statistics.


By default, you will get NetFlow data only on the routed traffic. If you enter "set mls bridged-flow-statistics enable", you will also get the bridged traffic.
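
The first-packet-only accounting described in the last reply can be checked from the collector side. The Python below is an added example, not part of any post in this thread: it parses NetFlow v5 export datagrams and reports the share of flows carrying exactly one packet. The sample datagram, its addresses and the function names are constructed for illustration.

```python
import socket
import struct

# NetFlow v5 export datagram: 24-byte header, then `count` 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")

def parse_v5(datagram):
    """Return (header dict, list of flow dicts) for one NetFlow v5 datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the NetFlow v5 header")
    fields = HEADER.unpack_from(datagram)
    version, count, seq = fields[0], fields[1], fields[5]
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated: header announces %d records" % count)
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[12]})
    return {"count": count, "sequence": seq}, flows

def single_packet_share(flows):
    """Fraction of flows whose dPkts counter is exactly 1."""
    if not flows:
        return 0.0
    return sum(1 for f in flows if f["packets"] == 1) / len(flows)

def build_sample():
    """Constructed datagram: three TCP flows, two of them with one packet."""
    recs = [("10.0.1.10", "10.0.2.20", 1, 60, 40000, 80),
            ("10.0.1.11", "10.0.2.20", 1, 60, 40001, 443),
            ("10.0.1.12", "10.0.2.21", 250, 180000, 40002, 445)]
    zero = socket.inet_aton("0.0.0.0")  # next hop left unset in the sample
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), zero, 1, 2,
                    p, o, 1000, 2000, sp, dp, 0x10, 6, 0, 0, 0, 24, 24)
        for s, d, p, o, sp, dp in recs)
    return HEADER.pack(5, len(recs), 5000, 1201500000, 0, 1, 0, 0, 0) + body

if __name__ == "__main__":
    hdr, flows = parse_v5(build_sample())
    print("records:", hdr["count"], "sequence:", hdr["sequence"])
    print("single-packet share: %.2f" % single_packet_share(flows))
```

A share near 1.0 for traffic known to consist of long-lived sessions is consistent with only the first packet of each flow being accounted; what counts as "near" is an assumption to tune per site.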
