
Need help on netflow on 6500 switch

steve switzer
Level 1

Hi All

I am currently configuring a 6500 to send data to a stealthwatch xe Netflow device.

I thought I had this correctly configured using the following config -

ip flow-export source Loopback0

ip flow-export version 5

ip flow-export destination (ip add) 9000

On the various interfaces I wish to get flow data from (VLANs) I have put the following -

ip flow ingress

Now, until recently I thought I was seeing all the flows, but I was informed by the support for the device that I needed to put in the following -

ip flow-cache timeout inactive 10

ip flow-cache timeout active 1

mls netflow interface

mls nde sender version 5

Now when I run the following command - sh ip flow export - I get this -

Flow export v5 is enabled for main cache

Export source and destination details :

VRF ID : Default

Source(1) x (Loopback0)

Destination(1) x (9000)

Version 5 flow records

51204 flows exported in 13346 udp datagrams

0 flows failed due to lack of export packet

0 export packets were sent up to process level

0 export packets were dropped due to no fib

0 export packets were dropped due to adjacency issues

0 export packets were dropped due to fragmentation failures

0 export packets were dropped due to encapsulation fixup failures

0 export packets were dropped enqueuing for the RP

0 export packets were dropped due to IPC rate limiting

0 export packets were dropped due to Card not being able to export

Netflow Data Export enabled

Exporting flows to 10.61.236.171 (9000)

Exporting flows from 10.253.34.1 (59187)

Version: 5

Layer2 flow creation is enabled on vlan 1,10,50,197,239,251,253

Layer2 flow export is enabled on vlan 1,10,50,197,239,251,253

Include Filter not configured

Exclude Filter not configured

Total Netflow Data Export Packets are:

0 packets, 0 no packets, 0 records

Total Netflow Data Export Send Errors:

IPWRITE_NO_FIB = 0

IPWRITE_ADJ_FAILED = 0

IPWRITE_PROCESS = 0

IPWRITE_ENQUEUE_FAILED = 0

IPWRITE_IPC_FAILED = 0

IPWRITE_OUTPUT_FAILED = 0

IPWRITE_MTU_FAILED = 0

IPWRITE_ENCAPFIX_FAILED = 0

IPWRITE_CARD_FAILED = 0

Netflow Aggregation Disabled

Flow export v5 is enabled for main cache

I think you will agree that looks ok

However, when I run this command - sh mls nde - I get this -

Netflow Data Export enabled
Exporting flows to x (9000)
Exporting flows from x (59187)
Version: 5
Layer2 flow creation is enabled on vlan 1,10,50,197,239,251,253
Layer2 flow export is enabled on vlan 1,10,50,197,239,251,253
Include Filter not configured
Exclude Filter not configured
Total Netflow Data Export Packets are:
0 packets, 0 no packets, 0 records
Total Netflow Data Export Send Errors:
IPWRITE_NO_FIB = 0
IPWRITE_ADJ_FAILED = 0
IPWRITE_PROCESS = 0
IPWRITE_ENQUEUE_FAILED = 0
IPWRITE_IPC_FAILED = 0
IPWRITE_OUTPUT_FAILED = 0
IPWRITE_MTU_FAILED = 0
IPWRITE_ENCAPFIX_FAILED = 0
IPWRITE_CARD_FAILED = 0
Netflow Aggregation Disabled

Now - what I need to know is

  • a. Is this working correctly?
  • b. If so, why do I see nothing when I do a - show mls nde

If it is OK, then why am I seeing nothing coming from the NDE - why are there no data export packets?

We are now heavily invested in this technology for a medium-sized organisation and I need to know if this is working correctly.

Kind Regards

Steve

1 Reply

jakewilson
Level 1

I'm no NetFlow Ninja; however, I am a Lancope and Scrutinizer supporter. If you contact us and send a packet capture of the NetFlow datagrams, I can take a quick look and let you know what you need to fix.
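
The reply above asks for a packet capture of the NetFlow datagrams. As an added example (not code from either poster, Cisco or Lancope), this Python code decodes NetFlow v5 export payloads, such as the UDP payloads sent to the collector on port 9000, and uses the header's flow_sequence field to count flows missing between consecutive datagrams. The function names and the sample datagrams are constructed for illustration, and datagrams are assumed to be processed in capture order.

```python
import socket
import struct

# NetFlow v5 wire format, network byte order: 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")

def parse_v5(payload):
    """Decode one export datagram (UDP payload); raise ValueError if malformed."""
    if len(payload) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs,
     sequence, engine_type, engine_id, _sampling) = HEADER.unpack_from(payload)
    if version != 5:
        raise ValueError(f"version field is {version}, expected 5")
    if len(payload) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the header's record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(payload, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "input_if": f[3], "packets": f[5], "octets": f[6],
                      "src_port": f[9], "dst_port": f[10], "proto": f[12]})
    return {"sequence": sequence, "engine": (engine_type, engine_id),
            "unix_secs": unix_secs, "flows": flows}

def lost_flows(datagrams):
    """Per export engine, count flows skipped between consecutive datagrams.

    flow_sequence is the number of flows exported before this datagram, so the
    next one should carry previous sequence + previous record count."""
    expected, lost = {}, {}
    for d in datagrams:
        gap = (d["sequence"] - expected.get(d["engine"], d["sequence"])) % 2**32
        lost[d["engine"]] = lost.get(d["engine"], 0) + gap
        expected[d["engine"]] = (d["sequence"] + len(d["flows"])) % 2**32
    return lost

def sample_datagram(sequence, engine_id, count):
    """Constructed test input (documentation addresses), not a real capture."""
    rec = RECORD.pack(socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
                      bytes(4), 10, 0, 3, 180, 0, 0, 49152, 443, 0x18, 6, 0, 0, 0, 24, 24)
    return HEADER.pack(5, count, 0, 0, 0, sequence, 0, engine_id, 0) + rec * count

if __name__ == "__main__":
    caps = [sample_datagram(0, 0, 2), sample_datagram(2, 0, 1), sample_datagram(10, 0, 1)]
    print(lost_flows([parse_v5(p) for p in caps]))
```

A non-zero count for an engine means export datagrams from that engine did not reach the capture point, which is a different condition from the exporter sending nothing at all.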
