Netflow with Cisco 6500 and Scrutinizer

mrodryguez
Level 1

Hi,

I have an L3 6500 switch where I want to enable Netflow Exporter to see reports in Scrutinizer.

I did the config below without success:

flow record FLOW-RECORD-1
 match interface input

flow exporter Scrutinizer
 description Exports to Scrutinizer
 destination 10.100.8.176
 source Loopback2
 transport udp 2055
 template data timeout 60

flow monitor netflow-original
 description This flow monitor uses the NetFlow original record and exports to Scrutinizer
 exporter Scrutinizer
 cache timeout active 60
 record platform-original ipv4 full

interface Loopback2
 ip address 138.228.145.254 255.255.255.255
 ip flow monitor netflow-original input
 ip flow monitor netflow-original output

interface Vlan3
 description BRQOC-LSR0-V# (Alice)
 ip address 10.100.38.1 255.255.255.0 secondary
 ip address 10.100.1.1 255.255.252.0
 no ip redirects
 ip wccp 61 redirect in
 ip flow monitor netflow-original input
 ip flow monitor netflow-original output

BRQOC-LSR0#sh flow exporter stat
Flow Exporter Scrutinizer:
  Packet send statistics (last cleared 9w6d ago):
    Successfully sent:         40611561              (54983985388 bytes)
  Client send statistics:
    Client: Flow Monitor netflow-original
      Records added:           1428793161
        - sent:                1428793152
      Bytes added:             52865346957
        - sent:                52865346624

Any help will be appreciated!

Regards,

Marcelo

7 Replies

Chris McGarrah
Level 1

Looks like flows are being sent. Can you run Wireshark on your Scrutinizer box and see if the netflow traffic is making it there?

Perfect Chris! I ran Wireshark and the CFLOW protocol is in place. Maybe I have some problems with the Scrutinizer config. I will make a test pointing the flow to WhatsUp Gold.

After that i will post the result!

Thank you very much!!

Chris,

As I mentioned in my previous message, I have the CFLOW protocol in Wireshark, but Scrutinizer does not give me reports. I contacted their Technical Support and they said the Scrutinizer configuration is OK. Is it possible that my 6509 is sending CFLOW without a correct config?

I still suspect something on the Scrutinizer server side. Is there a local firewall configured that would prevent the flows from going further than the interface?

You could also try configuring the 6500 with traditional netflow config as shown on the left side in this example:

http://www.plixer.com/blog/wp-content/uploads/2010/04/Traditional-vs-Flexible-NetFlow1.jpg

This is a little bit simpler config and should give you the same information since you are only using netflow original records in your flexible netflow config?

Out of curiosity, what code level are you running on your 6500?

Chris,

I reviewed all my configuration and switched the protocol from CFLOW v9 to CFLOW v5. Now it is working!

I want Netflow to have better troubleshooting of my LAN, so I applied it on all VLANs. But just for outside traffic. Do you think I should enable it for incoming traffic too?

Generally I would apply it in a single direction (ingress in my production network) on all L3 interfaces, including SVIs.

So if it is a P2P link, then one device's ingress means the other device's egress traffic.

If you enable it in both directions, it will work, but you may get double counting (more flows sent for the same traffic), depending on how you configure it throughout your network.

HTH

Rasika

**** Pls rate all useful responses ****

mrodryguez
Level 1

Perfect Rasika!

Thank you very much!

Sent from Cisco Technical Support iPhone App
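An added example, not code from anyone in this thread: a collector-side check for the situation described above, where Wireshark shows CFLOW arriving but the collector shows no reports. It reads the UDP payload of an export datagram, reports whether it is NetFlow v5 or v9, and for v9 flags data flowsets whose template has not yet been seen, since v9 data cannot be decoded without its template. The sample datagrams and the source ID 7 are constructed for illustration.

```python
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")  # NetFlow v5 header, 24 bytes
V9_HEADER = struct.Struct("!HHIIII")     # NetFlow v9 header, 20 bytes
V5_RECORD_LEN = 48

def inspect_datagram(payload, known_templates):
    """Classify one export datagram (UDP payload). known_templates is a set of
    (source_id, template_id) pairs and is updated as v9 templates arrive."""
    if len(payload) < 2:
        return {"version": None, "problem": "truncated"}
    version = struct.unpack_from("!H", payload)[0]
    if version == 5:
        if len(payload) < V5_HEADER.size:
            return {"version": 5, "problem": "truncated"}
        count = V5_HEADER.unpack_from(payload)[1]
        ok = len(payload) == V5_HEADER.size + count * V5_RECORD_LEN
        return {"version": 5, "records": count,
                "problem": None if ok else "length mismatch"}
    if version != 9:
        return {"version": version, "problem": "unsupported version"}
    if len(payload) < V9_HEADER.size:
        return {"version": 9, "problem": "truncated"}
    source_id = V9_HEADER.unpack_from(payload)[5]
    offset, templates, undecodable = V9_HEADER.size, [], []
    while offset + 4 <= len(payload):
        flowset_id, length = struct.unpack_from("!HH", payload, offset)
        if length < 4 or offset + length > len(payload):
            return {"version": 9, "problem": "bad flowset length"}
        if flowset_id == 0:  # template flowset: remember every template id
            pos = offset + 4
            while pos + 4 <= offset + length:
                tid, field_count = struct.unpack_from("!HH", payload, pos)
                if tid < 256:  # zero padding at the end of the flowset
                    break
                known_templates.add((source_id, tid))
                templates.append(tid)
                pos += 4 + 4 * field_count
        elif flowset_id >= 256 and (source_id, flowset_id) not in known_templates:
            undecodable.append(flowset_id)  # data with no template seen yet
        offset += length
    return {"version": 9, "templates": templates, "undecodable": undecodable,
            "problem": "data before template" if undecodable else None}

# Constructed sample datagrams (not captured from the thread's switch).
SAMPLE_V5 = V5_HEADER.pack(5, 1, 0, 0, 0, 0, 0, 0, 0) + bytes(V5_RECORD_LEN)
SAMPLE_V9_DATA = V9_HEADER.pack(9, 1, 0, 0, 0, 7) + struct.pack("!HH", 256, 8) + bytes(4)
SAMPLE_V9_TEMPLATE = (V9_HEADER.pack(9, 1, 0, 0, 1, 7)
                      + struct.pack("!HHHH", 0, 16, 256, 2)
                      + struct.pack("!HHHH", 8, 4, 12, 4))
```

Feed it the UDP payloads from a capture taken on the collector, reusing one `known_templates` set across datagrams from the same exporter.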
