Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
653
Views
0
Helpful
2
Replies

netflow : 6506E IOS 12.2(33)SXJ10 only a small part of data collected

hans-mayer
Level 1
Level 1

‎02-19-2019 05:34 AM - edited ‎03-03-2019 09:00 AM

 

Dear All, 

I am not sure if I am correct with my netflow question in this category. But I hope so. 

 

I am running "nfsen" as netflow collector. I am collecting the netflow data from two cisco devices: this is a C2921 as Internet gateway and a WS-C6506-E as central switch with routing module and several routed VLAN's. This 6506 has IOS Version 12.2(33)SXJ10. The netflow graphs for C2921 are looking quite fine. What we are seeing could be what really goes over this router. But if I look at graph of 6506 I see typically less than 5 Mbit which can't be true in a network of hundred of users and a lot of servers. I made some tests between two routed VLANs with "iperf" and netflow shows less than 0.1% of the reported throughout. Obviously I made something wrong with the cisco configuration. 

 

These are the relevant part of my config:

global section: 

ip flow-cache entries 128000
ip flow-cache timeout active 1

ip flow ingress layer2-switched vlan 1,25,52,56,80,90,125

mls aging fast time 15 threshold 3
mls aging long 64
mls aging normal 32
mls netflow interface
mls flow ip interface-full
mls flow ipv6 interface-full
mls nde sender version 5
mls sampling time-based 64
mls qos map dscp-cos 40 to 4

 

VLAN interfaces I have for example: 

interface Vlan1
  ip flow ingress
  ip flow egress

 

Finally I have: 

ip flow-export source Vlan1
ip flow-export version 9
ip flow-export destination some.ip.add.ress 10002
ip flow-aggregation cache protocol-port
  cache entries 1024
  cache timeout inactive 300
  export destination some.ip.add.ress 10002
  enabled
!
ip flow-top-talkers
  top 50
  sort-by bytes

 

 

Any help is welcome.

 

Kind regards 

Hans 

 

 

Labels:
0 Helpful
2 Replies 2

Seb Rupik
VIP Alumni
VIP Alumni

‎02-25-2019 12:13 AM

Hi there,

Ah nfsen, a great product!

 

Looking at your config I would try reverting the cache timeout value to default (30 minutes). You already have configured an above default cache size, so timing active flows out after one minute seems excessive and may be where you hare losing the data.

!
no ip flow-cache timeout active 1
!

cheers,

Seb.

 

0 Helpful

hans-mayer
Level 1
Level 1
In response to Seb Rupik

‎02-26-2019 08:31 AM


Dear Seb,
I tried. But unfortunately it didn't solve this issue.

// Hans

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents