12-14-2010 06:59 AM
I am running a Catalyst 6504 with sup32 and pfc3b/msfc2a on native IOS 12.2(33)SXI5.
I'm trying to export all netflows as v9 since I have to depend on netflow for IPv6 too.
As a collector I'm running nfcapd version 1.6.1.
My problem is that I have some flows that don't show up in the nfcaps but which I can see on the 6504.
core1#sh ip cache flow | incl 22B8
Vl3000 **.***.141.20 Vl3001 **.**.25.7 06 22B8 9402 15K
Vl3000 **.***.141.20 Vl3001 **.**.25.7 06 22B8 D570 20K
These are the two flows I am looking for.
When I look at what got captured there is no trace of these flows.
fbauhaus@sirius:/home/nfdump/nfcap/2010/12/14$ nfdump -r nfcapd.201012141251 -o extended 'host **.**.25.7'
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2010-12-14 12:52:18.876 0.000 TCP **.**.25.7:22 -> **.***.141.20:34456 .AP... 16 1 116 0 0 116 1
2010-12-14 12:52:18.876 0.000 TCP **.**.25.7:22 -> **.***.141.20:34456 .AP... 16 1 116 0 0 116 1
2010-12-14 12:52:23.812 0.000 TCP **.**.25.7:39566 -> **.***.141.20:80 ....S. 0 1 60 0 0 60 1
Summary: total flows: 3, total bytes: 292, total packets: 3, avg bps: 473, avg pps: 0, avg bpp: 97
Time window: 2010-12-14 12:52:18 - 2010-12-14 12:52:23
Total flows processed: 326, Blocks skipped: 0, Bytes read: 16980
Sys: 0.000s flows/second: 0.0 Wall: 0.000s flows/second: 516640.3
(I took only this one capture file as an example, but it doesn't show up in any other file either.)
Here are the associated parts of the configuration:
ip flow ingress layer2-switched vlan 1,3000-3001
mls netflow interface
mls flow ip interface-full
mls flow ipv6 full
!
interface Vlan1
 ip address ***.***.71.26 255.255.255.248
 ip access-group 100 in
 ip access-group 100 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ipv6 address ****:****:****:****::/64 eui-64
 ipv6 nd ra suppress
!
interface Vlan3000
 ip address **.**.24.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ipv6 address ****:****:****:****::/64 eui-64
 ipv6 nd ra suppress
!
interface Vlan3001
 ip address **.**.25.1 255.255.255.192
 ip flow ingress
 ipv6 address ****:****:****:****::/64 eui-64
!
ip route **.***.141.0 255.255.255.128 **.**.24.6
!
ip flow-export source Vlan3001
ip flow-export version 9 origin-as bgp-nexthop
ip flow-export destination **.**.25.7 9995
Maybe someone has an idea what I am missing here.
Best regards
Florian
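The comparison made by hand in the post above (router flow cache against collector capture) can be scripted. This is an added example, not part of the original thread: it converts the hex ports of `show ip cache flow` rows (22B8 is port 8888) and reports the flows absent from `nfdump -o extended` output. The sample data is constructed with documentation addresses, and the function names are hypothetical.

```python
import re

# Constructed sample data modelled on the two outputs in the post above.
# Addresses are documentation ranges, not the poster's masked ones.
IOS_CACHE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Vl3000 192.0.2.20 Vl3001 198.51.100.7 06 22B8 9402 15K
Vl3000 192.0.2.20 Vl3001 198.51.100.7 06 22B8 D570 20K
Vl3001 198.51.100.7 Vl3000 192.0.2.20 06 0016 8698 1
"""
NFDUMP_OUT = """\
2010-12-14 12:52:18.876 0.000 TCP 198.51.100.7:22 -> 192.0.2.20:34456 .AP... 16 1 116 0 0 116 1
2010-12-14 12:52:23.812 0.000 TCP 198.51.100.7:39566 -> 192.0.2.20:80 ....S. 0 1 60 0 0 60 1
Summary: total flows: 2, total bytes: 176, total packets: 2
"""

PROTO = {6: "TCP", 17: "UDP"}  # names as nfdump prints them
NF_ROW = re.compile(r"^\S+ \S+\s+\S+\s+(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s")

def parse_ios_cache(text):
    """Flow keys from 'show ip cache flow' rows; Pr, SrcP and DstP are hex."""
    flows = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        try:
            proto, sport, dport = (int(x, 16) for x in f[4:7])
        except ValueError:
            continue  # column header or other non-flow line
        flows.add((PROTO.get(proto, str(proto)), f[1], sport, f[3], dport))
    return flows

def parse_nfdump(text):
    """Flow keys from 'nfdump -o extended' rows (IPv4 TCP/UDP only)."""
    flows = set()
    for line in text.splitlines():
        m = NF_ROW.match(line)
        if m:
            proto, src, sport, dst, dport = m.groups()
            flows.add((proto, src, int(sport), dst, int(dport)))
    return flows

def missing_from_collector(ios_text, nfdump_text):
    """Flows present in the router cache but absent from the capture."""
    return sorted(parse_ios_cache(ios_text) - parse_nfdump(nfdump_text))

if __name__ == "__main__":
    for proto, src, sport, dst, dport in missing_from_collector(IOS_CACHE, NFDUMP_OUT):
        print(f"not exported: {proto} {src}:{sport} -> {dst}:{dport}")
```

A flow reported here only counts as missing once its cache timeout has expired within the capture interval being read, since the router cache also lists flows that are still active.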
12-14-2010 11:15 AM
Perhaps because these flows are active, so they're not due to be exported until they're torn down or the flow export timer expires. If that's the case, you could configure:
ip flow-cache timeout [active minutes | inactive seconds]
to force the flow to be exported.
Here's a good explanation, in which it mentions the default flow-cache timer is 30 mins (though I thought it's 15 mins).
http://www.plixer.com/blog/network-problem-resolution/ip-flow-cache-active-timeout-are-you-using-it/
12-15-2010 12:53 AM
I'm sorry, I forgot to mention that I took the example from the 6504 while they were active, but they do not appear in my caps either, even after the flow is not active anymore. And I even have 'ip flow-cache timeout 1' in my config and just forgot to post it here.
But thank you for your reply.