I am attempting to collect netflow statistics from a Cisco ME 6524 switch with MPLS configured on it. The scenario is an MPLS core of 3 devices (all 6524s) and off one of the PEs is a customer link by VRF. I wish to collect netflow info from that customer link and export it to a Solarwinds collector. Attached are the relevant parts of the 6524 config I am using plus output of some show commands. What is happening is that the NDE is only sending records of the software netflow table, which is just the OSPF flows and my telnet session flows. When you look at the output of "show ip cache flow", the hardware table has all the entries I want to export - but they aren't being exported. Have I missed something critical? I have run Wireshark on the collector and can see the NDE packets arrive but only with 1-2 flow records for OSPF and Telnet as above. Any help greatly appreciated in advance.
Cisco ME 6524 L3 switch running version 12.2(33)SXH with PFC3C and MSFC2A
Can you add ip route-cache flow on int g1/31 ?
Also can you add : mls nde interface ?
The Cisco ME 6524 netflow commands are the same as those for the 7600 :
Do you have ingress bridged ip traffic in vlans ?
After enabling those 2 commands, please send along :
show ip flow export
show mls nde
As per my post attachment and config, both of those commands are already done. Here is the output of your requested 'show' commands.
PE1#sh ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : 6
Source(1) 10.24.131.1 (GigabitEthernet1/31)
Destination(1) 10.24.12.34 (2055)
Version 5 flow records
302 flows exported in 210 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to Card not being able to export
PE1#sh mls nde
Netflow Data Export enabled
Exporting flows to 10.24.12.34 (2055)
Exporting flows from 10.24.131.1 (62186)
Layer2 flow creation is disabled
Layer2 flow export is disabled
Include Filter not configured
Exclude Filter not configured
Total Netflow Data Export Packets are:
4558 packets, 0 no packets, 92127 records
Total Netflow Data Export Send Errors:
IPWRITE_NO_FIB = 0
IPWRITE_ADJ_FAILED = 0
IPWRITE_PROCESS = 0
IPWRITE_ENQUEUE_FAILED = 0
IPWRITE_IPC_FAILED = 0
IPWRITE_OUTPUT_FAILED = 0
IPWRITE_MTU_FAILED = 0
IPWRITE_ENCAPFIX_FAILED = 0
IPWRITE_CARD_FAILED = 0
Netflow Aggregation Disabled
My original attachment definitely shows the output you requested but I have done this again for you. The two commands you ask to be input were already in the config so adding them again is superfluous. I have removed them and added them again for the sake of it though. Thanks for looking at this.
There are no VLANs being bridged. What is there is an MPLS network on the provider interfaces G1/2 and G1/5, then a customer routed link on G1/31. This means traffic comes in on the customer interface as IP and is then incorporated into a specific VRF and then transmitted via MPLS out of the provider interfaces. I just need to capture the netflow IP data from the customer link and VRF.
Sorry. Also, the command "ip route-cache flow" is superseded in this version and appears in the config as "ip flow ingress".
Let's try netflow sampling to see if it makes any difference :
Router# configure terminal
Router(config)# mls sampling packet-based 64
Router(config)# interface g x/y
Router(config-if)# mls netflow sampling
Done! How does sampling help me though? I already have the data I want in the PFC but it won't export.
Displaying hardware-switched flow entries in the PFC (Standby) Module 1:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi1/31 172.24.4.42 Gi1/2 10.20.16.86 06 0A67 0B97 1918
-- 0.0.0.0 --- 0.0.0.0 00 0000 0000 38K
Gi1/31 172.24.4.22 Gi1/2 10.21.12.65 06 04E0 27BB 292
Gi1/31 172.24.12.16 Gi1/5 172.18.51.173 06 1F90 08A0 7
Gi1/31 10.24.12.36 Gi1/2 172.18.162.180 06 1BE8 C756 189
Gi1/31 172.24.4.22 Gi1/2 192.168.129.65 06 8E14 0401 184
Gi1/31 10.24.4.74 Gi1/5 10.8.51.4 11 6922 441A 517
Gi1/31 10.161.20.172 Gi1/5 172.18.52.167 06 170D 07CB 727
Gi1/31 10.24.4.74 Gi1/5 10.8.54.59 11 691C 7BF8 517
Gi1/31 10.24.12.50 Gi1/2 10.21.12.51 06 FDBD 0185 12
Gi1/31 10.24.4.74 Gi1/2 10.18.99.7 06 07D0 C45A 1
Gi1/31 10.24.131.21 Gi1/5 172.18.53.218 11 0202 0202 62
Gi1/31 10.24.12.36 Gi1/2 172.18.146.180 06 0CEA 1BE8 1
Gi1/31 10.24.12.36 Gi1/2 172.18.114.180 06 1BE8 D1DE 82
Gi1/31 10.24.12.30 Gi1/5 172.18.52.166 06 01BD 0757 7571
Gi1/31 172.24.12.16 Gi1/2 172.18.162.66 06 1F90 0A29 81
Gi1/31 10.24.12.30 Gi1/2 172.18.146.75 06 01BD 062F
I'm asking you to try those, as I am looking to see if we may be hitting a bug.
Can you see if you can type the hidden command :
mls nde export direct
Entered the "hidden" command but it does not appear in the config. Results of your requested command -
PE1.STLD#sh mls net table det
Earl in Module 1
Detailed Netflow CAM (TCAM and ICAM) Utilization
TCAM Utilization : 0%
ICAM Utilization : 0%
Netflow TCAM count : 171
Netflow ICAM count : 0
Netflow Creation Failures : 0
Netflow CAM aliases : 0
I will attempt the version 7 change now but have already tried version 9 with no success.
I can change the version with the command "mls nde sender version 7" but am unable to set "ip flow-export version 7" as I am restricted to versions 1, 5 or 9 only.
PS: I am still not receiving the full flow data on my collector.
Your mpls mtu is 1512. When you take a packet capture, can you check the packet mtu? Isn't the packet mtu 1608 bytes?
The only other thing I can suspect is that there has been a leak somewhere of packets. NetFlow needs packets to export. Therefore, the lack of export of packets is a symptom of the packet leak.
NetFlow could be a cause as well as a symptom or something else could be the cause.
If the mtu doesn't help, gather the show buffers leak and please open a TAC case to troubleshoot this further.
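Added example (not part of the thread, and not Cisco or SolarWinds code): a NetFlow v5 export datagram parser for checking at the collector which flows the NDE packets actually carry, separating the OSPF and Telnet records described in the first post from everything else. The sample datagrams, ifIndex values and the OSPF/Telnet addresses are constructed; one record reuses a flow from the hardware table output above.

```python
import socket
import struct
from collections import Counter

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return (header dict, list of flow dicts) for one v5 export datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, _, _, _, seq, etype, eid, _ = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("header record count exceeds datagram length")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "pkts": f[5],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return {"count": count, "seq": seq, "engine_type": etype, "engine_id": eid}, flows

def classify(flow):
    # OSPF is IP protocol 89; Telnet is TCP (6) with port 23 on either side.
    if flow["proto"] == 89:
        return "ospf"
    if flow["proto"] == 6 and 23 in (flow["sport"], flow["dport"]):
        return "telnet"
    return "other"

def summarize(datagrams):
    """Count exported records per class across captured datagrams."""
    tally = Counter()
    for d in datagrams:
        tally.update(classify(f) for f in parse_v5(d)[1])
    return dict(tally)

def build_v5(records, seq=0):
    # Test helper: (src, dst, in_if, out_if, pkts, sport, dport, proto) tuples.
    body = b"".join(
        REC.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, i, o, p,
                 p * 64, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 0, 0, 0)
        for s, d, i, o, p, sp, dp, pr in records)
    return HDR.pack(5, len(records), 0, 0, 0, seq, 0, 0, 0) + body

# Constructed samples: what the collector saw vs. a flow from the hardware table.
SEEN = build_v5([("192.0.2.1", "224.0.0.5", 2, 0, 12, 0, 0, 89),
                 ("192.0.2.10", "192.0.2.1", 2, 0, 40, 51000, 23, 6)])
WANTED = build_v5([("172.24.4.42", "10.20.16.86", 31, 2, 1918, 0x0A67, 0x0B97, 6)], 2)
```

Feed it the UDP payloads from the collector-side capture; if `summarize` never reports `other`, only the software-table flows are reaching the collector.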