MLS is already enabled, because only the first packet is routed through the MSFC, the remaining packets are switched on the Supervisor.

on switch:

#mls

set mls flow full

set mls nde enable

MLS commands supported on MSFC:

A_Root(config)#mls ?

ip ip keyword

rp rp

A_Root(config)#mls ip ?

acl Enable ACLs particular features

multicast multicast keyword

A_Root(config)#mls rp ?

ip Enable IP shortcuts

ipx Enable IPX shortcuts

nde-address nde-address

A_Root(config)#mls rp ip ?

input-acl Enable IP input access list

route-map Enable IP route map

A_Root(config)#mls rp nde-address ?

A.B.C.D IP address

Hello,

ohh, you are using CatOs on the switch and IOS on the MSFC.

The first packet goes to the MSFC where is "routed", the switch learn it and other packets go directly via switching part (on the supervisor). So I think that it is correct, if you see only one packet per flow. Did you configure correctly netflow export on the supervisor? See our webpages: http://netflow.caligare.com (section configuration).

Could you send me configuration of your CatOS?

Your MSFC configuration is OK.

Kind regards,

Jan

On MSFC:

interface Vlan15

ip address x.x.x.x

ip route-cache flow

ip flow-export source Vlan15

ip flow-export version 5

ip flow-export destination 10.248.6.70 9994

On Catalyst:

#mls

set mls flow full

set mls agingtime 128

set mls nde enable

### I suppose this version of IOS does not allow to enable Netflow on the MSFC.

I think, that your msfc configuration is really OK. But you haven't specified an export destination from your switching part.

switch> (enable) set mls nde 10.248.6.70 9994

switch> (enable) set mls nde version 7

switch> (enable) set mls agingtime long 128

switch> (enable) set mls agingtime 16

If you are using CatOS on the supervisor, and IOS on the MSFC, it is neccessary to configure netflow export destinations for both parts!

In the MSFC you will see only the first packet and on the supervisor (CatOS) the rest of communication (99% flows). I recommend to use the same IP address and port number for both parts (if your analyzer supports it).

Jan

When I do configure netflow export destinations for both parts, it works., the problem is that all traffic is exported, not only traffic from Vlan 15., but it's OK, thank you very much for the support.

Welcome.

On the supervisor there is not any mechanism, how to specify from which VLANs or ports do you want to collect a netflow. If you want to see a separate traffic flow, it is neccessary to use some filtering method on the analyzer side. I'm coding Caligare Flow Inspector software, and there are two ways how to filter flow a) you can drop unwanted flows when you receive it or b) when you specify query it is possible to set filtering conditions based on (IP addresses, interfaces, ports, ...), but in the database there are all flows.

Kind regards,

Jan

PS.: One interesting command is: set mls bridged-flow-statistics enable ... (it will account intra-vlan flows, e.g. flows that goes from vlan 15 to vlan 15), but it generates many many flows....

ok, I will use filtering conditions(set mls nde flow include source...).

thanks again.