Netflow question in a Catalyst 6509 with a FWSM installed

yves.haemmerli
Level 1

Hi all,

I am configuring Netflow on a 6509 Sup-720 and PFC3C. Netflow is really great to get visibility of the traffic flowing through the network. However, I have two different questions in regard to netflow:

Question 1:

I discovered an interesting behaviour, when a FWSM is inserted.

Here is my environment:

                  +------+                    +------+                   +------+
   --- VLAN100 ----| FWSM |----- VLAN102 ------| VRF  |----- VLAN104 -----| FWSM |---- VLAN105 ----
                   +------+   (NO servers)   | +------+     (servers)     +------+   (servers)
                                             |
          Ingress flow                       |
     -------------------------->              "ip flow ingress" on this interface

VLAN102 is just a transit vlan between a FWSM context and a VRF. There are no servers on it, just the FWSM and the VRF. When I configure the vlan interface 102 with the command <ip flow ingress>, no flows are sent by Netflow to the Netflow collector station. In order to see the traffic flowing from VLAN100 through the FWSM and then through VLAN102, I have to enable Netflow for layer-2 switched traffic with the command:

CHE02SW02(config)# ip flow ingress layer2-switched vlan 102

Now, I can see the traffic in both directions.

Is it a normal behaviour?

Question 2:

When I configure Netflow for layer-2 switched traffic, my Netflow Collector shows exactly the same figures for OUT and IN traffic. In other words, we cannot see the traffic bandwidth for IN and OUT. They are the same.

Is it normal?

Thank you

Yves

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Yves,

about question 2) documentation says that:

The exported bridged flows will have ingress and egress VLAN information and not the physical port information.

and

To enable NetFlow for bridged IP traffic on a VLAN, you must create a corresponding VLAN interface and enter the no shutdown command. The no shutdown command can be followed, if necessary, by the shutdown command.

and

NetFlow for ingress-bridged IP traffic in a VLAN requires that NetFlow on the PFC be enabled with the mls netflow command.

So you should be able to see different figures for in and out on a per vlan basis.

So it is strange you see the same figures in and out. I agree on this.

The only note is that PFC3A doesn't support netflow for bridged traffic:

>> Except in PFC3A mode, NetFlow supports bridged IP traffic. PFC3A mode does not support NetFlow bridged IP traffic.

But you have PFC3C so it should be supported.

question 1)

Not an easy question, and I never tested this up to now.

The FWSM is like an external device and does not take part in the netflow accounting process. The only interface is vlan102, which is in a VRF.

Traffic is exchanged on internal port channel between FWSM and chassis/supervisor.

The interface in the VRF can be monitored with netflow when using an appropriate IOS image:

Prerequisites for NDE for VRF Interfaces

Your router must be running Cisco IOS release 12.2(33)SRB or later to configure the NDE for VRF Interfaces feature.

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nfvrf_ps6922_TSD_Products_Configuration_Guide_Chapter.html#wp1054900

But I guess that this is not your problem.

A search on the interaction of FWSM and netflow points to security designs where both can be used.

I've noted that the internal port channel made of 6 GE appears in sh etherchannel summary, but it is not possible to get information about traffic on these internal GE ports from the IOS supervisor. Old FWSM versions don't provide info about traffic; newer ones (well, 3.x and later I think) provide a way to know how much traffic is going to the bundle in the FWSM shell.

This might be related to this behaviour with netflow or not.

Hope to help

Giuseppe

Hi Giuseppe,

Thank you for having taken the time to give me your comments on these two questions. Actually, for Question 1, I know the requirements and the only explanation I have is that the FWSM and the VRF use an internal layer-2 channel to communicate. In this case, the only way to "see" the traffic via Netflow is to configure Netflow for Layer-2.

But for Question 2, I cannot understand why the Netflow collector shows exactly the same traffic figures (speed, usage, volume) for both directions!

I will open another thread for this specific question in order to not confuse people...

Thanks again,

Yves

Hi Giuseppe,

In the meantime I did some research on this topic and discovered why the same figure appears in Input and Output. The reason is that, if you only configure Layer-2 netflow with the command "(config)#ip flow export layer2-switched vlan 310", each Netflow PDU containing information about a flow shows "VLAN310" for both InputInt and OutputInt. Therefore, the collector cannot see the direction of the flow.

The solution to this problem is to configure both Layer-2 netflow and Layer-3 Netflow with the command:

(config)#interface vlan 31

(config-if)#ip flow ingress

Yves
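The symptom Yves describes, every record carrying the same VLAN as both InputInt and OutputInt, can be checked directly on the export stream rather than trusting the collector's graphs. The script below is an added example and not code from the thread: it parses NetFlow v5 PDUs (the public 24-byte header and 48-byte record layout) and attributes octets to IN or OUT relative to one SVI, counting records whose input and output ifIndex are identical as direction-ambiguous. The two sample PDUs are constructed inline; the ifIndex values 310 and 31 are assumed stand-ins for the VLAN 310 and VLAN 31 SVIs and are not from the original post.

```python
"""Parse NetFlow v5 export PDUs and flag records whose input and output
interface indexes are identical. A collector receiving only such records
cannot attribute bytes to an IN or OUT direction, which is why layer-2-only
export on a 6500 shows equal figures both ways.

Added example, not from the thread. Packet layout follows the public NetFlow
v5 format; addresses and ifIndex values below are constructed sample data.
"""
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct(">HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")  # 48 bytes


def parse_v5(pdu: bytes) -> list:
    """Return one dict per flow record in a NetFlow v5 PDU."""
    version, count, *_ = V5_HEADER.unpack_from(pdu, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 PDU (version={version})")
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(pdu, off)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "in_if": in_if, "out_if": out_if, "pkts": pkts, "octets": octets,
            "proto": proto, "sport": sport, "dport": dport,
        })
    return records


def direction_summary(records, vlan_ifindex):
    """Attribute octets to IN/OUT relative to one VLAN SVI.

    'in'  : the record entered through the SVI (input ifIndex matches)
    'out' : the record left through the SVI (output ifIndex matches)
    'ambiguous': input and output ifIndex are equal, the bridged-only
                 export case where the collector shows identical IN/OUT.
    """
    summary = {"in": 0, "out": 0, "ambiguous": 0, "ambiguous_records": 0}
    for r in records:
        if r["in_if"] == r["out_if"]:
            summary["ambiguous"] += r["octets"]
            summary["ambiguous_records"] += 1
        elif r["in_if"] == vlan_ifindex:
            summary["in"] += r["octets"]
        elif r["out_if"] == vlan_ifindex:
            summary["out"] += r["octets"]
    return summary


def build_pdu(flows):
    """Build a v5 PDU from (src, dst, in_if, out_if, pkts, octets) tuples.

    Only the fields relevant here are filled; timestamps, AS numbers and
    next-hop are zero. Ports/flags are fixed constructed values.
    """
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, in_if, out_if, pkts, octets in flows:
        body += V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0,
                               in_if, out_if, pkts, octets, 0, 0,
                               443, 51000, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + body


# Constructed samples. ifIndex 310 stands for the VLAN 310 SVI and 31 for the
# neighbouring VLAN 31 SVI (assumed values, not from the post).
# Layer-2-only export: both directions carry the same ifIndex in and out.
L2_ONLY_PDU = build_pdu([
    ("10.0.1.10", "10.0.2.20", 310, 310, 10, 6000),
    ("10.0.2.20", "10.0.1.10", 310, 310, 8, 1200),
])
# Layer-2 plus "ip flow ingress" on the SVI: input and output differ.
L2_PLUS_L3_PDU = build_pdu([
    ("10.0.1.10", "10.0.2.20", 310, 31, 10, 6000),
    ("10.0.2.20", "10.0.1.10", 31, 310, 8, 1200),
])

if __name__ == "__main__":
    print("layer-2 only    :", direction_summary(parse_v5(L2_ONLY_PDU), 310))
    print("layer-2 + layer-3:", direction_summary(parse_v5(L2_PLUS_L3_PDU), 310))
```

Run against a live export (for instance by reading UDP datagrams from the collector port), a non-zero `ambiguous_records` count for a VLAN is the quickest confirmation that the SVI still lacks the layer-3 `ip flow ingress` statement, independent of how any particular collector draws its graphs.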

Hello Yves,

This is good news; clearly it is the interface vlan 310 SVI in your example.

Adding the L3 configuration helps in collecting more meaningful data.

Nice Tip.

Best Regards

Giuseppe
