11-28-2011 05:22 AM - edited 03-07-2019 03:37 AM
Hi...
We have a pair of 6509 working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANS,
VLAN 10 - Servers Vlan
VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
I configured the netflow source as VLAN 11, although I am not collecting any netflow from it.
Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via the TRANSIT/ASA VLAN (9) does not get reported. I even tested with 4 GB of traffic but got no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
I read somewhere that egress netflow is not supported on the 6500, but isn't traffic originating from a user VLAN to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)?
I would like to know whether bidirectional Netflow is supported on 6500 VLANs. I have minimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and monitoring this Transit VLAN gives me extremely useful info.
I do get bidirectional netflow traffic from the Server VLAN 10, but I think it is correlated by the netflow collector from VLANs 9 and 10.
Below is a show run | inc flow
ip flow-cache timeout active 1
ip flow ingress layer2-switched vlan 9,10
mls netflow interface
mls flow ip interface-full
interface vlan 9
 ip flow ingress
 ip flow egress
interface vlan 10
 ip flow ingress
 ip flow egress
ip flow-export source vlan11
ip flow-export version 9
ip flow-export destination 10.10.10.10 2055
All help is appreciated.
Thanks
11-28-2011 08:01 AM
Egress accounting isn't supported for unicast flows at this moment on the 6500, only for multicast flows.
Regards,
Edison
11-28-2011 10:18 AM
Thanks for the reply...
If traffic from a user VLAN on the 6509 is destined to some remote site, it passes via VLAN (9) on the same 6509, since it is the only way to get outside. Isn't this considered ingress and netflow should be reported?
Thanks again...
11-28-2011 10:28 AM
That's considered egress.
Vlan 9 is connected to your ASA and only traffic sent from the ASA to that Vlan will be captured.
Traffic sent to the ASA is considered to be in the egress direction from that Vlan.
With your design, you are capturing traffic as it enters Vlan 10 (your server vlan) so you are not missing anything, right?
11-28-2011 10:59 AM
Thanks for the reply,
I have been seeing lots of netflow for Vlan 10 (server vlan). I will have to double check the reports to confirm whether the information is uni or bidirectional.
The thing I am missing is netflow traffic from other user vlans on the 6509 going to remote sites. We would like to include this information in our security reports.
Thanks again
11-28-2011 11:10 AM
Configured those Vlans with 'ip flow ingress'.
If you configure any incoming traffic into the switch with 'ip flow ingress' then you won't miss any data.
11-28-2011 11:24 AM
Thanks for the reply,
I will configure ip flow ingress on these VLANs and send some test traffic to a remote site; I hope I will get the required output. I will post the results tomorrow.
Thanks again.
11-29-2011 04:16 AM
Thanks a lot.
After configuring those VLANs with ip flow ingress, I was able to get netflow for traffic leaving the users' VLAN. But I would like to understand the concept here. Isn't this traffic considered egress (since it exits the user VLAN), so shouldn't it not be reported?
Another question
I asked the admin of the router at the remote site to enable netflow on his router (7206VXR) to capture ingress netflow statistics coming out of the 6509's Server VLAN (10) at my site and forward it to the netflow collector I am using. I wanted to compare the results to what the 6509 is reporting.
The 6509 and the remote 7206 router reported roughly the same volume of traffic leaving Server A in the Server VLAN (10) and entering remote Server B via the 7206 router. But the graphical presentation of the output (see attachment) was quite different. It seems that sampling is higher on the 7206 and lower on the 6509, since the total bytes transferred seem to be added up (y axis - 14 MB vs 440 MB) in the 6509 output. Isn't that right?
Thanks again
11-29-2011 07:08 AM
Applying 'ip flow ingress' on the user vlan will capture traffic coming from the users.
Think of a Vlan as a physical port connected to a user machine. Traffic from the user machine will be treated as ingress while traffic going to the user machine will be treated as egress.
You think the traffic is leaving the Vlan but actually is traffic entering the Vlan.
Sorry, I don't have an answer to the 2nd question. They should report the same statistics unless traffic is being dropped.
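To make the direction rule from this reply concrete, here is an added model (not from the thread, not Cisco code) of ingress-only flow accounting on 6500 SVIs: a flow is exported only when the VLAN it enters the switch from has 'ip flow ingress', and the user VLAN number 20 and the hosts are assumed for illustration.

```python
"""Model of ingress-only NetFlow accounting on 6500 VLAN interfaces (SVIs).

Constructed example, not Cisco code. A flow is recorded only when the VLAN the
packets *enter the switch from* has 'ip flow ingress'. Unicast egress accounting
is not modelled because the thread states the 6500 does not support it.
"""
from dataclasses import dataclass

TRANSIT_VLAN = 9    # ASA-facing transit VLAN from the thread
SERVER_VLAN = 10    # server VLAN from the thread
USER_VLAN = 20      # assumed user VLAN; the thread does not name one


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    in_vlan: int    # VLAN the packets arrive on (from hosts or from the ASA)
    out_vlan: int   # VLAN the packets are forwarded onto
    octets: int


def direction(flow: Flow, vlan: int) -> str:
    """Direction of a flow as seen from one SVI.

    Traffic arriving from hosts on that VLAN is ingress; traffic the switch
    forwards onto that VLAN (e.g. towards the ASA on VLAN 9) is egress.
    """
    if flow.in_vlan == vlan:
        return "ingress"
    if flow.out_vlan == vlan:
        return "egress"
    return "not on vlan"


def exported_flows(flows, ingress_vlans):
    """Flows the switch exports with 'ip flow ingress' on the given VLANs."""
    return [f for f in flows if direction(f, f.in_vlan) == "ingress"
            and f.in_vlan in ingress_vlans]


def missed_flows(flows, ingress_vlans):
    """Flows that touch monitored VLANs only on egress, so are never exported."""
    return [f for f in flows if f.in_vlan not in ingress_vlans]


# Constructed traffic: user -> remote enters on the user VLAN and leaves on VLAN 9;
# the reply enters on VLAN 9 (from the ASA) and leaves on the user VLAN.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.99.0.7", USER_VLAN, TRANSIT_VLAN, 4_000_000_000),
    Flow("10.99.0.7", "10.20.0.5", TRANSIT_VLAN, USER_VLAN, 120_000),
    Flow("10.10.0.8", "10.99.0.9", SERVER_VLAN, TRANSIT_VLAN, 250_000_000),
    Flow("10.99.0.9", "10.10.0.8", TRANSIT_VLAN, SERVER_VLAN, 9_000_000),
]

if __name__ == "__main__":
    for vlans in ({TRANSIT_VLAN, SERVER_VLAN}, {TRANSIT_VLAN, SERVER_VLAN, USER_VLAN}):
        seen = [(f.src, f.dst) for f in exported_flows(SAMPLE_FLOWS, vlans)]
        print(f"ip flow ingress on {sorted(vlans)} exports: {seen}")
```

With ingress accounting on VLANs 9 and 10 only, the user-to-remote flow is the one missed, exactly as the original poster observed; adding VLAN 20 to the set captures it.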
11-29-2011 10:08 AM
Thanks for the explanation.
As for the second question, I feel it might be that the 7206 router sends netflow at a much faster rate than the 6509, thus explaining the low MBs transferred per interval and more frequent reporting (almost every minute), or flows are larger in the 6500 but are segmented once they reach the 7206, or it might be a netflow application software thing. I will check it out with the Solarwinds people.
Thanks again