cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1381
Views
0
Helpful
8
Replies

netflow 6513

nhon.yeung
Level 1
Level 1

Hi all

I'm trying to get some netflow stats from a 6513 using VS-S720-10G sup's (we're not using the vs functionality). I've configured the following:

mls netflow

mls nde send version 7

mls nde interface

mls agingtime long 64

mls agingtime fast 16 0

ip flow-export version 9

ip flow-export source vlan 101

ip flow-export destination 10.255.0.43 9995

ip flow-cache timeout active 1

and on the interfaces i want to gather netflow info:

ie interface atm4/0/0.53

ip flow ingress

I seem to be getting some netflow data but it doesn't appear to be all the flow information. I want to see all the application traffic flows. All i'm seeing is ntp, eigrp, icmp etc nothing for other tcp protocols. Am i missing something?

8 Replies 8

Jan Nejman
Level 3
Level 3

Hello,

try use the following command:

mls flow ip interface-full

and try some show commands:

show mls nde

show mls netflow table-contention summary

show ip flow export

Please, let me know results.

Kind regards,

Jan Nejman

Caligare, Co.

http://www.caligare.com/

Hi

I added the mls flow ip interface-full and it made no difference.

When i do a sho ip cache flow, i can see various protocols ie http but it doesn't appear in the reporting.

ccrtr01#sho ip cache flow

-------------------------------------------------------------------------------

Displaying software-switched flow entries on the MSFC in Module 8:

IP packet size distribution (2119108 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.125 .194 .576 .001 .020 .006 .004 .000 .065 .000 .002 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes

66 active, 4030 inactive, 441883 added

15689322 ager polls, 0 flow alloc failures

Active flows timeout in 1 minutes

Inactive flows timeout in 15 seconds

IP Sub Flow Cache, 33992 bytes

66 active, 958 inactive, 441883 added, 441883 added to flow

0 alloc failures, 0 force free

1 chunk, 0 chunks added

last clearing of statistics 1w0d

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

TCP-Telnet 418 0.0 57 46 0.0 17.0 11.8

TCP-WWW 662 0.0 1 47 0.0 1.1 15.5

TCP-other 210 0.0 5 51 0.0 9.7 15.2

UDP-DNS 2656 0.0 2 65 0.0 3.7 15.5

UDP-NTP 267456 0.3 1 76 0.3 0.0 15.5

UDP-TFTP 1156 0.0 6 53 0.0 29.1 15.5

UDP-other 26712 0.0 4 151 0.1 6.5 15.2

ICMP 48626 0.0 8 113 0.5 36.7 8.1

IP-other 93968 0.1 13 64 1.9 58.4 1.9

Total: 441864 0.6 4 80 3.1 16.9 11.8

Please,

could you send me output of the commands:

show mls nde

show mls netflow table-contention summary

Which collector/analyzer do you using? Is your collector supporting netflow version 7?

Kind regards,

Jan Nejman

Caligare, Co.

http://www.caligare.com/

Hi Jan

We're using NetQos is supports all versions up to 9. I don't have a problem with 1841 routers sending netflow to it just the 6513.

ccrtr01#sho mls nde

Netflow Data Export enabled

Exporting flows to 10.255.0.43 (9995) 10.16.8.188 (2055)

Exporting flows from 10.100.1.1 (49471)

Version: 5

Layer2 flow creation is disabled

Layer2 flow export is disabled

Include Filter not configured

Exclude Filter not configured

Total Netflow Data Export Packets are:

39649 packets, 0 no packets, 419406 records

Total Netflow Data Export Send Errors:

IPWRITE_NO_FIB = 0

IPWRITE_ADJ_FAILED = 0

IPWRITE_PROCESS = 0

IPWRITE_ENQUEUE_FAILED = 0

IPWRITE_IPC_FAILED = 0

IPWRITE_OUTPUT_FAILED = 0

IPWRITE_MTU_FAILED = 0

IPWRITE_ENCAPFIX_FAILED = 0

IPWRITE_CARD_FAILED = 0

Netflow Aggregation Disabled

ccrtr01#sho mls net

ccrtr01#sho mls netflow tab

ccrtr01#sho mls netflow table-contention summ

Earl in Module 7

Summary of Netflow CAM Utilization (as a percentage)

====================================================

TCAM Utilization : 0%

ICAM Utilization : 0%

Netflow Creation Failures : 0

Netflow CAM aliases : 0

Earl in Module 8

Summary of Netflow CAM Utilization (as a percentage)

====================================================

TCAM Utilization : 0%

ICAM Utilization : 0%

Netflow Creation Failures : 0

Netflow CAM aliases : 0

ccrtr01#

One potential explanation of this symptom can be the fact NetQoS RA only keeps the top-50 flows for each interface after 4 hrs (RA 7.x) or 24 hrs (RA 8.x). In RA 8.x, this can be vividly seen in the many gaps in the trend plots of flows, as they fall in or out of the top-50 bucket. In RA 7.x, the gaps were plotted as zero, so the graphs were smooth/gapless.

Hi,

I also have a demo of flukes netflow tracker which only supports version 5 and have the same problem.

Do you see the missing flows in the data (text) files on the Harvester(s) of NetQoS RA?

I find it bizarre that your config shows:

mls nde send version 7

Yet your "show mls nde" says "version 5".

I'm also curious: Any reason you want to use NetFlow v9?

Failing everything else, it may be worth trying setting both "ip flow-export version" and "mls nde send version" to 5 and see if that helps.

Ah sorry for all the confusion.. i had to drop back to version 5 because flukes only supported up to 5 whereas netqos does 9.

No real requirement for version 9 other than the collect supports it.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: