Hi,
I have a Catalyst 6500 with SUP720-PFC3B running version 12.2(33)SXH4. On this switch, I have a VRF configured with 6 VLAN interfaces.
I activated NetFlow on this switch and configured NetFlow on only one VLAN interface with the command ip flow ingress. This interface is on VLAN 311 in the following picture:
I observe that a flow initiated upstream of the interface vlan 300 and directed to another interface is marked as L3 - Dynamic, which is normal because it is a routed flow from one interface to another interface on different subnets. However, the return packets are marked as L2 - Dynamic!
For instance, a DNS request arriving on interface vlan 311 is seen as a Layer-3 flow, whereas the return packet is seen as a Layer-2 flow!
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr Pkts Bytes Age LastSeen Attributes
---------------------------------------------------------------------------------------------------------------
10.56.6.222 10.240.3.45 udp :44241 :dns Vl311 :0x01 69 72 11:15:46 L3 - Dynamic
10.240.3.45 10.56.6.222 udp :dns :44241 Vl311 :0x00 0 72 11:15:46 L2 - Dynamic
The same observation is valid for TCP flows.
My questions:
- When NetFlow is activated in ingress only on only one interface, is it normal to see the return flow? As far as I understood, a flow is a unidirectional communication and NetFlow has not been configured on the return path. So I wonder why I see the return flow?
- Why is the return flow marked as an L2 switched flow and not L3 routed?
- Is it a valid statement to say that if I want to see only L3 flows in the NetFlow table, I have to configure ingress NetFlow on all the interfaces?
Thank you for any explanations,
Yves Haemmerli
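Added example, not part of the post above and not Cisco's code: a small Python parser for the one-line-per-flow table layout shown in the post that pairs each entry with its reverse-direction entry and flags pairs whose Attributes column disagrees (one direction L3, the other L2). The sample text is the two entries from the post, embedded as constructed input; the exact mapping of the numeric counters (Pkts/Bytes/Age) is not certain from the post, so they are kept as an unparsed list rather than guessed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two entries from the post, in the same
# one-line-per-flow layout (column names as in the post's header).
SAMPLE = """\
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr Pkts Bytes Age LastSeen Attributes
---------------------------------------------------------------------------------------------------------------
10.56.6.222 10.240.3.45 udp :44241 :dns Vl311 :0x01 69 72 11:15:46 L3 - Dynamic
10.240.3.45 10.56.6.222 udp :dns :44241 Vl311 :0x00 0 72 11:15:46 L2 - Dynamic
"""

# One flow line. Port fields may be service names (dns) or numbers.
# The counters between AdjPtr and LastSeen are captured as a free-form
# run of integers because their column mapping is not certain here.
LINE_RE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>\w+)\s*:(?P<sport>\w+)\s*:(?P<dport>\w+)\s+"
    r"(?P<intf>\S+)\s*:(?P<adj>0x[0-9a-fA-F]+)\s+"
    r"(?P<counters>(?:\d+\s+)*)"
    r"(?P<last>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<attr>L[23]\s+-\s+\S+)\s*$"
)


@dataclass(frozen=True)
class Flow:
    dst: str
    src: str
    proto: str
    sport: str
    dport: str
    intf: str
    adj: int          # AdjPtr as an integer (0x00 -> 0)
    counters: tuple   # unparsed numeric columns, in order
    attr: str         # e.g. "L3 - Dynamic"

    def key(self):
        # Unidirectional 5-tuple: src -> dst
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self):
        # 5-tuple of the flow going the other way
        return (self.dst, self.src, self.proto, self.dport, self.sport)

    def layer(self):
        return self.attr.split()[0]  # "L2" or "L3"


def parse_mls_netflow(text):
    """Parse flow lines; header, separator and unmatched lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(
            m["dst"], m["src"], m["proto"].lower(), m["sport"], m["dport"],
            m["intf"], int(m["adj"], 16),
            tuple(int(n) for n in m["counters"].split()),
            m["attr"],
        ))
    return flows


def find_asymmetric_pairs(flows):
    """Return (flow, reverse_flow) pairs whose L2/L3 attribute differs.

    Each pair is reported once, in the order the forward flow appears.
    """
    by_key = {f.key(): f for f in flows}
    seen = set()
    mismatches = []
    for f in flows:
        if f.key() in seen:
            continue
        r = by_key.get(f.reverse_key())
        if r is None:
            continue
        seen.add(f.key())
        seen.add(r.key())
        if f.layer() != r.layer():
            mismatches.append((f, r))
    return mismatches


if __name__ == "__main__":
    for fwd, rev in find_asymmetric_pairs(parse_mls_netflow(SAMPLE)):
        print(f"{fwd.src}->{fwd.dst} {fwd.proto}/{fwd.dport}: {fwd.attr} (AdjPtr {fwd.adj:#x}), "
              f"return: {rev.attr} (AdjPtr {rev.adj:#x})")
```

Running it over the posted table reports the single DNS request/response pair as asymmetric (L3 one way, L2 the other); pointing it at a full table dump is a quick way to count how many reverse-direction entries carry the L2 attribute before changing the NetFlow configuration.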