NetFlow Feature card support needed

Jul 24th, 2009

Hi,

I've installed an NFC in the following scenario: Cat4500 SUPIV, IOS 12.2(25)EWA1.

Netflow commands configured:

ip route-cache flow infer-fields

ip flow ingress infer-fields

ip flow ingress layer2-switched

ip flow-cache timeout inactive 30

ip flow-cache timeout active 2

ip flow-export source Vlan147

ip flow-export version 5

ip flow-export destination <ip> 9996

I've several SVIs connected, all configured in a uniform manner. But the WAN SVI interface, which is a DTM ethernet connection, only shows incoming traffic. The peer interface, which is homed on a 6509, shows in- and outgoing traffic. Netflow collector is Netflow Analyzer 7. I'm stumped: why is only one SVI showing this issue?

yjdabear Fri, 07/24/2009 - 05:25

On the 6509, are there other interfaces that have "ip route-cache flow" turned on, or just the peer interface to the 4500?

ssieger Sun, 07/26/2009 - 22:25

There are over 150 SVIs on the 6509, but the problem with traffic in only one direction is on the 4506.

yjdabear Mon, 07/27/2009 - 06:21

I suspect the 4506 only has that one WAN-SVI interface with "ip route-cache flow" configured, so it's entirely expected behavior you only see incoming traffic, because NetFlow is unidirectional only and ingress by default (and as configured).

On the other hand, the 6509 does not exhibit the problem, probably because it has multiple interfaces with "ip route-cache flow" on. So you're getting the bi-directional picture of the traffic flowing through two of the 6509's interfaces (in through one, out through another), because the Netflow Analyzer software can stitch two interfaces' ingress records into one duplex conversation.
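
The stitching described in the reply above, as an added example that is not part of the original thread and not Netflow Analyzer's code: a minimal NetFlow v5 parser that credits each ingress record's bytes as "in" on the input ifIndex and as "out" on the output ifIndex. The ifIndex values and the sample flows are constructed for illustration.

```python
import struct
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")             # NetFlow v5 header, 24 bytes
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes

def build_packet(flows):
    """Constructed sample export: flows are (input_if, output_if, octets)."""
    body = b"".join(
        REC.pack(0x0A000001, 0x0A000002, 0, in_if, out_if, 1, octets, 0, 0,
                 1024, 80, 0, 0, 6, 0, 0, 0, 24, 24, 0)
        for in_if, out_if, octets in flows)
    return HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

def interface_totals(packet):
    """Return {ifindex: {"in": octets, "out": octets}} from one v5 export."""
    version, count, *_ = HDR.unpack_from(packet, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 export")
    if len(packet) < HDR.size + count * REC.size:
        raise ValueError("truncated export packet")
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for n in range(count):
        rec = REC.unpack_from(packet, HDR.size + n * REC.size)
        in_if, out_if, octets = rec[3], rec[4], rec[6]
        totals[in_if]["in"] += octets        # accounted where the flow entered
        if out_if:                           # 0 means the exporter left it unset
            totals[out_if]["out"] += octets  # egress is derived, not measured
    return {ifindex: dict(t) for ifindex, t in totals.items()}

WAN, LAN = 147, 10  # hypothetical ifIndex values

# Ingress records from both interfaces: each side gets "in" and "out".
both_sides = interface_totals(build_packet([(WAN, LAN, 5000), (LAN, WAN, 1200)]))

# Ingress records from the WAN interface only: WAN shows incoming traffic only.
wan_only = interface_totals(build_packet([(WAN, LAN, 5000)]))

if __name__ == "__main__":
    print("both sides:", both_sides)
    print("WAN only:  ", wan_only)
```
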

ssieger Mon, 07/27/2009 - 22:25

It is not possible to configure "ip route-cache flow" on the SVIs of the 4506. It has IOS 12.2(25)EWA1 installed and the command is not available. I guess I'll do an update in the next few days first, and try to configure the command again after the new version is running.

Greetings,

Stephan

yjdabear Tue, 07/28/2009 - 12:41

It appears the 4500 does not support "ip route-cache flow" per interface. The "ip route-cache flow infer-fields" that I assumed was applied on the SVI interface is all it takes, globally.

Lastly, try appending "peer-as" or "origin-as" after "ip flow-export version 5".

ssieger Tue, 07/28/2009 - 22:18

I've tried appending the commands, but they have no impact at all. I'll do the IOS update next Wednesday.
