Netflow on SUP720

Konstantin Dunaev · ‎06-26-2007

Hi,

I'm trying to implement Netflow on our SUP720 with "time sampled" option with following configuration:

ip flow-cache timeout active 1

mls flow ip interface-destination-source

mls nde sender version 5

mls sampling time-based 1024

sh mls sampling

Time-based Sampling is Enabled

1 out of 1024 packets is being sampled

Sampling Interval and Period is 8 millisec per 8192 millisec

interface XXX

ip route-cache flow

mls netflow sampling

I'm using the flow-tools to gather and store the netflow data on the disk and then export them into database.

The problem is that I get quite a lot of information in netflow datafiles, much much bigger as expected. It seems that the "time sampled" netflow exporting doesn't work and the whole netflow data are exported.

Is there any problems in my configration that can lead to this misbehaviour?

avmabe · ‎06-27-2007

how are you analyzing the flow-files? flowscan I assume? You need to make sure flowscan is also treating the data like it is sampled.

How big is a five minute file?

Konstantin Dunaev · ‎06-27-2007

Hi,

we're using the "flow-capture" "flow-export" tools to analyse the data and these tools take the netflow "as is" and simply export all flows which are in the netflow datafiles.

The 1 minute row Netflow data thst we get from the router (we export the data every minute) is about 2MB, in compare with our GSR's netflow which have only 40KB.

I've actually found out the reason:

it seems that sampled netflow export works on SUP720 only for "mls flows" and not for "ip cache flows". for "ip cache flows" all flows are exported.

I've put away the "ip route cache" command from the interface configuration and now I'm getting the sampled netflow data and the one minute file is around 30KB, as it should be.

I think it's the case for Cisco TAC, they should update the documentation at least and point out this feature.

Best