Netflow for Layer-2 switched flows

yves.haemmerli
Level 1

Hello,

I observe a strange behaviour with Netflow on Catalyst 6500 with SUP720-3B running version 12.2(33)SXH2a:

Setup:

  • Two different Cat6K linked by a trunk
  • A VRF is configured on each Cat6K and connected to a common VLAN (VLAN 310)
  • VRF-A in Switch-A is HSRP master and also the OSPF preferred path for all traffic coming through the VLAN
  • VRF-B in Switch-B does not route any traffic because of the preceding statement
  • Layer-2 switched flows creation is disabled with CHE02SW02(config)#no ip flow ingress layer2-switched vlan 310
  • Layer-2 switched flows export is disabled with CHE02SW02(config)#no ip flow export layer2-switched vlan 310

Traffic flow:

With this setup, all traffic flows through VRF-A, and VRF-B only receives the broadcasts on VLAN 310. This can be demonstrated with the packet counters on the VLAN interface 310 on VRF-B.

Netflow entries on VRF-A:

As expected, all Layer-3 flows are present in the VRF-A netflow table, but some L2 flows are also in the table, despite the fact that L2 flow creation has been disabled...

Some of them are, for instance:

110.56.6.222     10.56.57.81    udp :61983  :dns      Vl310            :0x01            64            4     17:52:54   L3 - Dynamic
10.240.131.107  10.56.6.223     udp :137    :137      Vl200            :0x03            270           4     17:52:54   L2 - Dynamic
10.56.57.81     10.56.6.222     udp :dns    :61983    Vl200            :0x00            0             4     17:52:54   L2 - Dynamic
10.56.55.248    10.56.6.222     udp :dns    :33468    Vl200            :0x036           5868          36    17:52:57   L3 - Dynamic
10.56.6.130     10.56.52.188    tcp :1272   :445      Vl200            :0x00            0             20    17:52:38   L2 - Dynamic

10.56.6.222     10.241.154.31   udp :58326  :dns      Vl200            :000             0             36    17:52:29   L2 - Dynamic
10.56.6.222     10.240.5.122    udp :54355  :dns      Vl310            :0x01            61            28    17:52:30   L3 - Dynamic
10.56.57.218    10.56.6.131     udp :53213  :53213    Vl200            :0x00            0             16    17:52:42   L2 - Dynamic
10.240.4.93     10.240.85.119   tcp :3978   :445      Vl200            :0x060           11112         36    17:52:58   L3 - Dynamic
10.240.49.45    10.56.33.94     tcp :8080   :4072     Vl310            :0x01            52            20    17:52:38   L3 - Dynamic

Netflow entries on VRF-B:

In VRF-B, there are no L3 flows because no routed traffic passes through this routing instance, as expected. But the strange thing is that we still see several thousand L2 flows (same inbound and outbound interface: VLAN 310).

Here is an extract of the table in VRF-B, containing only L2 flows:

10.56.33.92     10.56.6.222     udp :dns    :62830    Vl310            :0x01            208           9     17:56:06   L2 - Dynamic
10.56.33.92     10.56.6.222     udp :dns    :58655    Vl310            :0x01            137           25    17:55:50   L2 - Dynamic
10.56.34.156    10.56.6.222     udp :dns    :51187    Vl310            :0x01            55            12    17:56:03   L2 - Dynamic
10.240.42.211   10.56.33.94     tcp :8080   :3844     Vl310            :0x02            104           12    17:56:03   L2 - Dynamic
10.56.7.139     10.240.23.196   tcp :1360   :1494     Vl310            :0x02370         114889        183   17:56:08   L2 - Dynamic
10.240.42.121   10.56.6.176     tcp :5061   :2055     Vl310            :0x01            46            10    17:56:05   L2 - Dynamic
10.56.6.222     10.56.33.92     udp :54334  :dns      Vl310            :0x01            65            2     17:56:13   L2 - Dynamic
10.56.7.69      10.240.142.118  tcp :10000  :2675     Vl310            :0x07            322           34    17:56:11   L2 - Dynamic
10.56.6.222     10.56.33.92     udp :63074  :dns      Vl310            :0x01            63            10    17:56:05   L2 - Dynamic
10.240.142.20   10.56.7.69      tcp :www    :1124     Vl310            :0x04            1964          10    17:56:10   L2 - Dynamic

My questions:

  1. Why do I still see L2 flows in VRF-A, as Netflow L2 flow creation has been disabled on this VLAN?
  2. Why does VRF-B still have L2 flows in the Netflow table, as no packets flow through it?

Thank you for any hints

Yves Haemmerli
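The two tables above are easier to audit when broken down per interface and flow type, which is the first check I would run before blaming the platform: which interfaces the L2 entries were actually learned on, and whether any of them sit on a VLAN where L2 flow creation was disabled. The following helper is an added example, not code from the post or from Cisco. It parses the rows exactly as quoted above (the column layout it assumes, src/dst/proto/ports/interface/flags/bytes/packets/age/type, is inferred from those rows and may not match every IOS release), and the sample text is constructed from the post's own extracts.

```python
import re
from collections import Counter

# Column layout assumed from the rows quoted in the post (hypothetical; other
# IOS releases may print different columns):
#   src dst proto :sport :dport intf :flags bytes pkts age type
FLOW_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+:(?P<sport>\S+)\s+:(?P<dport>\S+)\s+"
    r"(?P<intf>\S+)\s+:(?P<flags>\S+)\s+(?P<bytes>\d+)\s+(?P<pkts>\d+)\s+(?P<age>\S+)\s+"
    r"(?P<kind>L[23])\s*-\s*(?P<mode>\S+)\s*$"
)

# Constructed sample: the VRF-A extract from the post (one blank line kept as pasted).
VRF_A_CACHE = """
110.56.6.222     10.56.57.81    udp :61983  :dns      Vl310            :0x01            64            4     17:52:54   L3 - Dynamic
10.240.131.107  10.56.6.223     udp :137    :137      Vl200            :0x03            270           4     17:52:54   L2 - Dynamic
10.56.57.81     10.56.6.222     udp :dns    :61983    Vl200            :0x00            0             4     17:52:54   L2 - Dynamic
10.56.55.248    10.56.6.222     udp :dns    :33468    Vl200            :0x036           5868          36    17:52:57   L3 - Dynamic
10.56.6.130     10.56.52.188    tcp :1272   :445      Vl200            :0x00            0             20    17:52:38   L2 - Dynamic

10.56.6.222     10.241.154.31   udp :58326  :dns      Vl200            :000             0             36    17:52:29   L2 - Dynamic
10.56.6.222     10.240.5.122    udp :54355  :dns      Vl310            :0x01            61            28    17:52:30   L3 - Dynamic
10.56.57.218    10.56.6.131     udp :53213  :53213    Vl200            :0x00            0             16    17:52:42   L2 - Dynamic
10.240.4.93     10.240.85.119   tcp :3978   :445      Vl200            :0x060           11112         36    17:52:58   L3 - Dynamic
10.240.49.45    10.56.33.94     tcp :8080   :4072     Vl310            :0x01            52            20    17:52:38   L3 - Dynamic
"""

# Constructed sample: the VRF-B extract from the post.
VRF_B_CACHE = """
10.56.33.92     10.56.6.222     udp :dns    :62830    Vl310            :0x01            208           9     17:56:06   L2 - Dynamic
10.56.33.92     10.56.6.222     udp :dns    :58655    Vl310            :0x01            137           25    17:55:50   L2 - Dynamic
10.56.34.156    10.56.6.222     udp :dns    :51187    Vl310            :0x01            55            12    17:56:03   L2 - Dynamic
10.240.42.211   10.56.33.94     tcp :8080   :3844     Vl310            :0x02            104           12    17:56:03   L2 - Dynamic
10.56.7.139     10.240.23.196   tcp :1360   :1494     Vl310            :0x02370         114889        183   17:56:08   L2 - Dynamic
10.240.42.121   10.56.6.176     tcp :5061   :2055     Vl310            :0x01            46            10    17:56:05   L2 - Dynamic
10.56.6.222     10.56.33.92     udp :54334  :dns      Vl310            :0x01            65            2     17:56:13   L2 - Dynamic
10.56.7.69      10.240.142.118  tcp :10000  :2675     Vl310            :0x07            322           34    17:56:11   L2 - Dynamic
10.56.6.222     10.56.33.92     udp :63074  :dns      Vl310            :0x01            63            10    17:56:05   L2 - Dynamic
10.240.142.20   10.56.7.69      tcp :www    :1124     Vl310            :0x04            1964          10    17:56:10   L2 - Dynamic
"""


def parse_flow_cache(text):
    """Parse pasted flow-cache rows; blank lines and lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["bytes"] = int(row["bytes"])
        row["pkts"] = int(row["pkts"])
        flows.append(row)
    return flows


def summarize(flows):
    """Count cache entries per (interface, flow type), e.g. ('Vl310', 'L2')."""
    return Counter((f["intf"], f["kind"]) for f in flows)


def unexpected_l2(flows, disabled_vlans):
    """Return L2 entries learned on interfaces where L2 flow creation was disabled."""
    return [f for f in flows if f["kind"] == "L2" and f["intf"] in disabled_vlans]


if __name__ == "__main__":
    for name, cache in (("VRF-A", VRF_A_CACHE), ("VRF-B", VRF_B_CACHE)):
        flows = parse_flow_cache(cache)
        print(name, "entries per (interface, type):", dict(summarize(flows)))
        # "no ip flow ingress layer2-switched vlan 310" was applied, so Vl310 is the
        # interface on which L2 entries should not appear.
        for f in unexpected_l2(flows, {"Vl310"}):
            print(name, "L2 entry on disabled VLAN:", f["src"], "->", f["dst"], f["proto"], f["intf"])
```

Run against the extracts as quoted, the VRF-A breakdown shows the L2 entries all on Vl200 and none on Vl310, while every VRF-B entry is an L2 entry on Vl310; comparing that breakdown with the per-VLAN configuration is the check to make before reading the output as a bug.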
