Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
958
Views
0
Helpful
2
Replies

Sampled netflow from Nexus 7000 questions

Go to solution
twilson
Level 1
Level 1

‎04-16-2013 06:45 AM - edited ‎03-04-2019 07:36 PM

We have Nexus 7000s configured for sampled netflow. We have tools that should reconstruct the sampled flow records for management displays. Most tools require the flow record, option and template to be sent in order to reconstruct the sampled flow record. We have captured some of this traffic and noticed that the template contains "SamplerMode": Unknown (1) [See Nexus 1-1.png]. Is this usual or have we not include commands required for proper operation?

Thanks

Terrence

fearure netflow

flow timeout active 60

flow timeout inactive 15 (default)

flow session

flow timeout agreesive threshold 80

flow exporter flow_exporter

destination x.x.x.x use-vrf management

transport udp 9996

version 9

  template data timeout 30

  option exporter-stats timeout 30

  option sampler-table timeout 60

flow record flow_record

match ipv4 source address

! {many statments}

sampler netflow_sampler-2

  mode 1 out-of 100

flow monitor flow_monitor

    record flow_record

    exporter flow_exporter

interface VLAN 150

ip flow monitor flow_monitor output sampler netflow_sampler-2

Labels:
Preview file
24 KB
Preview file
23 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jakewilson
Level 1
Level 1

‎04-18-2013 04:03 AM

Hello Terrence,

You are correct regarding "Most tools require the flow record, option and template" and they also require the definitions of all elements used in the export.

We maintain constant communication with Cisco for their latest element IDs and definitions (I.e. description, type, length, etc.).  It looks like your collector may need the definitions.  Once updated, the front end will then need to be updated to make use of the new element(s) if you want to make use of it.

If you send a packet capture of the flows to Plixer the will give you a more complete diagnosis. Make sure you include the templates. 

Please vote if my post answers your question.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
jakewilson
Level 1
Level 1

‎04-18-2013 04:03 AM

Hello Terrence,

You are correct regarding "Most tools require the flow record, option and template" and they also require the definitions of all elements used in the export.

We maintain constant communication with Cisco for their latest element IDs and definitions (I.e. description, type, length, etc.).  It looks like your collector may need the definitions.  Once updated, the front end will then need to be updated to make use of the new element(s) if you want to make use of it.

If you send a packet capture of the flows to Plixer the will give you a more complete diagnosis. Make sure you include the templates. 

Please vote if my post answers your question.

0 Helpful

Go to solution
twilson
Level 1
Level 1
In response to jakewilson

‎04-18-2013 07:32 AM

Jake

Thanks you for the response. The odd thing is that the Nexus device is sending two different SourceId's. I will log on to Plixer and submit the packets for inspection. The captures do have the templates and you will see both SourceId's. Notice my second question in this forum about the netflow SourceID occurance.

Thanks

Terrence

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card