Re: Enable IPv6 Cisco Netflow on 6509E VSS

hon-cheong.wong · ‎05-16-2011

Dear all,

Recenetly, I get involved the implmentation IPv6 Cisco Netwflow collector utility to capture the ipv6 netflow data from Cisco 6509E-VSS (Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI5, RELEASE SOFTWARE (fc2)
) infrastructure. In typically, I already add the below command line to the device:

===================================================================================================

ip flow ingress layer2-switched vlan 15,18
mls netflow interface
mls flow ip interface-full
mls nde sender version 5
mls cef error action reset

ip flow-export source Vlan15
ip flow-export version 5
ip flow-export destination 10.1.15.22 9996

interface Vlan15
ip address 10.1.15.254 255.255.255.0
ip flow ingress
ip flow egress
ipv6 address FD00::15:FE/112

===================================================================================================

As per checking using comand 'show ip cache verbose flow', I cannot foundany IPv6 netflow traffic are being cached in the devices but when I issue another command 'show mls netflow ipv6', I can found the IPv6 netflow being captured in the MLS. By the way, can I know how to export the MLS ipv6 netflow data to the collector utility as I found the exported netlfow seem to be came from flow cache only with the above command. Please advise any additonal command is required to enable this request ?

===================================================================================================

VSS6509#show ip cache verbose flow

-------------------------------------------------------------------------------

Displaying software-switched flow entries on the MSFC in Module 1/5:

IP packet size distribution (606872 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .145 .262 .022 .002 .001 .000 .000 .004 .000 .002 .001 .003 .001 .005

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .543 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
3 active, 4093 inactive, 65858 added
1450667 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33992 bytes
3 active, 1021 inactive, 58516 added, 58516 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow /Pkt     /Sec     /Flow     /Flow
TCP-Telnet         423      0.0        97    45      0.0      28.2      10.6
TCP-WWW              2      0.0         3   116      0.0       4.5      15.6
TCP-SMTP           435      0.0         2    49      0.0       9.1      15.4
TCP-other           51      0.0         1   214      0.0       3.1      15.5
UDP-DNS           3739      0.0         2    60      0.0       9.9      15.5
UDP-NTP          27676      0.0         2    76      0.0       0.0      15.4
UDP-other        29997      0.0         5   103      0.2       0.3      15.4
ICMP              3527      0.0        94 1310      0.5      95.7      14.7
IGMP                 5      0.0         5    40      0.0       0.9      15.5
Total:           65855      0.1         9   761      0.9       6.1      15.4

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk Active
Vl18           10.1.22.68      Local          10.1.14.254     01 00 10     238
0000 /22 0                     0800 /24 0     0.0.0.0              1328   240.2

Vl15 10.1.15.34 Local 10.1.15.254 11 C0 10 1
007B /24 0 007B /24 0 0.0.0.0 76 0.0

Vl18 10.1.22.18 Local 10.1.20.254 06 00 18 246
E5A7 /22 0 0017 /22 0 0.0.0.0 40 76.5

-------------------------------------------------------------------------------

Displaying hardware-switched flow entries in the DFC Module 1/5:
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active

Vl15 10.1.15.254 Vl15 10.1.15.34 11 00 00 1
007B /0 0 007B /0 0 0.0.0.0 0 0.0

Vl18 10.1.22.18 --- 10.1.20.254 06 00 00 0
E5A7 /22 0 0017 /22 0 0.0.0.0 0 0.0

:

VSS6509#show mls netflow ipv6
Displaying Netflow entries in Active Supervisor EARL in module 1/5
DstIP                                   SrcIP
-------------------------------------------------------------------------------
Prot:SrcPort:DstPort   Src i/f          :AdjPtr
Pkts        Bytes       Age LastSeen   Attributes
------------------------------------------------------------------------------------------
FD00::18:29                             FD00::18:FE
icmp:1               --               :0x0
360         49626       1598 19:39:15   L2 - Dynamic
FE80:12::C5A9:DE9E:95D6:17BB            FE80::AEA0:16FF:FE0A:61C0
icmp:136             --               :0x0
33          2112        1593 19:39:11   L2 - Dynamic
FEC0:0:0:FFFF::2                        FD00::18:28
udp :65351 :dns       --               :0x0
0           0           131 19:37:30   L3 (IPv6) - Dynamic
FD00::18:29                             FE80::AEA0:16FF:FE0A:61C0
icmp:135             --               :0x0
32          2304        1593 19:39:12   L2 - Dynamic
FD00::18:28                             FE80::AEA0:16FF:FE0A:61C0
icmp:136             --               :0x0
1           72          43   19:38:51   L2 - Dynamic
FEC0:0:0:FFFF::2                        FD00::18:28
udp :65165 :dns       --               :0x0
0           0           43   19:38:59   L3 (IPv6) - Dynamic

Laurent Aubert · ‎05-16-2011

Hi,

Please find below the config guide regarding Netflow for IPv6:

http://www.cisco.com/en/US/docs/ios/12_2sr/12_2srb/feature/guide/nfv6xsrb.html

Basically, it works only with Netflow v9

HTH

Laurent.

hon-cheong.wong · ‎05-16-2011

Thanks Laurent in advanced for such fast reply. In additonal to the command applied to the device, I already add the following command to the 6509E last week

==========================================================================================================

ipv6 unicast-routing

ip flow-export version 9

==========================================================================================================

But there is still no IPv6 netflow information to be occured in command 'show ip cache flow' and exported to the Netflow collection (which claimed supported IPv6). Do any additonal command needed to input? Please advise.

==========================================================================================================

VSS6509#show ip cache flow

-------------------------------------------------------------------------------

Displaying software-switched flow entries on the MSFC in Module 1/5:

IP packet size distribution (187 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .631 .368 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
2 active, 4094 inactive, 123 added
1981 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33992 bytes
2 active, 1022 inactive, 123 added, 123 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes Packets Active(Sec) Idle(Sec)
--More--         --------         Flows     /Sec     /Flow /Pkt     /Sec     /Flow     /Flow
UDP-NTP             67      0.0         1    76      0.0       0.0      15.4
UDP-other           54      0.0         2    54      0.0       0.6      15.4
Total:             121      0.0         1    62      0.0       0.3      15.4

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Pkts
Vl15          10.1.15.12      Null          224.0.0.252     11 D9EF 14EB     2
Vl15          10.1.15.12      Null          224.0.0.252     11 C0DB 14EB     2

-------------------------------------------------------------------------------

Displaying hardware-switched flow entries in the DFC Module 1/5:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Vl15             10.1.15.33       ---              10.1.15.254     11 007B 007B     0
Vl15             10.1.15.12       Vl15             224.0.0.252     11 C0DB 14EB     2
Vl15             10.1.15.254      Vl15             10.1.15.10      11 EB21 00A2     1
Vl15             10.1.15.254      Vl15             10.1.15.22      11 CA0C 270C     3
Vl15             10.1.15.254      Vl15             10.1.22.18      11 CA0C 270C     3
--               0.0.0.0          ---              0.0.0.0         00 0000 0000   142
Vl15             10.1.15.31       ---              10.1.15.254     11 007B 007B     0
Vl15             10.1.15.254      Vl15             10.1.15.31      11 007B 007B     1
Vl15             10.1.15.254      Vl15             10.1.15.89      11 EB5F 00A2     1
Vl15             10.1.15.12       Vl15             10.1.15.255     11 008A 008A     5
Vl15             10.1.15.254      Vl15             10.1.15.33      11 007B 007B     1
Vl15             10.1.15.12       Vl15             10.1.15.255     11 0089 0089     7
Vl15             10.1.15.12       Vl15             224.0.0.252     11 D9EF 14EB     2

==========================================================================================================

Laurent Aubert · ‎05-16-2011

Here is the template you should have:

ipv6 unicast-routing

mls flow ipv6 {destination | destination-source | full | interface-destination-source | interface-full | source}

mls nde sender

ip flow-export version 9

ip flow-export destination x.x.x.x

Thanks,

Laurent.

hon-cheong.wong · ‎05-17-2011

The following command has already applied to the device, but I can still found no IPv6 netflow data to be existed in command 'show ip cache flow' output. Is there any command or method to check whether C6509-VSS has already export the IPv6 netflow data to the collector ?

===================================================================================================

ip flow ingress layer2-switched vlan 15,18
ipv6 unicast-routing

mls aging long 64
mls netflow interface
mls flow ip interface-full
mls flow ipv6 full
mls nde sender
mls cef error action reset

interface Vlan15
ip address 10.1.15.254 255.255.255.0
ip flow ingress
ip flow egress
ipv6 address FD00::15:FE/112
ipv6 enable
!
!
ip flow-export source Vlan15
ip flow-export version 9
ip flow-export destination 10.1.15.22 9996
!

===================================================================================================

Thanks in advances.

HC Wong

Laurent Aubert · ‎05-17-2011

Here are the command you can use:

sh mls net ipv6 - to see statistics for ipv6 netflow
sh mls nde  - to check v9 is used as the export format

I assume sh ip cache flow is only for IPv4. Also please check your collector supports Netflow v9

HTH

Laurent.

hon-cheong.wong · ‎05-23-2011

As check using command 'sh mls nde' and capture the netflow data using wireshark, the C6509E is confirmed to issue Netwflow version 9 data to the collector.

VSS6509#show mls nde
Netflow Data Export enabled
Exporting flows to 10.1.15.22 (9996) 10.1.15.12 (9996)
Exporting flows from 10.1.15.254 (52212)
Version: 9
Layer2 flow creation is enabled on vlan 15,18
Layer2 flow export is enabled on vlan 15,18
Include Filter not configured
Exclude Filter not configured
Total Netflow Data Export Packets are:
    578 packets, 0 no packets, 1109 records
Total Netflow Data Export Send Errors:
        IPWRITE_NO_FIB = 0
        IPWRITE_ADJ_FAILED = 0
        IPWRITE_PROCESS = 0
        IPWRITE_ENQUEUE_FAILED = 0
        IPWRITE_IPC_FAILED = 0
        IPWRITE_OUTPUT_FAILED = 0
        IPWRITE_MTU_FAILED = 0
        IPWRITE_ENCAPFIX_FAILED = 0
        IPWRITE_CARD_FAILED = 0
Netflow Aggregation Disabled

So far, as looking from Wireshare data capture, I cannot found any IPV6 Netflow data being exported to the collector (I already conduct a IPv6 ICMP ping from access switch to C6509 and using IPERF.exe -V to generate some IPV6 UDP traffic at the same time).

Please advise any command/configure I needed to add in order to enable IPv6 netflow v9 data being exported to the collector. Thanks.

HC Wong

Laurent Aubert · ‎05-24-2011

HI,

Your config looks good. "sh mls nde" shows that the router is exported some data. You can track those packets by connecting to the SP:

1. clear mls stati
2. do 10000 ping from source to destination.
3. run "sh mls stati"  and "sh mls netflow ipv6", if the packets are
hardware switched, we should be able to see it in the output.
4. For v9 netflow packets, we need to run "sh ip flow export" on SP to
check the export status/stats. 
       #remote login switch
   SP#sh ip flow export
5. you may turn on debug in SP to check if the packet been sent out.
     #remote login switch
    SP# debug ip flow export

also by default, an on-going flow (like continuous ping) will be exported every 36mn and you will not see the flow itself in the netflow packets but only some stats and infos regarding the flow in the payload.

Again, make sure your collector supports Netflow V9 and IPv6.

There are also some restriction associated to IPv6 support for Netflow on this box. Following is not supported:

Aggregation support (ip flow-aggregation cache command)
Export of Layer 2 switched IPv6 flows
Netflow and NDE sampling
NDE filter support
traffic not forwarded in HW

HTH

Laurent.