Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1230
Views
0
Helpful
2
Replies

Any limitations on NetFlow and VRF?

linker.team
Level 1
Level 1

‎07-11-2008 04:32 AM

We have a Cisco 6504 switch with sup720 supervisor engine, running native IOS. NetFlow was enabled on the device. We find that the analyzer software reports traffic much lower than the actual traffic passing through the switch whereas other Cisco6504 switches (same model and similar configuration) works fine. The only difference is that the flow export is through a VRF configured on the device. So the command we have for exporting flows is as follows:

ip flow-export destination xx.xx.xx.xx 9996 vrf NAME1

If the VRF command is removed, no flows at all reach the analyzer software. Is there any limitation on NetFlow because of the presence of VRF on the device. Or is there any other possible reason on why the traffic is reported different on the analyzer software.

The following is the NetFlow related commands on the device:

snmp-server ifindex persist

ip flow-cache timeout active 1

ip flow-cache timeout inactive 15

ip flow-export source Vlan200

ip flow-export version 5

ip flow-export destination xx.xx.xx.xx 9996 vrf NAME1

mls nde sender version 7

mls flow ip interface-full

mls netflow interface

mls aging long 64

mls aging normal 32

ip flow ingress layer2-switched vlan 101-105,200-240,300-340,500-540

ip flow export layer2-switched vlan 101-105,200-240,300-340,500-540

Regards,

Don

Labels:
0 Helpful
2 Replies 2

rseiler
Level 3
Level 3

‎10-27-2008 06:17 AM

'ip flow-export destination vrf ' is not supported in IOS 12.SXH at this time. Look for 12.2SXI (within 90 days) for this feature.

If you 'debug ip flow export' you will see that the first flow packet works correctly, with a correct source address (this is the RP first flow as the hardware is programmed). All additional flow export packets will be sent with a source address of 0.0.0.0, which will never work (these are the mls NDE exported flows).

According to Cisco, this is not yet a supported feature. Moving the flow export to the global routing table may work, but you may not receive all flows from all VRFs.

Track bug id CSCsh99774 for more info...

0 Helpful
Customers Also Viewed These Support Documents