For those of you that haven't seen it, the new Incredible Hulk movie looks freaking awesome. I guess maybe it comes with the territory when you're as geeky as I am but I absolutely love superhero movies. I've probably watched the trailers for this and the new Batman movie a hundred times each...
Of course, in doing so I'm chewing up precious bandwidth and probably causing some of our executives to wonder why their VoIP calls to our other offices are so jittery, but hey, how often does a new Incredible Hulk movie trailer get released? And seriously, our QoS deployment should protect against this - or at least, protect against normal users doing this :)
Anyways, I digress. As you know, one of the cool things that you can do with NetFlow is to measure how much of your network traffic is actually people like me geeking out on superhero movie trailers. I had a situation last week where a company was using Orion and our NetFlow module and they weren't seeing the data that they thought they'd be seeing. Long story short, they were trying to watch the traffic in and out of the ports on one of their core switches. It was a Cisco Catalyst 4503 running IOS and all of the ports were a part of the same VLAN. Most of the traffic never left the subnet - meaning it was all switched traffic. Now, my understanding of NetFlow was that you're only able to see traffic that crosses layer 3 boundaries - i.e. inter-VLAN or routed traffic. This was also the opinion of the engineer at the Cisco TAC that the company had been working with, so my first reaction had me ready to say that it wasn't possible and move on to the next case.
The company wasn't pleased with this information and really needed the layer 2 traffic detail and I got the impression that I "wouldn't like them when they're angry" so I started digging deeper. I am fortunate enough to know a few of the product managers at Cisco including the PM over NetFlow so I called in a favor to find out if there was any way to do this. I learned several things...
First, on the 4503 running IOS version 12.2(40)SG or later this IS POSSIBLE!!! There are some new commands that I'd never even heard of. Specifically:
ip flow ingress (which we've all probably used before and enables the routed flows)
ip flow ingress layer2-switched (whoa there hoss - this was totally new to me)
ip flow ingress infer-fields
Once these commands were turned on, sure enough we started seeing the layer 2 switched traffic via NetFlow. This is totally cool. I was hoping to see it allocated to the port that it went in/out of, which didn't happen, but you can get around this by viewing it by either the connected device or by using an address group for the connected devices in the case of a downstream switch. Secondly, I also saw that some of the traffic was associated with the EOBC interface. I'll send a SolarWinds shirt to the first person that adds a comment explaining what this is - and yes I know what it is so I will be verifying the answers :)
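If you want to check for yourself that the switched traffic is really showing up in the export (and how much of it is intra-subnet versus routed), here is a small added example, not from the post or from Orion, that decodes a NetFlow v5 datagram and tallies bytes by whether both endpoints sit in the local VLAN's subnet. It assumes the exporter sends v5 records and uses a constructed datagram for input.

```python
import struct
import ipaddress
from collections import Counter

# NetFlow v5 wire layouts, network byte order: 24-byte header, 48-byte records.
_HDR = struct.Struct("!HHIIIIBBH")
_REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Return (src, dst, octets, in_ifindex, out_ifindex) for each record."""
    version, count = _HDR.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    flows = []
    for i in range(count):
        f = _REC.unpack_from(datagram, _HDR.size + i * _REC.size)
        # f[0]=srcaddr f[1]=dstaddr f[3]=input f[4]=output f[6]=dOctets
        flows.append((ipaddress.IPv4Address(f[0]), ipaddress.IPv4Address(f[1]),
                      f[6], f[3], f[4]))
    return flows


def classify(flows, local_subnet):
    """Sum octets into 'switched' (both ends in local_subnet) vs 'routed'."""
    net = ipaddress.IPv4Network(local_subnet)
    tally = Counter()
    for src, dst, octets, _, _ in flows:
        tally["switched" if src in net and dst in net else "routed"] += octets
    return tally


def build_sample():
    """Constructed datagram: two intra-VLAN flows and one flow leaving it."""
    recs = [("10.1.1.10", "10.1.1.20", 500000),   # constructed addresses
            ("10.1.1.11", "10.1.1.12", 250000),
            ("10.1.1.10", "198.51.100.5", 80000)]
    body = b"".join(
        _REC.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                  b"\0\0\0\0", 1, 2, 10, o, 0, 1000, 49152, 80,
                  0, 0x18, 6, 0, 0, 0, 24, 24, 0)
        for s, d, o in recs)
    return _HDR.pack(5, len(recs), 0, 0, 0, 0, 0, 0, 0) + body


if __name__ == "__main__":
    print(classify(parse_v5(build_sample()), "10.1.1.0/24"))
```

Point it at a real exporter by reading UDP datagrams off the collector port and feeding each one to parse_v5; if the switched bucket stays at zero after enabling the commands, the layer 2 export is not reaching you.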
Anyhow, I thought this was definitely worth sharing. If you've got any experience with using NetFlow to monitor layer 2 traffic shout it out to the group...