Issues with IPv6 Flexible Netflow after IOS upgrade

Nikolaos Milas · ‎06-03-2015

Hello,

I am posting this issue here, as - I hope - a more suitable subject area, because my questions at:

https://supportforums.cisco.com/discussion/12519461/3825-issues-after-ios-upgrade-cpu-netflow

have remained unanswered so far.

To cut a long story short, I have upgraded two routers 3825 from Version 12.4(9)T2 to 12.4(24)T8 (Advanced Enterprise).

Following this upgrade, my classic IPv6 netflow (v9) exporting would not work anymore.

Switching to IPv6 Flexible Netflow (FNF) did not produce the expected results: traffic and packets (but not flows) are "magnified" by an estimated factor of about 100K. That is, IPv6 traffic that is really around 1000 packets/sec and 100 Kbps appears as: 100 M packets / sec and 10Gbps respectively.

I have been obliged to stop (at least temporarily) IPv6 recording, because it distorts real traffic graphs (data is collected and graphs are generated by nfdump/nfsen).

Until now, I have not been able to find a solution. If someone can advise, I will appreciate it.

       flow exporter IPv6
         destination 195.251.xxx.xxx
         source Loopback0
         transport udp 9995
       
       flow monitor IPv6
         record netflow ipv6 original-output
         exporter IPv6
         transport udp 9995

And on the interfaces:

      ipv6 flow monitor IPv6 input

Perhaps the "record" statement should be configured differently? If so, how?

What may be wrong?

Please advise.

Thanks in advance,
Nick

Nikolaos Milas · ‎06-03-2015

It finally worked (IPv6 FNF). I had to configure a user-defined record, because the pre-defined records would not produce correct results, as I described in my earlier posts, for reasons I have not been able to find.

Here is the working configuration:

   flow exporter IPv6
     destination 10.10.10.10
     source Loopback0
     transport udp 9995
   !
   !
   flow record ipv6_record
     match ipv6 protocol
     match ipv6 source address
     match ipv6 destination address
     match transport source-port
     match transport destination-port
     match flow direction
     collect routing source as
     collect routing destination as
     collect ipv6 dscp
     collect ipv6 source mask
     collect ipv6 destination mask
     collect transport tcp source-port
     collect transport tcp destination-port
     collect transport tcp flags
     collect interface input
     collect interface output
     collect counter bytes
     collect counter packets
     collect timestamp sys-uptime first
     collect timestamp sys-uptime last
   !
   !
   flow monitor IPv6
     record ipv6_record
     exporter IPv6
   !

and on all IPv6-enabled router interfaces:

    ipv6 flow monitor IPv6 input

All the best,
Nick

Nikolaos Milas · ‎08-05-2015

Update:

Unfortunately, after some weeks, the problem started to occur again (without any configuration changes, as far as I can remember).

Based on info from:

http://www.cisco.com/c/en/us/td/docs/ios/fnetflow/configuration/guide/12_2sr/fnf_12_2_sr_book/cust_fnflow_rec_mon.html#wp1061219

...I changed it to:

flow exporter IPv6
 destination 10.10.10.10
 source Loopback0
 transport udp 9995
!
flow record ipv6_record_cisco1
 match ipv6 destination address
 collect ipv6 protocol
 collect ipv6 source address
 collect transport source-port
 collect transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow monitor IPv6_cisco1
 record ipv6_record_cisco1
 exporter IPv6

...and on all IPv6-enabled router interfaces:

ipv6 flow monitor IPv6_cisco1 input

and things are running smoothly (at least for now).

I hope the above might help someone who is having a hard time as I did.

Nick