
netflow on 6500 native mode help

I'm looking for some pointers from someone who has gotten this working correctly. The 6509 (native mode) is configured as shown in this page from Cisco:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080721701.shtml#confios1
 

I think we are pretty close because I see the flow data I want (userA -> serverB on portC) when running show mls netflow ip [..] - so the pfc/mls side for netflow is set up and collecting as shown on the 6509 itself, but not all of those flows show up in Orion. I'm specifically looking for a telnet session from a user in vlan A hitting a server in vlan B - that flow is in the data output from show mls netflow, along with many other user connections, same server, same port. In Orion, all I see for flows on either vlan interface are some bootp and netbios traffic - no tcp traffic at all, and not the flows I see listed in show mls netflow. I'm not completely missing data, because I get this little dribble of bootp/netbios, but I don't seem to have any of the data from the pfc.

 

For configuration, we have done everything in the above link for native mode with the exception of the NDE and optional configuration sections.  We did not do the NDE section because the doc says this:

"If you use the NetFlow data collector to store the historical NetFlow traffic, you need to configure the NDE on the Catalyst 6500 Switch."

Since we don't want to store historical netflow data on the switch itself, but instead have Orion store it - we don't need this - or am I reading this incorrectly? 

Is there something I'm missing that would relate to the export of that data over to Orion, and would account for some traffic showing up but not all, even when it's in the output of show mls netflow?

 

Thanks for the help!

  • I'm no 65XX specialist... but it looks like the doc is saying that you can look at the NF data real time using the cli or if you use a collector you need the NDE. Collectors are generally thought of as historical reporters. Whether the collector is historical or real time is a function of the collector, not the exporter (65XX switch).

  • We are seeing the same issue, however it's only happening on one of our 6500s. We're seeing all the flows on all configured 6500s, with the exception of one of our 6500s. The configuration has been reviewed numerous times, and we reread the Cisco material on netflow. We even performed a NAM (packet capture) of the export itself. It seems all interesting flow info (i.e. tcp) is indeed being exported to Orion, but is not being properly interpreted by Orion-NetFlow. Rather, we're primarily seeing only the UDP traffic as well as traffic that is parsed through ACLs. Hopefully that's a clue. This behaviour is only happening on one of our many 6500s.

  • This is what I used on all of my 6509s and they appear to be collecting all data:

    ip flow-cache timeout active 1
    !
    mls aging fast time 8 threshold 127
    mls aging normal 32
    mls flow ip full
    no mls flow ipv6
    mls nde sender version 7
    !
    interface Vlan???
     description **???**
     ip address ???.???.???.??? ???.???.???.???
     ip pim sparse-dense-mode
     ip route-cache flow
     ip igmp snooping mrouter interface GigabitEthernet1/48
    !
    interface Vlan???
     description **???**
     ip address ???.???.???.??? ???.???.???.???
     ip pim sparse-dense-mode
     ip route-cache flow
     mls netflow sampling
    !
    interface Vlan???
     description **???**
     ip address ???.???.???.??? ???.???.???.???
     ip helper-address ???.???.???.???
     ip flow ingress
     ip pim sparse-dense-mode
     ip route-cache flow
     mls netflow sampling
    !
    ip flow-export source Vlan???
    ip flow-export destination ???.???.???.???
    !
    end

    mls aging fast time 8 threshold 127
    mls aging normal 32
    mls flow ip full
    mls nde sender version 7

    interface vlanx
    ip route-cache flow

    ip flow-export destination ???.???.???.??? ????
    ip flow-export source vlanx

  • I think you are missing the NDE portion.  This command in particular if I get what you are saying.

    MLS NDE SENDER VERSION x

  • Hi, can anyone tell me if SolarWinds Netflow is able to support outgoing traffic on the Cisco 6509, please?

    Thanks, Chris
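
For the capture check described in the thread (confirming whether the TCP flows seen in show mls netflow are actually in the export that reaches the collector), here is an added example that is not from any poster or from Cisco or SolarWinds. It parses NetFlow v5 and v7 export datagrams (v7 being what `mls nde sender version 7` selects) and tallies flows per export version and protocol; the function names and the sample flows are constructed for illustration, and the record layouts assumed are the fixed v5 (48-byte) and v7 (52-byte) formats.

```python
import socket
import struct
from collections import Counter

HEADER_LEN = 24                      # v5 and v7 headers are both 24 bytes
RECORD_LEN = {5: 48, 7: 52}          # v7 records carry an extra 4-byte router_sc
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_export(datagram):
    """Return (version, flows) for one NetFlow v5/v7 export datagram (UDP payload)."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than export header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    rec_len = RECORD_LEN.get(version)
    if rec_len is None or len(datagram) < HEADER_LEN + count * rec_len:
        raise ValueError(f"unsupported version or truncated datagram (v{version})")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * rec_len
        src, dst = struct.unpack_from("!4s4s", datagram, off)
        sport, dport = struct.unpack_from("!HH", datagram, off + 32)
        proto = datagram[off + 38]   # protocol byte sits at offset 38 in v5 and v7
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport,
                      "proto": PROTO_NAMES.get(proto, str(proto))})
    return version, flows

def tally(datagrams):
    """Count flows per (export version, protocol) across captured datagrams."""
    counts = Counter()
    for d in datagrams:
        version, flows = parse_export(d)
        counts.update((version, f["proto"]) for f in flows)
    return counts

def build_sample(version, flows):
    """Constructed test input: pack (src, dst, sport, dport, proto) tuples."""
    body = b""
    for src, dst, sport, dport, proto in flows:
        rec = bytearray(RECORD_LEN[version])
        rec[0:4], rec[4:8] = socket.inet_aton(src), socket.inet_aton(dst)
        struct.pack_into("!HH", rec, 32, sport, dport)
        rec[38] = proto
        body += bytes(rec)
    return struct.pack("!HH", version, len(flows)) + bytes(HEADER_LEN - 4) + body

# Constructed samples: one v7 telnet flow, two v5 UDP flows (bootp, netbios)
SAMPLES = [build_sample(7, [("192.0.2.10", "198.51.100.20", 40000, 23, 6)]),
           build_sample(5, [("192.0.2.11", "255.255.255.255", 68, 67, 17),
                            ("192.0.2.12", "192.0.2.255", 137, 137, 17)])]
```

Feeding it the UDP payloads from a capture taken at the collector shows which export version each TCP flow arrives in, which separates "not exported" from "exported but not displayed".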