netflow 6513

Unanswered Question
Jul 29th, 2008
User Badges:

Hi all

I'm trying to get some netflow stats from a 6513 using VS-S720-10G sup's (we're not using the vs functionality). I've configured the following:

mls netflow

mls nde send version 7

mls nde interface

mls agingtime long 64

mls agingtime fast 16 0

ip flow-export version 9

ip flow-export source vlan 101

ip flow-export destination 10.255.0.43 9995

ip flow-cache timeout active 1

and on the interfaces i want to gather netflow info:

ie interface atm4/0/0.53

ip flow ingress


I seem to be getting some netflow data but it doesn't appear to be all the flow information. I want to see all the application traffic flows. All i'm seeing is ntp, eigrp, icmp etc nothing for other tcp protocols. Am i missing something?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jan Nejman Wed, 07/30/2008 - 00:24
User Badges:
  • Bronze, 100 points or more

Hello,


try use the following command:


mls flow ip interface-full


and try some show commands:


show mls nde

show mls netflow table-contention summary

show ip flow export


Please, let me know results.


Kind regards,


Jan Nejman

Caligare, Co.

http://www.caligare.com/


nhon.yeung Wed, 07/30/2008 - 19:53
User Badges:

Hi

I added the mls flow ip interface-full and it made no difference.

When i do a sho ip cache flow, i can see various protocols ie http but it doesn't appear in the reporting.


ccrtr01#sho ip cache flow


-------------------------------------------------------------------------------


Displaying software-switched flow entries on the MSFC in Module 8:


IP packet size distribution (2119108 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.125 .194 .576 .001 .020 .006 .004 .000 .065 .000 .002 .000 .000 .000 .000


512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000


IP Flow Switching Cache, 278544 bytes

66 active, 4030 inactive, 441883 added

15689322 ager polls, 0 flow alloc failures

Active flows timeout in 1 minutes

Inactive flows timeout in 15 seconds

IP Sub Flow Cache, 33992 bytes

66 active, 958 inactive, 441883 added, 441883 added to flow

0 alloc failures, 0 force free

1 chunk, 0 chunks added

last clearing of statistics 1w0d

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

TCP-Telnet 418 0.0 57 46 0.0 17.0 11.8

TCP-WWW 662 0.0 1 47 0.0 1.1 15.5

TCP-other 210 0.0 5 51 0.0 9.7 15.2

UDP-DNS 2656 0.0 2 65 0.0 3.7 15.5

UDP-NTP 267456 0.3 1 76 0.3 0.0 15.5

UDP-TFTP 1156 0.0 6 53 0.0 29.1 15.5

UDP-other 26712 0.0 4 151 0.1 6.5 15.2

ICMP 48626 0.0 8 113 0.5 36.7 8.1

IP-other 93968 0.1 13 64 1.9 58.4 1.9

Total: 441864 0.6 4 80 3.1 16.9 11.8


Jan Nejman Thu, 07/31/2008 - 00:09
User Badges:
  • Bronze, 100 points or more

Please,

could you send me output of the commands:


show mls nde

show mls netflow table-contention summary


Which collector/analyzer do you using? Is your collector supporting netflow version 7?


Kind regards,


Jan Nejman

Caligare, Co.

http://www.caligare.com/


nhon.yeung Sun, 08/03/2008 - 16:02
User Badges:

Hi Jan

We're using NetQos is supports all versions up to 9. I don't have a problem with 1841 routers sending netflow to it just the 6513.


ccrtr01#sho mls nde

Netflow Data Export enabled

Exporting flows to 10.255.0.43 (9995) 10.16.8.188 (2055)

Exporting flows from 10.100.1.1 (49471)

Version: 5

Layer2 flow creation is disabled

Layer2 flow export is disabled

Include Filter not configured

Exclude Filter not configured

Total Netflow Data Export Packets are:

39649 packets, 0 no packets, 419406 records

Total Netflow Data Export Send Errors:

IPWRITE_NO_FIB = 0

IPWRITE_ADJ_FAILED = 0

IPWRITE_PROCESS = 0

IPWRITE_ENQUEUE_FAILED = 0

IPWRITE_IPC_FAILED = 0

IPWRITE_OUTPUT_FAILED = 0

IPWRITE_MTU_FAILED = 0

IPWRITE_ENCAPFIX_FAILED = 0

IPWRITE_CARD_FAILED = 0

Netflow Aggregation Disabled


ccrtr01#sho mls net

ccrtr01#sho mls netflow tab

ccrtr01#sho mls netflow table-contention summ

Earl in Module 7

Summary of Netflow CAM Utilization (as a percentage)

====================================================

TCAM Utilization : 0%

ICAM Utilization : 0%

Netflow Creation Failures : 0

Netflow CAM aliases : 0

Earl in Module 8

Summary of Netflow CAM Utilization (as a percentage)

====================================================

TCAM Utilization : 0%

ICAM Utilization : 0%

Netflow Creation Failures : 0

Netflow CAM aliases : 0


ccrtr01#

yjdabear Sun, 08/03/2008 - 17:21
User Badges:
  • Gold, 750 points or more

One potential explanation of this symptom can be the fact NetQoS RA only keeps the top-50 flows for each interface after 4 hrs (RA 7.x) or 24 hrs (RA 8.x). In RA 8.x, this can be vividly seen in the many gaps in the trend plots of flows, as they fall in or out of the top-50 bucket. In RA 7.x, the gaps were plotted as zero, so the graphs were smooth/gapless.

nhon.yeung Sun, 08/03/2008 - 17:35
User Badges:

Hi,

I also have a demo of flukes netflow tracker which only supports version 5 and have the same problem.

yjdabear Sun, 08/03/2008 - 18:03
User Badges:
  • Gold, 750 points or more

Do you see the missing flows in the data (text) files on the Harvester(s) of NetQoS RA?


I find it bizarre that your config shows:


mls nde send version 7


Yet your "show mls nde" says "version 5".


I'm also curious: Any reason you want to use NetFlow v9?


Failing everything else, it may be worth trying setting both "ip flow-export version" and "mls nde send version" to 5 and see if that helps.

nhon.yeung Sun, 08/03/2008 - 18:14
User Badges:

Ah sorry for all the confusion.. i had to drop back to version 5 because flukes only supported up to 5 whereas netqos does 9.

No real requirement for version 9 other than the collect supports it.

Actions

This Discussion