I've been reading many of the netflow posts online here, but haven't found one that is satisfying this situation. Here are relevant lines (I think) from our 6509 config.
interface Vlan1
ip address 10.1.1.2 255.255.0.0
ip flow ingress
ip route-cache policy
end
All VLANS have "ip flow ingrress", not all have "route-cache policy". Here are the global settings:
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination [OrionIPaddr] 2055
Orion is set-up to monitor the 6509 using 10.1.1.2 IP address, and all VLANs and physical interfaces. I have used show snmp mib ifmib ifindex to verify that the newest VLANs created on the 6509 are being monitored by Orion (that I haven't missed any). We are using Orion 9.1 sp3 and Netflow 3.0sp3. Some IP flow information is verified being reported to Orion.
This is the show ip flow export info:
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 10.1.1.2 (Vlan1)
Destination(1) [OrionIPaddr] (2055)
Version 5 flow records
4942560 flows exported in 216359 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to Card not being able to export
Here is the beginning of sho ip cache flow:
Displaying software-switched flow entries on the MSFC in Module 5:
IP packet size distribution (6372958 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.001 .782 .082 .007 .004 .026 .003 .001 .001 .000 .001 .000 .001 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .001 .001 .078 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
35 active, 4061 inactive, 10053212 added
252220025 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33992 bytes
35 active, 989 inactive, 10052402 added, 10052402 added to flow
1622 alloc failures, 198 force free
1 chunk, 7 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 297 0.0 108 41 0.0 15.0 14.8
TCP-FTP 240 0.0 7 56 0.0 1.5 5.5
TCP-WWW 108714 0.0 1 180 0.0 0.0 13.4
TCP-SMTP 293 0.0 123 1156 0.0 2.9 2.6
TCP-X 1 0.0 1 52 0.0 0.0 15.0
TCP-other 4600720 1.1 1 180 1.3 0.0 15.4
UDP-DNS 2710 0.0 1 64 0.0 0.2 15.4
UDP-NTP 68764 0.0 1 76 0.0 0.0 15.5
UDP-TFTP 96 0.0 2 59 0.0 4.2 15.5
UDP-other 99694 0.0 4 102 0.1 4.5 15.4
ICMP 61795 0.0 4 122 0.0 1.9 15.4
IGMP 6 0.0 1 35 0.0 1.9 15.6
GRE 10 0.0 6 131 0.0 4.5 15.7
IP-other 57 0.0 1628 40 0.0 1741.2 1.0
Total: 4943397 1.2 1 174 1.6 0.1 15.3
So you can see that flows are being created. Orion is receiving flow information. for example, from the top-5 Applications:
| Application | Total Bytes | Total Packets | Percent |
| | telnet protocol over TLS/SSL (992) | 12.3 Gbytes | 25.5679 M packets | 59.27% |
But, under top 5 domains, only a single domain -- our internal domain -- is being listed, despite that I know we have cross-domain traffic. There are other informational items that are missing... a huge file (45 MB) was transferred from a VLAN 1 computer to another branch, but that conversation is not showing up under top XX conversations (even though a conversation of just 110KB does make the list).
Does anyone have any idea why some flow data would be respresented, but not all of it?
Thanks, Eric
