04-16-2013 06:45 AM - edited 03-04-2019 07:36 PM
We have Nexus 7000s configured for sampled netflow. We have tools that should reconstruct the sampled flow records for management displays. Most tools require the flow record, option and template to be sent in order to reconstruct the sampled flow record. We have captured some of this traffic and noticed that the template contains "SamplerMode": Unknown (1) [See Nexus 1-1.png]. Is this usual or have we not include commands required for proper operation?
Thanks
Terrence
fearure netflow
flow timeout active 60
flow timeout inactive 15 (default)
flow session
flow timeout agreesive threshold 80
flow exporter flow_exporter
destination x.x.x.x use-vrf management
transport udp 9996
version 9
template data timeout 30
option exporter-stats timeout 30
option sampler-table timeout 60
flow record flow_record
match ipv4 source address
! {many statments}
sampler netflow_sampler-2
mode 1 out-of 100
flow monitor flow_monitor
record flow_record
exporter flow_exporter
interface VLAN 150
ip flow monitor flow_monitor output sampler netflow_sampler-2
Solved! Go to Solution.
04-18-2013 04:03 AM
Hello Terrence,
You are correct regarding "Most tools require the flow record, option and template" and they also require the definitions of all elements used in the export.
We maintain constant communication with Cisco for their latest element IDs and definitions (I.e. description, type, length, etc.). It looks like your collector may need the definitions. Once updated, the front end will then need to be updated to make use of the new element(s) if you want to make use of it.
If you send a packet capture of the flows to Plixer the will give you a more complete diagnosis. Make sure you include the templates.
Please vote if my post answers your question.
04-18-2013 04:03 AM
Hello Terrence,
You are correct regarding "Most tools require the flow record, option and template" and they also require the definitions of all elements used in the export.
We maintain constant communication with Cisco for their latest element IDs and definitions (I.e. description, type, length, etc.). It looks like your collector may need the definitions. Once updated, the front end will then need to be updated to make use of the new element(s) if you want to make use of it.
If you send a packet capture of the flows to Plixer the will give you a more complete diagnosis. Make sure you include the templates.
Please vote if my post answers your question.
04-18-2013 07:32 AM
Jake
Thanks you for the response. The odd thing is that the Nexus device is sending two different SourceId's. I will log on to Plixer and submit the packets for inspection. The captures do have the templates and you will see both SourceId's. Notice my second question in this forum about the netflow SourceID occurance.
Thanks
Terrence
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide