7 Replies Latest reply on Feb 20, 2008 2:47 PM by SurreySolar

    Unable to view user's traffic

    lchang

      I have configured netflow on the Cisco Cat 6500 (CatOS and IOS) and the Internet routers. I can see users come up on the list of top endpoints, but when I click on them, all I see for their top conversation is their VLAN's broadcast IP.  I would like to be able to see what they're doing, like going to yahoo, etc... Here's how things are setup:


      #mls  (nde version 7; it doesn't support 5)
      set mls flow full
      set mls nde 10.10.10.10 2055
      set mls agingtime 8
      set mls agingtime fast 8 127
      set mls nde enable


      on MSFC:


      ip route-cache flow (under the VLAN)


      ip flow-export source VlanX
      ip flow-export version 5
      ip flow-export destination 10.10.10.10 2055


      Any suggestions would be much appreciated.


       Lily

        • Re: Unable to view user's traffic

          Setting up net flow for a hybrid 6500 is confusing. While you normally would have to run the command Ip route-cache flow on the msfc, thats not going to give you the correct output.


          When switching packets between VLANs, it doesn't actually traverse the msfc so all your going to get is that vlan traffic. The commands you would run:



          set mls flow full
          set mls nde x.x.x.x 9996
          set mls agingtime 32
          set mls agingtime ipx 32
          set mls agingtime fast 64 0
          set mls nde enable


          MSFC cofig:


          ip flow-export version 5
          ip flow-export destination x.x.x.x 9996


          Once that is completed, you have to add catos portion of the switch to the system manager. So if the msfc is 10.0.0.1, and the swtich is 10.0.0.2, make sure that 10.0.0.2 is added and the the interfaces managed as well.


           Then wait about 3-4 minutes and go to the netflow website, and add Netflow sources, you should be able to see the device and the interfaces sending NDE data to your server. Let me know if that helps.


            • Re: Unable to view user's traffic
              lchang

              I have changed the configs to match what you have given me and have added the netflow sources on the website. On the website, I see the 6509, but it is italicized. When I click on it, there is not traffic coming in on the VLANs.

                • Re: Unable to view user's traffic

                  I am experiencing the same issue with latest netflow module. I opened new case with Orion but they have no clue about it. To prove my point I installed another collector on different machine and I can see all flows including user activities but Orion only shows me more broadcast traffic. I thought I had configured something wrong on 6509 but I am seeing lot more data on another collector so it has to be Orion issue.

                  The case ID is 32668.
                    • Re: Unable to view user's traffic

                      I am experiencing the same issue with latest netflow module. I opened new case with Orion but they have no clue about it. To prove my point I installed another collector on different machine and I can see all flows including user activities but Orion only shows me more broadcast traffic. I thought I had configured something wrong on 6509 but I am seeing lot more data on another collector so it has to be Orion issue.

                      The case ID is 32668.



                      I recommend ensuring that all interfaces for the 6509 are managed by Orion and added into the Orion Network Traffic Analzyer.  If you start collecting data, then the issue was related to not managing the ingress interface, which is requirement for the Orion Network Traffic Analzyer.  You can then remove interfaces from the Orion Network Traffic Analyzer that are not reporting data.