Csr1000v netflow source IP
I have 3 CSR's setup and working. Trying to get netflow to work. One works just fine but the other two aren't. Same configuration across the board, destination IP, source interface etc. The two that don't work look like they are pulling a source IP address off an interface that isn't the specified one:
Flow Exporter nflow:
Description: User defined
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 172.17.195.95
Source IP address: Public IP on Gig 3
Source Interface: GigabitEthernet1
Transport Protocol: UDP
Destination Port: 2055
Source Port: 52340
DSCP: 0x0
TTL: 255
Output Features: Used
interface GigabitEthernet1
description management
vrf forwarding MGMT
ip address 172.17.195.199 255.255.255.0
negotiation auto
I have removed and reconfigured it numerous times but it will not stop grabbing the public ip assigned to a totally different interface. You can't specify anything but the source interface in the exporter config:
flow exporter nflow
destination 172.17.195.95
source GigabitEthernet1
transport udp 2055
template data timeout 60
Hello Syed,
without 'Run on all nodes' option, the call wil originate from the 1st node of the device pool assigned to SIP trunk.
With Run on all Active Unified CM Nodes enabled, outbound SIP trunk calls originate from the same node on which the inbound call (for example, from a phone or trunk) is received.
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/8x/uc8x/trunks.html#wp1123026
//Suresh
Please rate all the useful posts.
Similar Messages
-
Is it possible to make a VRF as a NetFlow and SNMP traps source on 12.2SR IOS release?
Hi,
As you specify the source-interface, just put this interface in a VRF and it should be fine.
I made a quick test for SNMP and it's working. I used the snmp-server trap-source command.
HTH
Laurent. -
How netflow works with ASA Firepower and Virtual Defense ?
Hi,
In the discovery rules of the Virtual Defense, i can see that's it's possible to configure netflow source. I have a pair of Cisco 4500X as the core switch L3, and would like to send a flow to the IPS.
I configure the switch like that :
flow record IPV4-FLOW-RECORD
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect interface input
collect interface output
collect counter bytes long
collect counter packets long
flow exporter Firepower
source Vlan12
destination IP_OF_tHE_ASA_IPS_MODULE
flow monitor IPV4-FLOW
exporter Firepower
cache timeout inactive 30
cache timeout active 60
cache entries 1000
record IPV4-FLOW-RECORD
vlan configuration 100-102 ip flow monitor IPV4-FLOW input
It's the correct configuration ? Can't see how to check in Virtual Defense if it's receive netflow packetsSOLUTION!
Install a second NIC bind vmnet0 to eth1 instead of eth0
Details:
Goal was to have the Host OS (Ubuntu 8.04) which is running an Apache web server also serve as an e-mail gateway (SpamTitan) since on a heavy day the web server might hit 5% CPU.
Why but a whole new machine, right?
When it did not work right away I went into troubleshooting mode and tried several different things as mentioned above. Which led me to the idea to create my own VM of SpamTitan and bind it to a different NIC.
Before I went that far I tried reassigning vmnet0 from eth0 to my newly installed eth1 and running it. That seems to have done the trick!
So now the setup is:
eth0 192.168.2.4
eth1 192.168.2.5
vmnet0 192.168.2.6
With vmnet0 bridged to eth1
Why is it working now and not before?
I am unsure. It is not a Linux thing because I tried both Windows XP and OS X 10.5 with the same result. I think it has more to do with primary network and associated services than Host OS.
If anyone has any insight please let me know. Otherwise I am going to chase it down later.
Thanks again for your responses! -
AVC, Netflow and Flexconnect APs
Hi all,
I have few questions - if anybody was solving the same problem.
My situation : few branches with Flexconnect APs (in every of them). APs are set for some SSIDs as locally switched (to save WAN connectivity) and some are centrally switched. WLC code 7.4.
I was very looking forward to implement AVC. AVC works fine but only on centrally switched SSID - this is a big problem.
Is there any chance how to export traffic info for locally switched SSID?
I was wondering if LAP can serve as Netflow source (when I'm unable to see AVC data)?
Any idea?
ThnxHI,
First: AVC will not work if you have locally swicthed.
if you checked the local switching under the SSID, then the AP will handle the traffic on its own, without sending the packets to the WLC, hence the WLC does not know what the users are using.
2nd : http://mrncciew.com/2013/02/12/configuring-netflow-on-wlc-7-4/
Reagrds -
Hi,
I have a customer requiring NetFlow data sent to them from the PE router. Is there a way to enable NetFlow only for a specific VRF?Hi Carlos,
Thanks a lot for the response. It is quite helpful. This doc describes a case in which NetFlow is sent to provider collector.
I want the NetFlow source interface and destination collector address are in the same VPN so that it can be sent to the customer collector. Otherwise, because of IP address space overlapping, it's quite complex to 'NAT' addresses to get to the customer destination via the backbone netowrk.
Thanks again. -
Netflow not reporting Egress traffic on 6509 Vlan
Hi...
We have a pair of 6509 working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANS,
VLAN 10 - Servers Vlan
VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
I configured the netflow source VLAN 11 although I am not collecing any netflow from it.
Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via TRANSIT/ASA VLAN(9) does not get reported, I even tested with 4 GB traffic but no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
I read somewhere that egress netflow is not supported in 6500, but isnt traffic originating from a user vlan to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)?
I would like to know whether bidirectional Netflow is supported on 6500 VLANS. I have mimimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and Monitoring this Transit Vlan gives me extremely useful info.
I do get netflow biderectional traffic from the Server Vlan 10, but I think it is correlated by the netflow collector from vlans 9 and 10
Below is a show run | inc flow
ip flow-cache timeout active 1
ip flow ingress layer2-switched vlan 9,10
mls netflow interface
mls flow ip interface-full
interface vlan 9
ip flow ingress
ip flow egress
interface vla 10
ip flow ingress
ip flow egress
ip flow-export source vlan11
ip flow-export version 9
ip flow-export destination 10.10.10.10 2055
All help is appreciated.
ThanksHi,
So if I want to capture traffic out only one specific interface is there any option to do that in catalyst 6500.
If I made only that specific interface in another vlan and if under the interface vlan , I give "ip flow ingress" will this capture the outgoing traffic through the interface while it is doing intervlan routing. Also is it must to give ip address in that vlan interface ? Please clarify. -
Looking for a Cisco config doc that talks at Netflow reporting via SNMPv3.
We have serveral routers (7600) that do not support Netflow (only on flexwan card), so our plan is to use SNMPv3 reporting.
I have a Cisco Netflow document reporting via SNMPv2c but cannot find any good examples using SNMPv3.
Thanks
FrankHello Racquel,
You cannot explicitly view netflow messages within MARS. Once the MARS starts to see a flow of netflow messages it will collect and collate the information for 7 days (including a weekend). This will then produce a baseline for this netflow source. After 7 days MARS will switch from collecting to monitoring. In monitoring state MARS will, using predefined internal metrics, determine if newer netflow records indicate exceptional traffic. If this is the case, then the MARS will generate an incident on the GUI. Over time, the MARS will adjust the baseline values using the received netflow records.
If you select to store IOS or ASA netflow records (admin -> system setup -> netflow configuration), then the records will be written to the internal database and archived (if configured). This will impact disk usage but would mean that if you needed to recover the MARS from archive after failure (re-image or RMA) then you could recover the baseline settings. Also, if you write them to disk, you can then export the raw netflow records to a file (admin -> system maintenance -> retrieve raw messages), but you need will to provide some external means of processing them.
Matthew -
What is "Source ID" in Netflow V9 Packet Header
Hi,
My question is regarding the "Source ID" field that appears in Netflow V.9 packet header. Following Cisco link (http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.pdf) gives Source ID definition as -
"The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device."
I am using "Source ID" (combined with template id) to uniquely identify options templates exported by different routers. At our new lab setup where we have more than one routers configured to export Netflow, I observed that all the routers were exporting "Source ID" value as "0"(zero). It failed my assumption that I had formed based on definition from above Cisco doc.
I assumed -
SourceID Template Id Unique Key
source1 256 source1-256
source1 257 source1-257
source2 256 source2-256
source3 258 source3-258
But, I observed
SourceID Template Id Unique Key
0 256 0-256
0 257 0-257
0 256 0-256
0 258 0-258
Thus, same template id(256) from different routers(source1, source3) eventually form same unique key and breaks my code.
I would like to know if my interpretation that Source ID can be used to uniquely identify templates in this manner is correct or not ?
Is "Source ID" user configurable attribute ? How does it comply to the definition given in above Cisco doc ?
Thanks,
DeepakDeepak,
Consider these quotations from the same RFC 3954:
Section 2: Terminology:
Observation Point
An Observation Point is a location in the network where IP packets
can be observed; for example, one or a set of interfaces on a network
device like a router. Every Observation Point is associated with an
Observation Domain.
Observation Domain
The set of Observation Points that is the largest aggregatable set of
flow information at the network device with NetFlow services enabled
is termed an Observation Domain. For example, a router line card
composed of several interfaces with each interface being an
Observation Point.
Section 7: Template Management:
A NetFlow Collector that receives Export Packets from several
Observation Domains from the same Exporter MUST be aware that the
uniqueness of the Template ID is not guaranteed across Observation
Domains.
Section 9: The Collector Side:
At any given time the Collector SHOULD maintain the following for all
the current Template Records and Options Template Records: Exporter,
Observation Domain, Template ID, Template Definition, Last Received.
Note that the Observation Domain is identified by the Source ID field
from the Export Packet.
So in other words, the Source ID is an identifier of the Observation Domain (and in fact, the IPFIX RFC calls this header field directly as Observation Domain ID). Template IDs are unique per Exporter and per Observation Domain, and if a single Exporter uses multiple templates in its different Observation Domains, the IDs of these templates could overlap even in a single Exporter. Observation Domain IDs (that is, Source IDs) identify only the internal structure of a single Exporter, and no provisions are done to preserve their uniqueness across multiple Exporters - for this, the source IP shall be used.
With respect to whether there can be multiple NetFlow instances on a single router, I am getting a feeling that with decentralized, distributed platforms, multiple linecards in a single router could run their own NetFlow analysis for data that pass through them, so each one provides a separate NetFlow collection. Thus, each linecard or each feature card doing its own NetFlow analysis should be assigned its own unique Observation Domain ID.
If it is not user configurable then system should automatically form the value based on router engine and line card. But what I have observed, at more than one routers, is that this value is always 0(zero).
I believe this is strongly dependent to the hardware construction of the router. As a remotely-related example, old 2600 series routers had two WIC slots. If you inserted two WIC-2T modules into these slots, you'd expect that they would be numbered Serial0/0, Serial0/1, Serial1/0, Serial1/1. Very surprisingly, however, these routers considered both slots to be internally connected to a single bus, and the interfaces were named Serial0/0, Serial0/1, Serial0/2 and Serial0/3 - as if they all were installed in a single slot '0'. Something similar may happen to the Observation Domains and their IDs. You would believe that each single linecard constituted a separate Observation Domain. However, the reality may be different, and the whole router can act as a single Observation Domain to the outside world. It's just the way it is constructed - and programmed.
It is not clear why Cisco doc says that one should use both "Source ID" and "Source IP Address" to properly distinguish between flows.
I think it's a poor wording in the RFC. I think what they want to say is that if you use the duplet <Source IP, Source ID> to distinguish between flows, then you're fine both for multiple flows from the same Exporter, and for multiple flows from different Exporters.
Moreover, isn't "Source IP Address" good enough to distinguish between flows from different sources ?
If an Exporter could truly be partitioned into multiple Observation Domains then the source IP would not be sufficient. I am just making up examples with no real-life backup here, but think of, say, a multi-chassis router with each chassis being one Observation Domain, or each linecard of a distributed switch being a standalone Observation Domain, or one router virtualized to several different contexts and virtual routers, each of them being a unique Observation Domain, reporting about the flows using the same source IP... I think you get the point.
I would put it this way... The existence of Source ID in NetFlow v9 (and Observation Domain ID in IPFIX) allows these protocols to nicely cope with situations in which a single physical device can be partitioned into several Observation Domains and perform independent reporting on them using a single source IP. However, the fact that these protocols have this ability does not mean that each and every device, even a Cisco router/switch, must necessarily make use of it.
Best regards,
Peter -
5508 pair show "Down" as data sources for Netflow
I've setup my 5508s to monitor and export netflow to Cisco Prime Infrastructure but no data populates in the expected tabs. When I check Admin-> Data Sources they show up as "down", while other netflow exporters (ASA1000s I used to test) show as "up". I verified in the WLC CLI that they are exporting flows. Thoughts?
WLC show flow exporter stat:
Exporter-name: CiscoPrime
Total Flows Sent: 69536
Total Pkts Sent: 4021
Total Pkts Dropped: 0
Last Sent Time: Thu Aug 15 15:24:29 2013Hi Marcin,
You are most welcome my friend I think the great NetPros in this thread
offer some excellent tips and strategies for this plan as well as the restrictions
you will encounter moving forward. You will likely want to make the 5508 the
primary controller with an eye on moving away from the 4400 at some point
due to it's EoL and inability to run the latest code versions.
Cheers!
Rob
"Show a little faith, there's magic in the night" - Springsteen -
Can anyone please recommend a good open source netflow analyzer?
Thank you in advance for your suggestions.
Regards,http://www.cisco.com/en/US/prod/iosswrel/ps6537/ps6555/ps6601/networking_solutions_products_genericcontent0900aecd805ff72b.html
-
Flexible Netflow (v.9) question on 3850 ipservices doesn't seem to register
Greetings all - I am trying to enable netflow on a new 3850-24 with ipservices. I am leveraging LiveAction and have raised a ticket with them to help me through the issue, but more generally I'm confused about the lack of features I'm seeing. Per the 3850 guide here (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html) it is stated that you will have the option of turning on inbound and outbound directions on 3850's with ipbase and ipservices.
We are running ip services:
Slot# License name Type Count Period left
1 ipservices permanent N/A Lifetime
However, we get the following error when trying to turn on flow inbound and outbound on the interfaces - whether they are svi (layer3) or interface (layer2)
-----------------Layer2: ----------------------------------------------
(config)#interface GigabitEthernet1/0/24
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR'
Unsupported match field "interface input" for ipv4 traffic in output direction
Unsupported collect field "interface output" for ipv4 traffic in output direction
---------------- Layer3 ---------------------------------------------
switch(config)#interface Vlan190
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
------------------------------------ untruncated output ------------------------------
switch(config-flow-record)#collect counter bytes
% Incomplete command.
switch(config-flow-record)#collect counter packets
% Incomplete command.
switch(config-flow-record)#collect flow sampler
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect interface output
switch(config-flow-record)#collect ipv4 destination mask
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 dscp
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 id
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 source mask
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 source prefix
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect routing destination as
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect routing next-hop address ipv4
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect routing source as
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect timestamp sys-uptime first
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect timestamp sys-uptime last
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect transport tcp flags
switch(config-flow-record)#exit
switch(config)#flow monitor LIVEACTION-FLOWMONITOR
switch(config-flow-monitor)#$ DO NOT MODIFY. USED BY LIVEACTION.
switch(config-flow-monitor)#exporter LIVEACTION-FLOWEXPORTER
switch(config-flow-monitor)#cache timeout inactive 10
switch(config-flow-monitor)#cache timeout active 60
switch(config-flow-monitor)#record LIVEACTION-FLOWRECORD
switch(config-flow-monitor)#exit
switch(config)#interface Vlan197
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#exit
switch(config)#interface Vlan190
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
-------------------- config it's trying to apply----------------------------
config t
ip cef
snmp-server ifindex persist
flow exporter LIVEACTION-FLOWEXPORTER
description DO NOT MODIFY. USED BY LIVEACTION.
destination <removed private IP address to liveaction server>
source Loopback0
transport udp 2055
template data timeout 600
option interface-table
exit
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
exit
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
exit
interface Vlan197
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface Vlan190
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/13
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/18
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/4
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/3
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/6
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/5
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/23
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/24
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR outputWelcome to the Arch forums. That was an amazing first post. It is refreshing to see a new forum member actually post with as much detail as possible in order to explain the situation. Too often we get people saying things like "I can't get to the internet... why?" as the extent of their post. So thanks.
So I am curious about what the dhcpcd is trying to do. It seems to be trying to soliciting for a ipv6 address, but mentions nothing about in ipv4 address. It is not unfortunately not entirely uncommon for dhcpcd to time out waiting for an ipv6 address that never comes. So are you using ipv6? Do you expect an ipv6 address? I noticed that when you tried to ping the google DNS server, you used their ipv4 address (8.8.8.8). So I am thinking that means you are actually using ipv4.
I wonder if you might be able to poll for just an ipv4 address with dhcpcd. Just run it with -4 and it should disable the ipv6 stuff. You might also want to try dhclient and see what kind of output it gives you. If you are definitely not using ipv6, and it is not offered in your area, you might want to disable it. There are instructions in the wiki on how to do this... but you might want to wait until you establish the issue before doing things like that. -
Netflow is not showing on prime infra 1.2 and also reports are not generating
Hi friends,
I add my router to cisco prime for netflow and configured it by temelate as mentioned by cisco in deployment guide. I got netfloe till last friday but today i am getting anyflow on prime.
second I am not able to generate raw netflow.
how can i removed any device from data sources ifthis is nolonger present there. for better understanding i am also ataching the snapshot.Hi,
Thanks
Yes I have configured the command âaaa accounting exec default start-stop group tacacs+â
As I have mentioned all the other reports are working. Which user and when he has logged in and what commands he has used. Only the TACAS+ Accounting and logned user is not working.
Regards,
Vineet -
Hi,
I'm trying to capture an ingress traffic on SVI interface of my Cisco 6506 (WS-C6506-E).
I've enabled NetFlow on the Multilayer Switch Feature Card (MSFC):
ip flow-export source Vlan254ip flow-export version 5ip flow-export destination 172.23.100.21 2055
Enabled NetFlow and NetFlow Data Export (NDE) on the Policy Feature Card (PFC):
ip flow ingress layer2-switched vlan 130mls netflow interfacemls flow ip interface-destinationmls nde sender version 5mls aging fast threshold 127mls aging long 1000mls sampling time-based 512mls cef error action resetmls netflow sampling
and on the monitorable interface:
interface Vlan130 ip address 172.23.170.2 255.255.255.0 ip flow ingress mls netflow sampling standby 1 ip + timers + priority + preempt + authentication
Now I'm trying to see capruted flows. The point is I can't see flow's source address, source and destination port, and L4 protocol for unicast flows:
Cat6506-LAN1#sh mls netflow ipDisplaying Netflow entries in Active Supervisor EARL in module 5DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr-----------------------------------------------------------------------------Pkts Bytes Age LastSeen Attributes---------------------------------------------------172.23.131.5 0.0.0.0 0 :0 :0 Vl130 :0x0202 52554 2 17:04:35 L2 - Dynamic0.0.0.0 0.0.0.0 0 :0 :0 -- :0x013312 6807977 2 17:04:35 L3 - Dynamic172.23.170.64 0.0.0.0 0 :0 :0 Vl130 :0x00 0 2 17:04:34 L2 - Dynamic172.23.170.123 0.0.0.0 0 :0 :0 Vl130 :0x00 0 2 17:04:35 L2 - Dynamic224.0.0.2 172.23.170.3 udp :1985 :1985 Vl130 :0x02 156 1 17:04:35 Multicast
224.0.0.2 172.23.170.3 udp :1985 :1985 Vl130 :0x08 624 6 17:28:03 Multicast172.23.170.181 0.0.0.0 0 :0 :0 Vl130 :0x00 0 5 17:28:03 L2 - Dynamic
The same output info I get on my NetFlow collector.
Anybody know a reason what can prevent of collecting flows correctly?
Thanks.might want to change the flow mask to full instead of destination. I think that should give you the rest of the info. chris
-
Netflow on 6509 in Native Mode from Vlan Interface
I'm trying to get a 6509-E, running Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.
2(33)SXI9, RELEASE SOFTWARE (fc2), to send netflow traffic from a vlan interface to a Solarwinds server.
The server is not seeing all the vlan traffic, but does see all the traffic on the layer 2 ports (not netflow).
I've seen that a command, ip flow ingress layer2-switched vlan, needs to be enabled, but the OS I have does not support that command.
Or could it be that MLS is not configured except for a couple commands:
mls netflow interface
mls cef error action reset
netflow setup:
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 10.31.101.1 (Vlan52)
Destination(1) 10.30.2.196 (2055)
Version 5 flow records
14927339 flows exported in 615072 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to Card not being able to export
interface:
interface Vlan52
description AN.VDI.stu
ip address 10.31.101.1 255.255.255.0
ip helper-address 10.31.149.200
no ip redirects
ip flow ingress
ip flow egress
ip pim neighbor-filter 98
ip pim sparse-dense-mode
ip cgmpEnabling MLS was the fix.
mls netflow interface
mls flow ip interface-full
mls nde sender version 5
mls cef error action reset -
How to: Netflow on a L3 Switch WS-C3560X-48P
Hello Community,
I want to use netflow on our l3 switches. But my configurations dont work.
What is my mistake?
Modell: WS-C3560X-48P
Software Version: 15.0(1)SE3
My Config:
interface vlan 250
ip flow monitor Monitor-FNF input
ip flow monitor Monitor-FNF output
flow record Record-FNF
description Flexible NetFlow with NBAR Flow Record
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect routing next-hop address ipv4
collect transport tcp flags
collect interface output
collect counter bytes
collect counter packets
flow exporter Export-FNF
description DescriptionTEXT
destination [NetFlow collector IP address]
source vlan50
transport udp 9001
export-protocol netflow-v9
flow monitor Monitor-FNF
description FNF/NBAR Application Traffic Analysis
record Record-FNF
exporter Export-FNF
cache timeout active 60
cache timeout inactive 10Silly question but do you have a network services module installed?
From the documentation: "Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image."
It actually also mentions: "NetFlow analysis is performed on traffic crossing the physical interfaces on the network services module."
Sourced from here: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmnetflow.html
Maybe you are looking for
-
I initial received the msg that Firefox is still running in the background and won't open. I check the Task Mgr and Firefox was not running. My storage is only 50% utilized. I finally reinstall Firefox and the new msg "Could not initialize the applic
-
Just bought new MacBook Pro and can't get FCP Studio to load on it. Any Help!
I just bought a new MacBook Pro and I tried to load FCP Studio on it and it says it does not support it. I use FCP Studio 2 and I need to use it as I don't know FCP X. Any suggestions. I currently have FCP Studio 2 on a 2008 Mac Pro with Maverick on
-
Setting BitmapImage source inside the skin
Hi all As a Flex 4 newbie, I've been banging my head for two days trying do to something that could seem pretty trivial to you (and to me as well at first sight) but lefted me completely clueless... I want to design a fairly simple custom component u
-
Anyone experience "Zap" sound after loading Mavericks
I loaded Mavericks and then Parallels 9 on my MacBook Pro. Immediately following that upgrade, I began to hear at irregular intervals a zapping sound, like an arcing. The sound would immediately proceed some other sound (beep for an event for instan
-
Read out loud, adding audio, access, TeX
I want to prepare online math course material for visually impaired. 1) Best approach seems to be to personally read the material and save/attach audio files to small sections of text. Is this possible with the free Adobe Reader? Is there documentati