02-27-2007 03:03 AM - edited 03-05-2019 02:35 PM
Hi,
I am playing with something I don't really understand, so feel free to call me a muppet.
I am trying to set up netflow on 6500's and applied the following config
set mls flow destination-source
set mls bridged-flow-statistics enable 1,3,10-19,31-36,40,50,54,80-81,96-98,101-104,110-113,120,136,139,142,144,149-159,201-211,401-402,700,800,810-814,850,900-952,999
set mls nde <ip_address> 9991
set mls agingtime long-duration 1920
set mls agingtime 256
set mls agingtime ipx 256
set mls nde enable
When I did this I got traffic on my Netflow collector (Crannog Netflow Tracker), but this didn't include layer 4 port information.
After a bit of reading I changed the flow mask to full-flow with
"set mls flow full"
When I did this, the netflow collector showed one export of traffic including layer 4 ports, then the export from the 6500 dropped from 600Mbs ish to 40Kbs.
I then put the flow back to dest-source and the same thing happened.
Now according to netflow I only have kbs of traffic going through my 6500, which is clearly wrong.
How do I get layer 4 info out of the 6500??
02-27-2007 06:53 AM
You need to place the command "ip route-cache flow" on the L3 interfaces you want netflow statistics collected from.
02-27-2007 07:45 AM
Try the 'show mls nde' and 'show mls debug' commands to see how many netflow packets are exported. It is also recommended to set netflow export on the MSFC card (http://netflow.caligare.com/configuration_ios.htm) to export the first packet of the flow. Ensure that you have synchronized time between the collector and your device (the best choice is to configure NTP). If you enable export from bridged VLANs, many netflow exports will be sent to the collector. Check on your server that all packets are received (and not dropped due to an overloaded server). In your case it can be over 1000 netflow packets/s!
Have a nice day,
Jan Nejman
Caligare Co.
02-27-2007 07:55 AM
I have figured out that my problem is to do with the aging time of the flows, specifically the long agingtime. If I reduce this from 1920 secs then the flows get sent to the netflow collector more regularly.
What is the optimum setting for this??
02-27-2007 08:04 AM
Hello,
Optimal values depend on your policy. If you want to see data more quickly (not with a 1/2 hour delay), I prefer long aging 300 sec and normal aging 120 sec. But if you decrease these values, more load will be on the collector. So be careful when you modify these values :-). For billing applications, long aging 1920 is OK in many cases. But for real-time network anomaly detection it is too late.
Regards,
Jan Nejman
Caligare Co.
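
The trade-off discussed in this thread, as an added example that is not code from any poster, Cisco or Caligare: it compares the original timers (long aging 1920 s, normal aging 256 s) with the suggested 300 s / 120 s. The aging model is a simplifying assumption, and the traffic sample and the function names `flow_exports` and `collector_view` are constructed for illustration.

```python
# Added illustration: simplified model of NetFlow flow aging (assumption, not
# vendor code). A flow record is exported either when the entry has been active
# for `long_aging` seconds, or `normal_aging` seconds after its last packet.

def flow_exports(start, end, rate_bps, long_aging, normal_aging):
    """Yield (export_time, first_packet_time, bytes) records for one flow."""
    seg = start
    while end - seg >= long_aging:        # long-duration timer fires
        yield seg + long_aging, seg, rate_bps * long_aging // 8
        seg += long_aging
    if end > seg:                         # remainder ages out once idle
        yield end + normal_aging, seg, rate_bps * (end - seg) // 8

def collector_view(flows, long_aging, normal_aging, now):
    """Return (bytes reported to the collector by `now`, worst reporting lag)."""
    reported, worst_lag = 0, 0
    for start, end, rate_bps in flows:
        for t_export, t_first, nbytes in flow_exports(
                start, end, rate_bps, long_aging, normal_aging):
            if t_export <= now:
                reported += nbytes
                worst_lag = max(worst_lag, t_export - t_first)
    return reported, worst_lag

# Constructed sample traffic: (start_s, end_s, bits_per_second)
FLOWS = [
    (0, 3600, 8_000_000),   # one-hour bulk transfer at 1 MB/s
    (10, 40, 800_000),      # short flow
    (100, 130, 800_000),    # short flow
]

if __name__ == "__main__":
    for label, long_aging, normal_aging in (("1920/256", 1920, 256),
                                            ("300/120", 300, 120)):
        for now in (600, 4000):
            seen, lag = collector_view(FLOWS, long_aging, normal_aging, now)
            print(f"aging {label} at t={now}s: {seen:>13,} bytes reported, "
                  f"worst lag {lag}s")
```

Ten minutes in, the 1920 s timer has reported only the two short flows while the bulk transfer stays invisible to the collector; with 300 s the same traffic is reported within five minutes, at the cost of more export records.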