Search 85,811 posts and 651 resources contributed by 43,478 members or post a topic.

Already Joined? Sign in
Not getting all flows from cisco 6509.

Page 1 of 1 (11 items) | RSS

rated by 0 users
Answered (Not Verified) This post has 0 verified answers | 10 Replies | 0 Followers | 708 Views


6 Posts
Points 21
joe3231 posted on Wed, Jun 24 2009 10:24 PM
rated by 0 users

I am not getting all flows from cisco 6509. www traffic is not showing in charts. Could it be the IOS version issue or the config issue?

 

cisco 6509, running IOS Version 12.1(11b)E12, Sup 2

following commands are configured
ip flow-export source GigabitEthernet1/1
ip flow-export version 5
ip flow-export destination 10.0.100.14 2055
mls aging long 64
mls aging normal 64
mls flow ip full
mls nde sender

interfaces have ip route-cache flow configured.

The nde sender version on the 6509 only support version 7.

  • | Post Points: 8

All Replies


363 Posts
Points 1,097
Thwack MVP
Donald_Francis replied on Thu, Jun 25 2009 9:47 AM
rated by 0 users

From your config I think you are missing:

mls netflow

As well as possibly:

ip flow ingresss layer-2switched vlan

ip flow export layer2-switched vlan

Donald Francis
Sr. Network Engineer
 The Shaw Group

NPM SLX 3 Pollers 14000 elements
APM SLX 2000 elements
NCM 3000 1300 devices
Netflow SLX 300 interfaces

  • | Post Points: 3

6 Posts
Points 21
joe3231 replied on Thu, Jun 25 2009 10:00 AM
rated by 0 users

I forgot to type in mls netflow in the message. By doing show run, mls netflow doesn't show. I have put in the mls netflow in the config. I am only getting udp, netbios and telnet traffic on the SolarWinds netflow collector but on the 6509 netflow cache I am getting a lot more (ex http). 

The 6509 doesn't support layer 2 netflow. I don't have those command in the IOS.

  • | Post Points: 3

278 Posts
Points 2,466
SolarWinds Certified Professional
Thwack MVP
kweise replied on Thu, Jun 25 2009 10:06 AM
rated by 0 users

The 6509s do support layer 2 netflow, but your version of IOS doesn't.  The layer 2 support didn't show up until 12.3(14)T.

  • | Post Points: 3

6 Posts
Points 21
joe3231 replied on Thu, Jun 25 2009 10:18 AM
rated by 0 users

I can confirm the layer 2 netflow is my IOS version issue. How about the layer 3 netflow? I am getting every on the netflow cache but not all protocol are showing up in the collector. Could it be the NDE version issue? Does SolarWinds support NDE version 7?

  • | Post Points: 3

1,000 Posts
Points 5,477
SolarWinds Certified Professional
Yann replied on Thu, Jun 25 2009 10:38 AM
rated by 0 users

joe3231:
Does SolarWinds support NDE version 7?

No. NetFlow v5 and v9 only.

  • | Post Points: 3

6 Posts
Points 21
joe3231 replied on Thu, Jun 25 2009 10:59 AM
rated by 0 users

What I understand is Netflow version and NDE version is independent. I can have netflow running version 9 while NDE on version 5. Please correct me if I am wrong.

In my case I am running netflow version 5 and NDE version 7.

  • | Post Points: 3

1,000 Posts
Points 5,477
SolarWinds Certified Professional
Yann replied on Thu, Jun 25 2009 11:17 AM
rated by 0 users

It seems to be the same concept as per what I read, only words are different. NDE sender version is used for Catalyst and NetFlow Version for IOS.

on CatOS, it is set using the command mls nde sender version 5/7

on IOS, ip flow-export version 5/7/9

CatOS:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/nde.html#wp1052896

IOS:

http://www.cisco.com/en/US/docs/ios/solutions_docs/netflow/nfwhite.html#wp1030098

 

I am not at all a cisco guru so I could be wrong too :).

 

joe3231:
  www traffic is not showing in charts

Are endpoints using proxy for www traffic ? This could explain the issue.

  • | Post Points: 3

6 Posts
Points 21
joe3231 replied on Thu, Jun 25 2009 12:09 PM
rated by 0 users

Here is the example I use from Cisco. 

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080721701.shtml

The NDE is for PFC, ip flow-export is for MSFC.

There is no proxy for the www traffic. To make sure the test is accurate I plug in my laptop directly on the 6509 on a physical layer 3 port (not vlan port). 

I found this doc in SolarWinds site

http://www.solarwinds.com/support/Netflow/docs/OrionNetFlowSwitches.pdf

Note: Due to significant differences in the 

availability of the commands required to enable 

NetFlow and NetFlow Data Export, SolarWinds 

does not support the use of Cisco IOS versions 

older than 12.2(18)SXD.

I am running 12.1(11b)E12. Will someone be able to confirm this is the issue I am having.

 

  • | Post Points: 3

1,000 Posts
Points 5,477
SolarWinds Certified Professional
Answered (Not Verified) Yann replied on Fri, Jun 26 2009 5:30 AM
rated by 0 users
Suggested by Elisabeth Zakes

Hi,

I am not sure if this is your issue, upgrading the IOS to the latest version will for sure eliminate the doubt of a too old version.

Here are two steps you could do to further troubleshoot:

1) Use the free tool "NetFlow Real-Time" and review if you are getting different results.

http://www.solarwinds.com/products/freetools/netflow_analyzer.aspx

2) Run a Wireshark trace, decode the packets using the CFLOW protocol parser and check in the PDUs description if you can find HTTP traffic using e.g. the below display filter:

cflow.dstport == 80

 

HTH,

Yann

 

  • Post Points: 3

6 Posts
Points 21
joe3231 replied on Fri, Jun 26 2009 8:34 AM
rated by 0 users

That's pretty cool trick. Let me try it out. Thanks.

  • | Post Points: 1
Page 1 of 1 (11 items) | RSS

© 2003 - 2010 SolarWinds, Inc. All Rights Reserved.

Who is SolarWinds?

SolarWinds is rewriting the rules for how companies manage their networks. Guided by a global community of network engineers, SolarWinds develops simple and powerful network management software and network monitoring software for networks of all sizes. SolarWinds also offers a network certification program to become a SolarWinds Certified Professional (SCP).

What is thwack?

thwack, SolarWinds online community site, was designed by network engineers, for network engineers. thwack is a vibrant, growing community of more than 30,000 IT pros who share a passion for technology.

Explore Resources, Answers, Templates, and Advice

Download Free Networking Tools

Learn More About SolarWinds Products