Re: Flow Record destination

bobrod68 · ‎08-21-2025

I created a flow record on an edge (access) switch. One of the Port channel physical interfaces has a high utilization (rx load). Several of the top talker flow destinations are not on the switch. But somehow the flow is still on the edge switch. All of the other top talker destination macs I can find on that edge switch. Why is that flow a top talker on my switch when neither the source or destination are on that switch? Also I used input for my flow record on the interface.

MHM Cisco World · ‎08-21-2025

SW can not forward frame it mac not in address table

Except one case which is unknown unicast frame and this frame flood to all port.

For PO change hash and check

MHM

bobrod68 · ‎08-23-2025

I will see what hash we are using and I also need to check the upstream switch (Distro).

Stefan Mihajlov · ‎08-23-2025

@bobrod68

That’s normal behavior. When you apply a flow record with match input on an interface, the switch exports flows for all traffic entering that port, regardless of whether the source/destination live on that switch.

So if a host somewhere else is sending traffic through that edge port (like transit toward another device), your edge switch still “sees” it and counts it as a top talker. That’s why you see destinations that don’t exist locally — the switch is just reporting flows that passed through it.

If you only want to see traffic sourced/terminated on the switch itself, you’d need to refine the record or use filters, but in general NetFlow on an edge device will always include transit flows.

bobrod68 · ‎08-23-2025

I wonder if the transit flow is what is causing the rx load (high utilization) on the edge switch. It is dicom traffic and we have a host that can send and receive dicom traffic. That is really what I am trying to figure out, what is causing the rx load to be high.