Cisco Support Community

Netflow on 6500 with SPA module


I am trying to monitor ingress traffic on a 6509 with a SPA module configured in a crypto connect manner.

The captured traffic is still encrypted, which does not show any detailed analysis.

Does anyone know how to get to the unencrypted traffic emanating from the tunnel side?


Netflow on 6500 with SPA module

Have you tried enabling NetFlow on the interface that forms the tunnel source and on the interface where the tunnel terminates? That should capture traffic prior to encryption and help with some analysis.


Regards, Don Thomas Jacob Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

Netflow on 6500 with SPA module

Adding this here in the hope that a broader audience can help:
The default behavior of NetFlow is that when you enable NetFlow on the physical interface associated with a tunnel, the packets are captured before encryption and you will be able to see the details of the IP conversation. You can capture at either the tunnel source or destination to see packets either before encryption or after decryption.

I am not sure why the behavior will be different with SPA. But here is what I think could be a possible explanation (I could be wrong and so you may want to verify) (source:

Overview of the IPsec VPN SPA

The IPsec VPN SPA is a Gigabit Ethernet IP Security (IPsec) cryptographic SPA that you can install in a Catalyst 6500 Series switch to provide hardware acceleration for IPsec encryption and decryption, generic routing encapsulation (GRE), and Internet Key Exchange (IKE) key generation.

Note Software-based IPsec features are not supported in any Cisco IOS releases that support the IPsec VPN SPA.

The traditional software-based implementation of IPsec in Cisco IOS supports the entire suite of security protocols including Authentication Header (AH), Encapsulating Security Payload (ESP), and IKE. The resources consumed by these activities are significant and make it difficult to achieve line-rate transmission speeds over secure virtual private networks (VPNs). To address this problem, certain platforms with large VPN bandwidth requirements support bump-in-the-wire (BITW) IPsec hardware modules in conjunction with the hardware forwarding engines. These modules off-load policy enforcement, as well as bulk encryption and forwarding, from the route processor (RP) so that it is not required to look at each packet coming through the switch. This frees up resources that can be used for session establishment, key management, and other features. The IPsec VPN SPA provides a bump-in-the-wire (BITW) IPsec implementation using virtual LANs (VLANs) for a Catalyst 6500 Series switch.

Note BITW is an IPsec implementation that starts egress packet processing after the IP stack has finished with the packet and completes ingress packet processing before the IP stack receives the packet.

From the last "Note", I think the BITW implementation encrypts even before NetFlow captures the raw IP conversations, and so you still see encrypted traffic with NetFlow and not the pre-encrypted traffic like in other tunnel modes.

Can someone confirm if this is true, or what does that actually mean?

And then again, I hope the below config may capture the traffic from the 6500 device:

mls netflow
mls nde sender version 7
mls aging long 64
mls aging normal 32

if you have Supervisor Engine 720:

mls flow ip interface-full
mls nde interface

And then for bridged traffic,

ip flow ingress layer2-switched vlan {vlan-list}   // I am hoping these two commands will capture the pre-encrypted traffic
ip flow export layer2-switched vlan {vlan-list}

And then for the MSFC:

ip route-cache flow   // Execute on all the L3/VLAN interfaces
ip flow-export destination {ip_address} 2055   // IP address of the NetFlow server
ip flow-export source {interface}   // Interface through which NetFlow packets are exported, e.g. Loopback
ip flow-export version 5
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist


Regards, Don Thomas Jacob Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.
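One practical way to settle the question raised in this thread (is the exporting interface seeing traffic before or after the SPA encrypts it?) is to look at what the NetFlow v5 export actually contains: a post-encryption vantage point shows only ESP (protocol 50), AH (protocol 51), IKE (UDP 500) and NAT-T (UDP 4500) flows between the two tunnel endpoints, while a pre-encryption vantage point shows the inner host-to-host conversations. The script below is an added example written for this page, not code from the original poster or from Cisco; it parses the v5 datagram format that the `ip flow-export version 5` line above would send to port 2055, and the sample export is constructed inline (the 203.0.113.x/198.51.100.x endpoints and 10.x.x.x inner hosts are assumed, not taken from the thread).

```python
"""
Parse a NetFlow v5 export datagram and separate IPsec envelope flows
(ESP, AH, IKE, NAT-T) from cleartext inner conversations.

Added example for this thread. SAMPLE_EXPORT is constructed here, not
captured from the 6500 discussed above.
"""
import socket
import struct
from collections import Counter

# NetFlow v5 wire format (RFC 3954 appendix / Cisco docs): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")                # version, count, uptime, secs, nsecs, seq, engine_type, engine_id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in, out, pkts, octets, first, last, sport, dport, pad, flags, prot, tos, src_as, dst_as, smask, dmask, pad

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORTS = {500, 4500}   # ISAKMP and NAT-T (UDP 4500 also carries ESP-in-UDP)


def build_v5_export(records):
    """Pack (src, dst, proto, sport, dport, pkts, octets) tuples into a v5 datagram.
    Only used here to construct sample input; a real exporter fills the other fields."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, proto, sport, dport, pkts, octets in records:
        body += V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), b"\x00" * 4,
            1, 2,                # input / output ifIndex (assumed values)
            pkts, octets,
            0, 0,                # first / last sysUptime
            sport, dport,
            0, 0,                # pad1, tcp_flags
            proto, 0,            # prot, tos
            0, 0, 0, 0, 0)       # src_as, dst_as, src_mask, dst_mask, pad2
    return header + body


def parse_v5_export(datagram):
    """Return a list of flow dicts from one NetFlow v5 datagram; rejects other versions."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 export (version={version})")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "pkts": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows


def classify(flow):
    """Label a flow 'ipsec-esp', 'ipsec-ah', 'ike' (IKE or NAT-T), or 'cleartext'."""
    if flow["proto"] == PROTO_ESP:
        return "ipsec-esp"
    if flow["proto"] == PROTO_AH:
        return "ipsec-ah"
    if flow["proto"] == PROTO_UDP and (flow["sport"] in IKE_PORTS or flow["dport"] in IKE_PORTS):
        return "ike"
    return "cleartext"


def summarize(datagram):
    """Per-class flow and octet counts. If nothing lands in 'cleartext' except
    management traffic, the exporting interface sits after the SPA's encryption."""
    counts, octets = Counter(), Counter()
    for flow in parse_v5_export(datagram):
        label = classify(flow)
        counts[label] += 1
        octets[label] += flow["octets"]
    return counts, octets


# Constructed sample: tunnel endpoints 203.0.113.1 / 198.51.100.1 plus one inner flow.
SAMPLE_EXPORT = build_v5_export([
    ("203.0.113.1", "198.51.100.1", PROTO_UDP, 500, 500, 4, 1200),         # IKE negotiation
    ("203.0.113.1", "198.51.100.1", PROTO_ESP, 0, 0, 900, 1_200_000),      # ESP envelope
    ("198.51.100.1", "203.0.113.1", PROTO_UDP, 4500, 4500, 300, 40_000),   # NAT-T
    ("10.1.1.10", "10.2.2.20", PROTO_TCP, 51234, 443, 120, 90_000),        # inner conversation
])

if __name__ == "__main__":
    counts, octets = summarize(SAMPLE_EXPORT)
    for label in counts:
        print(f"{label:10s} flows={counts[label]:3d} octets={octets[label]}")
```

Point a UDP listener on port 2055 at the export stream and feed each datagram to `summarize()`: an export taken from the WAN-side VLAN of a BITW SPA setup will be almost entirely `ipsec-esp`/`ike` bytes between the two endpoints, whereas an export from the inside VLAN (the side the second answer above suggests enabling `ip flow ingress layer2-switched vlan` on) should show the `cleartext` inner hosts.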