Netflow with 6509 & Un-Configured Interfaces

DirtySouth

We recently configured Netflow on a couple of our 6509 core switches. I'm trying to reconcile what I'm seeing in NTA, what is configured on my switches and what I'm reading in Cisco & SolarWinds documentation. I don't think the switches are configured exactly as they should be, but I'd like to get some input.

We initially only wanted to see Netflow data on a single VLAN interface, so I configured "ip flow ingress" on that particular VLAN interface. The strange thing is that I'm seeing Netflow data in NTA on all of the VLAN interfaces, but no physical interfaces. I'm not sure how that is possible since I didn't configure "ip flow XXX" or "ip route-cache flow" on any of those interface VLANs.

Switch Config:

no mls acl tcam share-global

mls aging long 64

mls aging normal 64

mls netflow interface

mls flow ip interface-full

mls nde sender version 5

mls qos map cos-dscp 0 10 18 24 34 46 48 56

mls qos

mls cef error action freeze

!

ip flow-cache timeout active 1

ip flow ingress layer2-switched vlan 902

mls netflow interface

mls flow ip interface-full

ip flow-export source Vlan100

ip flow-export version 5

ip flow-export destination <IP> <Port>

!

My other question is, I don't really want to collect statistics in NPM for VLAN interfaces. I really only care about utilization & errors on physical interfaces. Since I have to be monitoring the VLAN interface in order to use NTA, can I just remove the statistics & availibility monitoring in NPM for each of those VLAN interfaces?

shuth

I don't know about configuring a 6509 but my understanding is you won't receive Netflow data in NTA for a physical interface if that interface is not Layer 3 (doesn't have an IP address) as Netflow is a Layer 3 technology. You will receive the Netflow data for the VLAN sub-interfaces as they are configured with IP addresses. I also believe that if you enable Netflow on a physical interface, it will override the subinterface configuration and collect data from all subinterfaces.

Taken from: NetFlow Subinterface Support; [Cisco IOS Software Releases 12.2 T] - Cisco Systems

Using the NetFlow Subinterface Support feature, you can enable NetFlow on selected subinterfaces using the ip flow ingress command. If you configure the ip flow ingress command on a few selected subinterfaces and then configure the ip route-cache flow command on the main interface, enabling the main interface will overwrite the ip flow ingress command and data collection will start from the main interface as well as all the subinterfaces. In a scenario in which you configure the ip flow ingress command and then configure the ip route-cache flow command on the main interface, you can restore subinterface data collection by using the no ip route-cache flow command. This configuration will disable data collection from the main interface and restore data collection to the subinterfaces you originally configured with the ip flow ingress command.

Regarding the VLAN statistics/availability, I can only think of the following:

- VLAN statistics collection.

You can disable the collection of interface statistics (traffic utilisation, etc) on a per interface basis in the List Resources configuration window. This may affect the utilisation stats of the interface in NTA.

1. 1. 1. Either via the Node Details page or Manage Nodes, locate the node and click List Resources.
      2. Find the interface and expand the tree by clicking on the + symbol.
      3. Uncheck the box for "Interface Traffic Statistics". (Physical interfaces also list Interface Error Statistics here as well but I don't believe VLANs will).

- Availability monitoring.

A Solarwinds representative will have to confirm this but I don't believe it is possible to disable the availability monitoring of an interface without making it unmanaged. I think NTA will generate an event saying the node is unmanaged but I don't have anything available to test this with. You could set the interface as unpluggable by editing the interface in Node Management and selecting "Display interface as unplugged rather than down". This won't generate an alert if the interface goes down. On the same settings page, you could also lengthen the time in between polling for availability (up to 32767 seconds, just over 9 hours).

If there is an easier solution to the VLAN statistics/availability monitoring I would also be interested.