cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
381
Views
0
Helpful
2
Replies
Highlighted
Beginner

netflow : 6506E IOS 12.2(33)SXJ10 only a small part of data collected

 

Dear All, 

I am not sure if I am correct with my netflow question in this category. But I hope so. 

 

I am running "nfsen" as netflow collector. I am collecting the netflow data from two cisco devices: this is a C2921 as Internet gateway and a WS-C6506-E as central switch with routing module and several routed VLAN's. This 6506 has IOS Version 12.2(33)SXJ10. The netflow graphs for C2921 are looking quite fine. What we are seeing could be what really goes over this router. But if I look at graph of 6506 I see typically less than 5 Mbit which can't be true in a network of hundred of users and a lot of servers. I made some tests between two routed VLANs with "iperf" and netflow shows less than 0.1% of the reported throughout. Obviously I made something wrong with the cisco configuration. 

 

These are the relevant part of my config:

global section: 

ip flow-cache entries 128000
ip flow-cache timeout active 1

ip flow ingress layer2-switched vlan 1,25,52,56,80,90,125

mls aging fast time 15 threshold 3
mls aging long 64
mls aging normal 32
mls netflow interface
mls flow ip interface-full
mls flow ipv6 interface-full
mls nde sender version 5
mls sampling time-based 64
mls qos map dscp-cos 40 to 4

 

VLAN interfaces I have for example: 

interface Vlan1
  ip flow ingress
  ip flow egress

 

Finally I have: 

ip flow-export source Vlan1
ip flow-export version 9
ip flow-export destination some.ip.add.ress 10002
ip flow-aggregation cache protocol-port
  cache entries 1024
  cache timeout inactive 300
  export destination some.ip.add.ress 10002
  enabled
!
ip flow-top-talkers
  top 50
  sort-by bytes

 

 

Any help is welcome.

 

Kind regards 

Hans 

 

 

2 REPLIES 2
Highlighted
VIP Advisor

Hi there,

Ah nfsen, a great product!

 

Looking at your config I would try reverting the cache timeout value to default (30 minutes). You already have configured an above default cache size, so timing active flows out after one minute seems excessive and may be where you hare losing the data.

!
no ip flow-cache timeout active 1
!

cheers,

Seb.

 

Highlighted


Dear Seb,
I tried. But unfortunately it didn't solve this issue.

// Hans