02-20-2007 04:26 PM
Hi all,
I am trying to configure netflow on a 6509 w/ Sup 720 3BXL to send accounting data to a management server. I have netflow configured (see below) and "ip route-cache flow" set on all of my major interfaces. Netflow data is being sent to the management server, however I am only seeing about 100 Packets/s when I should be seeing in the 100,000s Packets/s range (additionally we are pushing over a gigabit of traffic and netflow reports barely anything).
What am I missing here?
Thanks in advance,
Max
ip flow-cache entries 131072
ip flow-cache timeout active 5
mls rp ip
mls ip multicast flow-stat-timer 9
mls aging fast time 30 threshold 64
mls aging long 900
mls aging normal 32
no mls netflow
mls flow ip interface-full
no mls flow ipv6
mls nde sender version 5
no mls acl tcam share-global
mls cef error action freeze
ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-export destination x.x.x.x 9995
02-20-2007 08:24 PM
Hi
It is because of the CEF. Only the first few packets go to your Sup Engine for routing and the following packets bypass it and do switching.
That is the reason why you do not see the full picture. If you really, really must see the full picture, you may like to disable CEF, which is not recommended.
HTH.
Rate if help.
Cheers
02-20-2007 08:27 PM
Hi,
Disabling CEF is definitely not a direction that I can take - is there seriously no way to get full accounting out of this device?
-Max
02-20-2007 09:51 PM
Hi Max
According to my experience, the answer is No.
Normally, I would monitor NetFlow traffic at Router instead.
Cheers
02-21-2007 12:15 AM
I have a Cat 6506 with Supervisor Engine 32. I have the same problem. My collector doesn't show the full picture of traffic. Tell me what the consequences will be if I turn off IP CEF.
And which option should I remove ?
Cat6505(config)#no ip cef ?
accounting Enable CEF accounting
distributed Distributed Cisco Express Forwarding
event-log CEF event log commands
interface CEF linecard commands
linecard CEF linecard commands
load-sharing Load sharing
nsf Set CEF non-stop forwarding (NSF) characteristics
table Set CEF forwarding table characteristics
traffic-statistics Enable collection of traffic statistics
02-21-2007 05:12 PM
Hi
You cannot disable CEF on the C6500 series according to the configuration guide. It is permanently enabled. But in other mid-range switches, you can enable/disable CEF.
I am not sure whether you can run both CEF and MLS together, as both technologies are similar in nature, and yet CEF is better in terms of performance.
Why don't you try to get NetFlow data from another distribution layer or the WAN edge instead of the core layer? Just my $0.02!!
Cheers.
02-21-2007 01:58 AM
Hello,
don't disable CEF!!! Enable mls netflow option and set mls nde export.
mls flow ip interface-full
mls nde sender version 5
mls netflow
That's all. This enables export of flows that are "switched" by the supervisor. In your configuration only the first packet of the flow is exported! You can also enable inter-VLAN netflow export (but be careful when you enable it, because it can send a huge number of netflow exports...).
Have a nice day,
Jan Nejman
Caligare Co.
02-21-2007 08:08 PM
Device's config:
ip flow-cache entries 10000
ip flow-cache timeout active 1
ip flow ingress layer2-switched vlan 198
mls ip multicast flow-stat-timer 9
mls aging long 300
mls aging normal 120
mls flow ip interface-full
no mls flow ipv6
mls nde sender version 5
mls sampling time-based 64
no mls acl tcam share-global
mls cef error action freeze
..
system flowcontrol bus auto
..
ip flow-export source GigabitEthernet2/1
ip flow-export version 5
ip flow-export destination 10.0.2.2 9996
..
Also, it has a lot of VLAN interfaces. Every such interface has the line: ip route-cache flow
In addition, the Cat has a few interfaces with subinterfaces. For example, there are Giga2/1 and Giga2/2 with a lot of subinterfaces. Giga2/1 and Giga2/2 have the line:
ip route-cache flow
But I still haven't seen full statistics, as before.
02-21-2007 08:12 PM
Also, I have interface Vlan15 with the line ip route-cache flow, but I have never seen traffic for this interface, although other VLAN interfaces are present in the statistics.
What is wrong ?
P.S. ip cef works
02-21-2007 08:20 PM
And should I turn on ip flow ingress on every interface ?
02-22-2007 08:38 AM
Jan,
This definitely improved the situation - however it looks like I am still getting truncated data (i.e. packets show in the 200-300k range and when I look at the interface I am doing 800k+ inbound & outbound). Does the Sup aggregate or truncate data in a way I should be aware of?
Thanks,
Max
02-22-2007 10:56 AM
Hello,
can you send me your interface configuration? Which command are you using to get packet utilization on your interface, and which software (or Cisco command) are you using to collect netflow information?
Jan Nejman
Caligare Co.
02-22-2007 11:04 AM
Jan,
I am using "show interface x" to get the interface statistics (also, when we compare to SNMP via Cacti, the netflow numbers are low). I am running nfsen (so netflow v. 1.5.2) on a FreeBSD box as my collector. The nfcapd command is below as well.
Thanks,
Max
/usr/local/bin/nfcapd -w -D -I router01 -p 9995 -u www -g www -B 200000 -l /usr/local/var/nfsen/profiles/live/router01 -P /usr/local/var/nfsen/run/router01.pid -x /usr/local/bin/nfprofile -q -p /usr/local/var/nfsen/profiles -s router01 -r %d/%f
#show interfaces po 2
Port-channel2 is up, line protocol is up (connected)
Hardware is EtherChannel, address is 0007.b355.5800 (bia 0007.b355.5800)
Internet address is x.x.x.x/30
MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s
input flow-control is off, output flow-control is on
Members in this channel: Gi7/7 Gi7/8
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:14, output 00:00:14, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 854510
Queueing strategy: fifo
Output queue: 0/40 (size/max)
1 minute input rate 1823532000 bits/sec, 969988 packets/sec
1 minute output rate 1714853000 bits/sec, 901492 packets/sec
L2 Switched: ucast: 41946 pkt, 2774528 bytes - mcast: 1996 pkt, 161608 bytes
L3 in Switched: ucast: 169986842127 pkt, 33679708457144 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 158253133760 pkt, 37291080296637 bytes mcast: 0 pkt, 0 bytes
169937081618 packets input, 33669816565275 bytes, 0 no buffer
Received 15232 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
158222255755 packets output, 37284177837380 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
02-22-2007 11:57 AM
Hello,
can the nfsen program log how many netflow exports were received? If yes, compare the 'show mls nde' counters with the nfsen logs. Maybe nfsen lost some packets (flows). I think that your configuration is OK at this time.
You will always see more packets via SNMP, because SNMP counts all layer 2 packets. NetFlow has "only" L3 packets... some L2 traffic can be lost (i.e. ARP requests etc.), but this can be 5% at maximum.
Jan Nejman
Caligare Co.
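The check Jan suggests above, comparing what the Sup exported with what the collector actually received, can be done directly on the NetFlow v5 datagrams, because every v5 header carries a running flow_sequence counter: a hole in that series means an export datagram was dropped between the switch and nfcapd. The following is an added example, not code from the thread, from nfsen/nfdump or from Cisco: it parses NetFlow v5 datagrams of the kind 'mls nde sender version 5' / 'ip flow-export version 5' produce, tallies packets and bytes per input ifIndex, decodes the sampling field, and counts flows missing from the sequence series. The datagrams it runs on are constructed inline for the demonstration; the small build_v5() helper exists only to create them and does not mimic how the Sup720 populates the fields. Scaling sampled counters by the sampling interval is the usual collector convention and is an assumption here, not something the thread states.

```python
"""NetFlow v5 parser with per-ifIndex tallies and export-loss detection.

Added example, not from the original thread, nfsen/nfdump, or Cisco.
Sample datagrams below are constructed for the demonstration.
"""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header, then up to 30 fixed 48-byte
# flow records, all fields big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts",
                 "doctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def decode_sampling(field):
    """Split the v5 sampling field: top 2 bits = mode, low 14 bits = interval."""
    return (field >> 14) & 0x3, field & 0x3FFF


def parse_v5(datagram):
    """Return (header dict, list of record dicts); raise ValueError on bad input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError("not NetFlow v5: version %d" % hdr["version"])
    if hdr["count"] > 30:  # hard limit of the v5 format
        raise ValueError("bad record count %d" % hdr["count"])
    needed = V5_HEADER.size + hdr["count"] * V5_RECORD.size
    if len(datagram) < needed:  # never trust the announced count blindly
        raise ValueError("truncated datagram: %d records announced" % hdr["count"])
    records = []
    for i in range(hdr["count"]):
        off = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, off)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        records.append(rec)
    return hdr, records


def build_v5(flow_sequence, flows, sampling=0, engine_id=0):
    """Constructed test exporter (hypothetical; not how the Sup720 fills fields).
    flows: (src, dst, input_if, output_if, pkts, octets, proto, sport, dport)."""
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, b"\0\0\0\0",
                       inp, out, pkts, octets, 0, 0, sport, dport,
                       0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, inp, out, pkts, octets, proto, sport, dport in flows)
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, flow_sequence, 0, engine_id, sampling)
    return header + body


def audit(datagrams):
    """Walk datagrams in arrival order. Returns (per-input-ifIndex tallies,
    number of flows missing from the flow_sequence series)."""
    per_if = defaultdict(lambda: {"flows": 0, "pkts": 0, "octets": 0})
    lost = 0
    expected = None
    for dg in datagrams:
        hdr, recs = parse_v5(dg)
        if expected is not None:
            gap = hdr["flow_sequence"] - expected
            if gap > 0:          # positive gap = flows exported but never received
                lost += gap      # (negative = UDP reordering, ignored here)
        expected = hdr["flow_sequence"] + hdr["count"]
        mode, interval = decode_sampling(hdr["sampling"])
        scale = interval if mode and interval else 1  # assumption: scale sampled counters
        for r in recs:
            bucket = per_if[r["input"]]
            bucket["flows"] += 1
            bucket["pkts"] += r["dpkts"] * scale
            bucket["octets"] += r["doctets"] * scale
    return dict(per_if), lost


# Constructed sample: three exports from one engine. The sequence numbers
# leave a hole of 2 flows between the second and third datagram, i.e. one
# export carrying two records never reached the collector.
SAMPLE = [
    build_v5(0, [("10.0.0.1", "10.0.1.1", 51, 60, 1000, 1_500_000, 6, 443, 51234),
                 ("10.0.0.2", "10.0.1.1", 51, 60, 400, 60_000, 17, 53, 40000)]),
    build_v5(2, [("10.0.1.1", "10.0.0.1", 60, 51, 900, 120_000, 6, 51234, 443)]),
    build_v5(5, [("10.0.0.3", "10.0.1.2", 51, 60, 10, 1_000, 1, 0, 0)]),
]

if __name__ == "__main__":
    tallies, missing = audit(SAMPLE)
    for ifindex, t in sorted(tallies.items()):
        print("input ifIndex %d: %d flows, %d pkts, %d octets" % (ifindex, t["flows"], t["pkts"], t["octets"]))
    print("flows missing from sequence series:", missing)
```

If a nfcapd-fed collector shows far fewer packets than 'show interface', and this kind of sequence audit on a capture of the UDP/9995 stream reports no missing flows, the shortfall is not transport loss; it is the exporter not accounting for the traffic in the first place, which is what the 'mls netflow' change addresses. The 'input' and 'output' fields in each record are the SNMP ifIndex values the switch chose for the flow, so tallying on them is also the way to see which interface (physical port or VLAN) the Sup is attributing flows to.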
02-26-2007 10:25 AM
I'm running pretty much the same thing as maxclark...
- Supervisor Engine 720 (Active) WS-SUP720-3B
- cisco WS-C6509-E (R7000) processor
nfcapd/nfsen as the collector box.
The one thing I can't figure out is that all the flows I am collecting are reported with an ifIndex pointing to a VLAN interface. What I am looking for is per-interface stats.
For example, all traffic passes through GigabitEthernet2/27 (ifIndex 51), but none of the flows report any traffic from or to interface 51. I have tried multiple configs. Is there anything special that needs to be done? Can the 6509-E give per-interface stats?