Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1918
Views
0
Helpful
1
Replies

Netflow, Sup2T, v5 export: surprise!

ctimmons
Level 1
Level 1

‎05-01-2012 10:50 AM

I am migrating several Sup720 c65xx platforms to Sup2T.

Our netflow collector (flow-tools) immediately started complaining

about massive numbers of missed flows.

Packet capture reveals that the device will send more than one

series of flowdata with the same "EngineID". 

We'll see flows exported from various DFC-enabled linecards,

with the appropriate slot number as the "EngineID" - all

with the first flow's sequence number starting at 0 and

incrementally increasing as more flows are exported.

The Sup2T will do this too, except, after some number of

flows has been exported, it will start sending _another_

series of flowdata with a new sequence number starting

at 0.

This confuses the collector, which for example, has seen

the supervisor's EngineID send flow sequence number 5000,

and the very next packet contains sequence number 0(!).

Now the collector believes it has lost exports with sequence number 5001

up through the rollover value of the counter - so it reports losing about

4 billion flows.

I don't think this is proper behavior, because the collector

needs to rely on the sequence number for an EngineID

increasing (only) - so that it can determine if it has missed flows (due

to packet loss or other problems on the collector).  On Sup720 you

could get the MSFC flows as v5 and the PFC flows as v7 which

worked fine.  Perhaps both of those flows are being exported from

the same EngineID - but with different sequence number series?

I'm using the "export-protocol netflow-v5" format.  Our netflow

collection infrastructure has been in place for a very long

time and is stable.

Any ideas?

Regards,

-Chris

Labels:
0 Helpful
1 Reply 1

Somasundaram Jayaraman
Cisco Employee
Cisco Employee

‎12-13-2012 03:27 PM 

Version 5 netflow uses a default fixed record-fields.

Remove the flow monitors from all the interfaces

(config)# flow monitor test
(config-flow-monitor)# no  record test
(config-flow-monitor)# default record
(config)# no flow record test

Put back the flow monitors on all the interfaces and you should start seeing data on
collector, please do this and let me know how it goes.

0 Helpful
Customers Also Viewed These Support Documents