For those of you that haven't seen it, the new Incredible Hulk movie looks freaking awesome. I guess maybe it comes with the territory when you're as geeky as I am but I absolutely love superhero movies. I've probably watched the trailers for this and the new Batman movie a hundred times each...
Of course, in doing so I'm chewing up precious bandwidth and probably causing some of our executives to wonder why their VoIP calls to our other offices are so jittery, but hey, how often does a new Incredible Hulk movie trailer get released? And seriously, our QoS deployment should protect against this - or at least, protect against normal users doing this :)
Anyways, I digress. As you know, one of the cool things that you can do with NetFlow is to measure how much of your network traffic is actually people like me geeking out on superhero movie trailers. I had a situation last week where a company was using Orion and our NetFlow module and they weren't seeing the data that they thought they'd be seeing. Long story short, they were trying to watch the traffic in and out of the ports on one of their core switches. It was a Cisco Catalyst 4503 running IOS and all of the ports were a part of the same VLAN. Most of the traffic never left the subnet - meaning it was all switched traffic. Now, my understanding of NetFlow was that you're only able to see traffic that crosses layer 3 boundaries - i.e. interVLAN or routed traffic. This was also the opinion of the engineer at the Cisco TAC that the comany had been working with so my first reaction had me ready to say that it wasn't possible and move on to the next case.
The company wasn't pleased with this information and really needed the layer 2 traffic detail and I got the impression that I "wouldn't like them when they're angry" so I started digging deeper. I am fortunate enough to know a few of the product managers at Cisco including the PM over NetFlow so I called in a favor to find out if there was any way to do this. I learned several things...
First, on the 4503 running IOS version 12.2(40)SG or later this IS POSSIBLE!!! There are some new commands that I'd never even heard of. Specifically:
ip flow ingress (which we've all probably used before and enables the routed flows)
ip flow ingresslayer2-switched (whoa there hoss - this was totally new to me)
ip flow ingress infer-fields
Once turning on these commands sure enough we started seeing the layer 2 switched traffic via NetFlow. This is totally cool. I was hoping to see it allocated to the port that it went in/out of, but you can get around this by viewing it by either the connected device or using an address group for the connected devices in the case of a downstream switch. Secondly, I also saw that some of the traffic was associcated with the EOBC interface. I'll send a SolarWinds shirt to the first person that adds a comment explaining what this is - and yes I know what it is so I will be verifying the answers :)
Anyhow, I thought this was definitely worth sharing. If you've got any experience with using NetFlow to monitor layer 2 traffic shout it out to the group...
Flame on...Josh
I believe the EOBC is the ethernet management interface on the switch.
Dude,
That was fast. Yes, it's the "Ethernet Out of Band Controller" which is effectively the ethernet management interface. E-mail me your address and shirt size - headgeek@solarwinds.com
Josh
Aww man, didnt think of trying that on the4500. I need to update the IOS on it. Weve been using it on the 6500 RE:
www.cisco.com/.../products_configuration_example09186a0080721701.shtml
and I'm thinking of setting up monitoring the view the load balancing coming out of our ACE Module. In our data center, I now have the Cisco AVS on the head-end pointing to the ACE module which is load balancing two Peoplesoft web servers and want to play with some ways to view the traffic. For the app monitor I think it would be good to post some sample logon scripts to logon to some of the popular ERP type systems such as Oracle, Peoplesoft, Sharepoint,etc.
I should've also mentioned that in addition to upgrading the IOS on the 4500 we also had to replace the SUP-2 with a SUP-IV and ad a NetFlow services card. I believe that with a SUP-V you can skip the extra daughter card.
The SUP-V supports netflow with a daughter card however the SUP-V-10GE supports netflow onboard. Also the new SUP-6 does not support netflow even with a daughter card :(