05-17-2006 09:04 AM
On a sup720 with vlan interfaces, is it possible to monitor with netflow properly?
Right now I am but it doesn't seem that I am getting the full flow of traffic through the vlan interface. Now, I know there is layer2 and layer3 operations and netflow only sees the layer3 operation. My regular interface traffic monitoring on one of the interfaces shows upwards of 500mb of traffic (both directions) but the netflow only shows about 700kb.
That's a pretty hefty difference for it to be all layer2...
Still, there is this command that I have applied that I thought might handle most of the layer2 as well:
ip flow ingress layer2-switched vlan (vlans)
but alas I am still not seeing what I desire. I do hate the "mls netflow sampling" command applied to each vlan interface. We have no physical layer3 interfaces on these switches.
05-17-2006 01:23 PM
I am getting substantial data from netflow on my 6500s/720s. I'll paste out some other commands on ours; I forget the exact commands which finished the puzzle, it was a long time ago.
mls aging long 64
mls aging normal 32
mls flow ip interface-full
Interface command:
ip flow ingress
But I think that "mls flow ip interface-full" and "mls netflow sampling" help complete it.
05-19-2006 08:35 AM
Netflow and NDE need to be configured on both the MSFC and the PFC in order to receive all routed/switched traffic.
To enable netflow collection and NDE on the PFC:
Router(config)# mls netflow
Router(config)# mls flow ip full
Router(config)# mls nde sender version 5
To enable netflow collection and NDE on the MSFC:
Router(config)# interface {vlan vlan_ID}
Router(config-if)# ip flow-export ingress
Router(config)# ip flow-export destination ip_address udp_port_number
To display the NDE address and port configuration:
Router# show mls nde
Router# show ip flow export
Also, some limitations to netflow collection include:
-In PFC3A mode or with releases earlier than Release 12.2(18)SXE, NDE collects statistics only for routed traffic.
Remove any configurations for netflow sampling to receive all flow data.
I hope this helps.
-m2
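Added example, not part of the thread or any poster's code: a collector-side check for the version 5 NDE export discussed above. It decodes v5 datagrams, totals exported octets per input ifIndex for comparison with interface counters, counts flows lost in transit from flow_sequence gaps, and reports the header's sampling field. The datagrams are constructed test data, and that the exporter fills in the sampling field is an assumption.

```python
import struct
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode one v5 export datagram; reject anything malformed (UDP input is untrusted)."""
    if len(datagram) < HDR.size:
        raise ValueError("shorter than a v5 header")
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, samp = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if not 1 <= count <= 30 or len(datagram) != HDR.size + count * REC.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"input_if": f[3], "packets": f[5], "octets": f[6]})
    # sampling field: top 2 bits are the mode, low 14 bits the interval
    return {"sequence": seq, "sampling_mode": samp >> 14,
            "sampling_interval": samp & 0x3FFF, "flows": flows}

def summarize(datagrams):
    """Sum exported octets per input ifIndex and count flows lost between datagrams."""
    octets, missed, expected, sampled = defaultdict(int), 0, None, False
    for d in datagrams:
        p = parse_v5(d)
        sampled = sampled or p["sampling_mode"] != 0
        # flow_sequence counts flows, so the next header should read seq + count
        if expected is not None and p["sequence"] != expected:
            missed += (p["sequence"] - expected) & 0xFFFFFFFF
        expected = (p["sequence"] + len(p["flows"])) & 0xFFFFFFFF
        for f in p["flows"]:
            octets[f["input_if"]] += f["octets"]
    return {"octets_by_input_if": dict(octets), "missed_flows": missed, "sampled": sampled}

def build_v5(seq, samp, flows):
    """Constructed test data only: pack (input_if, packets, octets) tuples as a v5 datagram."""
    out = HDR.pack(5, len(flows), 0, 0, 0, seq, 0, 0, samp)
    for ifidx, pkts, octs in flows:
        out += REC.pack(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x00" * 4,
                        ifidx, 0, pkts, octs, 0, 0, 1024, 80, 0x18, 6, 0, 0, 0, 24, 24)
    return out

# Constructed sample: the second datagram skips 3 flows and is marked sampled (mode 1, 1 in 100).
SAMPLE = [build_v5(100, 0, [(42, 10, 1500), (42, 5, 700)]),
          build_v5(105, (1 << 14) | 100, [(43, 1, 64)])]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non-zero missed_flows points at loss between exporter and collector, while a large gap against interface counters with missed_flows at zero points back at what the switch is exporting.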
06-27-2006 08:25 AM
It's taken a while for me to get this straightened out but I finally have it.
The recommendations above are correct but not complete.
So for full netflow information to be exported the following configuration will do it - the caveat is that the NDE process hits the CPU on the router pretty hard:
ip flow ingress layer2-switched vlan
mls aging long 64
mls aging normal 32
mls flow ip interface-full
mls nde sender
ip flow-export source Loopback0 <-(Can be any interface - specifying an interface seems to make it more reliable)
ip flow-export destination
Sample interface config:
interface Vlan1042
description DATABASE
ip address IP/Mask
ip flow ingress <--(Needed to Capture inbound statistics)
ip route-cache flow
Now the problem I have is that the Export process hits my CPU pretty hard; I'm concerned about it so I turned sampling back on which pretty much makes netflow suck.
Any other input is appreciated. It seems that with sampling off taking full netflows I get a CPU utilization of about 20-30% (total) whereas with sampling the NDE doesn't really hurt the CPU and I have normal utilization of about 10% (even an unutilized sup720 runs at about 10%).
Why oh why can't the NDE be done in hardware?!?!