Enable NetFlow ASA 8.0(5)

Hi team,
Let me know if NetFlow could be enabled in the version
Appliance Software Version 8.0(5). (ASA 5550).
I reviewed the Cisco document, which mentions that this functionality is available in version 8.1 or superior.
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html#anchor5
But I need to be sure, please.
I hope for your comments/suggestions.

No, it is not supported on ASA 8.0(5).
ASA software version 8.1(1) introduced Netflow support for the ASA appliances. The release notes (and appropriate section of the command reference) note this explicitly.

Similar Messages

  • ASA 8.2(5) enable Netflow

    Hi,
    Running ASA 8.2.(5) with ASDM 6.4(5).
    When I try to enable netflow on my <default inspection traffic> policy which is global I get a message saying "only inspect rule actions can be specified for the default inspection traffic".  As Netflow can only be applied as a global service policy, I have to use netflow on a global policy, but how do I use my traffic inspection policy then?
    Create multiple service policies I apply to each interface or?
    According to https://supportforums.cisco.com/docs/DOC-6114 it looks as if I can have both at the same time or in the same global policy?
    Regards
    Robert

    Hmm, it seems I can't create a new class-map with ASDM? I have no option to do that.
    Looking at:
    https://supportforums.cisco.com/docs/DOC-6113
    It says:
    Most users will have a global inspection policy so we can just leverage that. It should be noted that we can't use class-default here because we won't generate NetFlow data for anything that is subject to inspection.
    Is that not what my original message from ASDM is basically saying?
    Robert

  • Enabling netflow on a 2504 controller

    I just completed setting up an AIR-CT2504-K9 controller with 9 APs with RADIUS on the private WLAN and an open guest WLAN; I want to enable netflow exports to a collector, but see no place in the GUI to do this and no obvious CLI commands.
    Could someone please point me in the right direction?
    Thanks,
    M

    Is this what you are looking for?
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Enabling Netflow on Production 6500 Core switch

    Hi All,
    I am looking for a little expert advice regarding Cisco NetFlow. For monitoring I need to enable the NetFlow feature on a 6500 core switch or 6500 load balancer with CSM module installed, but I am just concerned about the CPU hits on the devices. We are not using any dynamic routing protocols. Can someone please advise how it will affect the local resources when using NetFlow? Is it fine if I enable this feature on these devices in production?
    Thanks in advance,

    Hi Mudassar,
    Enabling netflow will not have a major impact on CPU or memory but you will want to keep a close eye on the switch's TCAM utilisation. Features like netflow, TCP intercept and WCCP can use resources from “NetFlow TCAM Table”.
    Use the "show mls netflow table-contention detailed" command to monitor TCAM utilisation.
    Regards
    Brett

  • Netflow- IOS vs ASA

    Hello,
    What is the difference between NetFlow on IOS and ASA?
    Also, I want to know: does the Next-Generation ASA (ASA with FirePower) have NBAR2 features as available on IOS ISR-G2?
    Or do they still use the old NSEL feature?
    Thanks,

    Hi,
    I think this would help:-
    https://supportforums.cisco.com/document/30471/netflow-asa
    Thanks and Regards,
    Vibhor Amrodia

  • Can MPLS aware Netflow ver. 9 be enabled on the catalyst switches 6500

    Hi, I'm working for KOREA TELECOM, currently providing MPLS VPN.
    We're planning to provide our customers with traffic reports using NetFlow.
    I read some documents which say NetFlow ver. 9 can be enabled on the Cisco GSR 12000 Series, but there is no mention of Catalyst switches. So I'm curious whether NetFlow ver. 9 can be activated on the Catalyst 6500 series, because the point where the switch is located already has MPLS-encapsulated packets (MPLS VPN packets).
    Thank you in advance.

    NetFlow is now integral to Cisco 6500. A configuration we recommend is as below:
    ! Enable NetFlow on the Supervisor.
    mls netflow
    mls nde sender version 7
    ! Break up long-lived flows into (roughly) one-minute segments.
    mls aging long 64
    ! Ensure that flows that have finished are exported in a timely manner.
    mls aging normal 32
    mls flow ip interface-full
    mls nde interface
    The next two commands will help to enable NetFlow data export for bridged traffic, which is optional. You can specify the list of VLANs here to enable bridged traffic.
    ip flow ingress layer2-switched vlan {vlan_list}
    ip flow export layer2-switched vlan {vlan_list}
    Apart from this, NetFlow has to be enabled on the MSFC using the below commands.
    ! This command has to be executed on all the L3/VLAN interfaces.
    ip flow egress
    ! The hostname or IP address of the flow server.
    ip flow-export destination {hostname|ip_address} 9996
    ! The interface through which NetFlow packets are exported, e.g. Loopback0.
    ip flow-export source {interface}
    ip flow-export version 9
    ip flow-cache timeout active 1
    snmp-server ifindex persist
    The new Cisco Flexible NetFlow actually allows for export of MPLS specific information (I believe it is stack labels) in addition to information on IP address, port, etc. But you will need a tool that can support these additional fields. Otherwise you can view IP, port, protocol, etc. related information from MPLS links.
    Regards,
    Don Thomas Jacob
    ManageEngine NetFlow Analyzer

  • Cisco Prime Infrastructure 2.0 and ASA 55xx platform problem

    Hello,
    We recently upgraded to Prime Infrastructure 2.0 with the hope being able to manage our ASA's from PRIME (and complete an LMS migration).
    When I attempt to add ASA's to Prime I get the following collection errors:
    Unable to collect processor and RAM information. Processor and RAM information. Unexpected error. See the log file inventory.log for details.
    In the logfile I get the following XML parsing error on the MIB:
    <palError>
      <deviceId>6284310032</deviceId>
      <code>VALIDATION_ERROR</code>
      <message>Failed to validate output XML: cvc-maxInclusive-valid: Value '3484331296' is not facet-valid with respect to maxInclusive '2147483647' for type 'int'.</message>
      <result>
        <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/CISCO-MEMORY-POOL-MIB/xmp-im-file-system-module.xsd">
          <xmp-im-file-system-module>
            <MemoryPoolStatistics>
              <memoryPoolIndex>1</memoryPoolIndex>
              <free>4294967295</free>
              <largestFree>4294967295</largestFree>
              <used>3484331296</used>
            </MemoryPoolStatistics>
    To me it seems that the ASA returns a value that is bigger than int32 and thus causes an overflow? Any clues? Workarounds to add an ASA to Prime without checking these MIBs?
    Regards,
    Marcel

    Hi,
    does anyone happen to know if that problem is fixed? My currently setup looks like this:
    1. Cisco Prime Infrastructure 2.1 with updated device pack.
    2. Assurance license
    3. ASA5510 which has enabled netflow. Netflow is being sent to Cisco Prime 2.1
    I do receive netflow raw data within Cisco Prime 2.1 but any graphical display of netflow data is not working. Does anybody have an idea where the problem is? Could it be that the graphical data is only displayed when sending netflow 1, netflow 5 or netflow 7?
    regards
    Maurus

  • ASA 5505 VPN HELP!!!

    I have two ASA 5505's.  One is currently set up as my firewall connected to the Cox Cable modem and wireless AP.  I have another ASA that I would like to use; I have an idea that I could set that one up as a VPN unit, but I am not sure how I could do that.  If that is not an option, can you provide the command line instructions on how to set up the VPN via the console cable?  I am kind of new and I am slowly trying to become more knowledgeable about this.  Any help would be greatly appreciated.
    Thanks,
    Jon
    My current Config:
    ASA Version 8.2(3)wn coldstart' comm
    !d
    hostname Wood-ASA1-if
    %ASA-5-111008:
    domain-name lv.cox.net the 'inspect ip-optio
    enable password 8Ry2YjIyt7RRXU24 encrypted8cb69fe 20cfb60adisk0:/asa823.bin      
    passwd 2KFQnbNIdI.2KYOU encrypteded the 'service-policy global_pol
    namesobal'
    !a
    interface Ethernet0/0in        ^         
    switchport access vlan 2%ASA-5-
    command.ser 'Con
    !S
    interface Ethernet0/1ig' executed the 'pro
    !t
    interface Ethernet0/2mand.tics access-lirv
    interface Ethernet0/3 securi
    rd DfltAccess
    !l
    interface Etherne              
    interface Vlan1ecuted the 'pro
    nameif inside' command.omma
    security-level 100
    %ASA-5-111008: Use
    ip address 192.168.1.1 255.255.255.01008: User 'Config' executed the 'no
    !t
    interface Vlan2 the '
    %ASA-5-1
    nameif outsidefig' executed t
    security-level 0-5-111008: User '
    ip address dhcp setrouteination address http http
    boot system disk0:/asa823-k8.bing' executed the 'class-map inspe
    boot config disk0:/asa823.binom/its/service/oddce/services
    ftp mode passivemand. User 'Conf
    dns server-group DefaultDNS User 'Config' execut
    %ASA-
    domain-name lv.cox.netexecuted the 'destinati
    object-group icmp-type ICMP-INBOUNDation linkup linkdown coldstart' co
    description Permit necessary inbound ICMP trafficand.'policy-map type
    %ASA-5-111008: User 'Config'
    icmp-object echo-replyon transport-method htt
    icmp-object unreachable
    s_map' command.t
    icmp-object t            
    %ASA-
    logging buffered warningsecuted the 'subscribe-to-
    logging asdm notificationsxecuted t
    %ASA-5-111008: U
    mtu inside 1500cuted the 'poli
    mtu outside 1500ct
    riodic month
    icmp unreachable rate-limit 1 burst-size 1-111008: User 'Config' executed the 'subsc
    asdm image disk0:/asdm-625.bino5-111008: User 'Config' execu
    no asdm history enablemmand.outside' command
    arp timeout 14400monthly' command.
    nat-control
    %ASA-5-111
    global (outside) 1 interfacenfig' executed the 'subscrib
    nat (inside) 1 0.0.0.0 0.0.0.0andasa# threat-detec
    d.n
    %ASA
    access-group INBOUND in interface outside08: Us
    riodic daily' command.e          
    timeout xlate 3:             
    aaa authentication ssh console LOCALe Ethernet0/5, changed state to admi
    http server enableas
    %ASA-5-111008:
    http 192.168.1.0 255.255.255.0 inside' executed the
    %ASA-4-411003: Interfa
    no snmp-server locationstate to administra con
    no snmp-server contact                     
    telnet timeout 5# nat-contr
    %ASA
    ssh 0.0.0.0 0.0.0.0 insideec
    %ASA-4-411001: Line pro
    ssh 0.0.0.0 0.0.0.0 outside/3, changed state to upomma
    ssh timeout 5SA-5-111
    %ASA
    console timeout 0onfig' executed t
    dhcpd dns 8.8.8.8 8.8.4.4ne protocol on Interface
    dhcpd auto_config outside to ups_map' com
    %ASA-5-1
    !0
    dhcpd address 192.168.1.2-192.168.1.33 insideommand
    enableR: % I
    Password:SA-5-1110
    Wood-A
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside: Uname: enable_15 From: 1 To:pect netbios
    dhcpd enable insidescoas
    %ASA-5-111008
    !U
    threat-detection basic-threat%ASA-5-111008: User 'enable_1
    threat-detection statistics acce
    .0.0.0 0.0.0.        
    parametersprompt host
      message-length maximum client auto1008: User 'enable_15' executed the
      message-length maximum 512A-5-111008: User 'Config' ex
    policy-map type inspect dns prsent_dns_map 0/0' command. executed the 'inspe
    no shut
    parametersA-5
    Wood-AS
      message-length maximum 512 Interface Ethernet0/0, chan
    policy-map global_policyg' executed the 'inspect
    class inspection_defaultA-5-111008: User 'Con
    ini
      inspect dns preset_dns_map
    %ASA-5-111008: User 'enable
      inspect ftpthe 'no shutd
      inspect h323 h225111008: User 'Confi
      inspect h323 rasstination address
      inspect rsh1001: Line pr
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DD
    CEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:c3a35118ab34143a5e73e414ead343c1

    For sure you can do this with the ASA; see the following configuration example:
    http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080950890.shtml
    cheers.

  • Flexible Netflow (v.9) question on 3850 ipservices doesn't seem to register

    Greetings all - I am trying to enable netflow on a new 3850-24 with ipservices.  I am leveraging LiveAction and have raised a ticket with them to help me through the issue, but more generally I'm confused about the lack of features I'm seeing. Per the 3850 guide here (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html) it is stated that you will have the option of turning on inbound and outbound directions on 3850's with ipbase and ipservices.  
    We are running ip services:
     Slot#  License name   Type     Count   Period left 
     1      ipservices   permanent     N/A   Lifetime
    However, we get the following error when trying to turn on flow inbound and outbound on the interfaces - whether they are svi (layer3) or interface (layer2)
    -----------------Layer2: ----------------------------------------------
    (config)#interface GigabitEthernet1/0/24
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' 
    Unsupported match field "interface input" for ipv4 traffic in output direction
    Unsupported collect field "interface output" for ipv4 traffic in output direction
    ---------------- Layer3 ---------------------------------------------
    switch(config)#interface Vlan190
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    ------------------------------------ untruncated output ------------------------------
    switch(config-flow-record)#collect counter bytes
    % Incomplete command.
    switch(config-flow-record)#collect counter packets
    % Incomplete command.
    switch(config-flow-record)#collect flow sampler
                                                        ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect interface output
    switch(config-flow-record)#collect ipv4 destination mask
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 dscp
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 id
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 source mask
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 source prefix
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect routing destination as
                                                   ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect routing next-hop address ipv4
                                                   ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect routing source as
                                                   ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect timestamp sys-uptime first
                                                             ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect timestamp sys-uptime last
                                                             ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect transport tcp flags
    switch(config-flow-record)#exit
    switch(config)#flow monitor LIVEACTION-FLOWMONITOR
    switch(config-flow-monitor)#$ DO NOT MODIFY. USED BY LIVEACTION. 
    switch(config-flow-monitor)#exporter LIVEACTION-FLOWEXPORTER
    switch(config-flow-monitor)#cache timeout inactive 10
    switch(config-flow-monitor)#cache timeout active 60
    switch(config-flow-monitor)#record LIVEACTION-FLOWRECORD
    switch(config-flow-monitor)#exit
    switch(config)#interface Vlan197
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#exit
    switch(config)#interface Vlan190
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    -------------------- config it's trying to apply----------------------------
    config t
    ip cef
    snmp-server ifindex persist
    flow exporter LIVEACTION-FLOWEXPORTER
    description DO NOT MODIFY. USED BY LIVEACTION.
    destination <removed private IP address to liveaction server>
    source Loopback0
    transport udp 2055
    template data timeout 600
    option interface-table
    exit
    flow record LIVEACTION-FLOWRECORD
    description DO NOT MODIFY. USED BY LIVEACTION.
    match flow direction
    match interface input
    match ipv4 destination address
    match ipv4 protocol
    match ipv4 source address
    match ipv4 tos
    match transport destination-port
    match transport source-port
    collect counter bytes
    collect counter packets
    collect flow sampler
    collect interface output
    collect ipv4 destination mask
    collect ipv4 dscp
    collect ipv4 id
    collect ipv4 source mask
    collect ipv4 source prefix
    collect routing destination as
    collect routing next-hop address ipv4
    collect routing source as
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last
    collect transport tcp flags
    exit
    flow monitor LIVEACTION-FLOWMONITOR
    description DO NOT MODIFY. USED BY LIVEACTION.
    exporter LIVEACTION-FLOWEXPORTER
    cache timeout inactive 10
    cache timeout active 60
    record LIVEACTION-FLOWRECORD
    exit
    interface Vlan197
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface Vlan190
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/13
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/18
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/4
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/3
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/6
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/5
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/23
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/24
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output

    Welcome to the Arch forums.  That was an amazing first post.  It is refreshing to see a new forum member actually post with as much detail as possible in order to explain the situation.  Too often we get people saying things like "I can't get to the internet... why?" as the extent of their post.  So thanks.
    So I am curious about what dhcpcd is trying to do.  It seems to be trying to solicit an ipv6 address, but mentions nothing about an ipv4 address.  It is unfortunately not entirely uncommon for dhcpcd to time out waiting for an ipv6 address that never comes.  So are you using ipv6?  Do you expect an ipv6 address?  I noticed that when you tried to ping the google DNS server, you used their ipv4 address (8.8.8.8).  So I am thinking that means you are actually using ipv4.
    I wonder if you might be able to poll for just an ipv4 address with dhcpcd.  Just run it with -4 and it should disable the ipv6 stuff.  You might also want to try dhclient and see what kind of output it gives you.  If you are definitely not using ipv6, and it is not offered in your area, you might want to disable it.  There are instructions in the wiki on how to do this... but you might want to wait until you establish the issue before doing things like that.

  • When ip cef is enable timeouts occur

    First, I want to enable NetFlow on our routers, and in order to do that I need to enable IP CEF. But when I enable CEF, all of the point-to-point VPN sites connected to the router stay connected, but the terminals that connect to our Citrix farm will not connect; from what I can tell they time out on the connection. Disabling CEF, they can connect; enabling CEF, they can't connect.
    This is really odd behavior since we can still remotely access the site, but the terminals just can't connect when IP CEF is enabled.
    I attached the config of the router; I removed the tunnels and other various things that are not relevant (I believe).

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    I'm not 100% certain, but I believe FastSwitching and CEF switching apply to unicast, not multicast.  Your "IP mroute-cache" command enables/disables fast multicast switching.
    On a 3750, switching should be hardware based, for unicast and multicast, unless TCAM resources are insufficient.  If hardware switching falls back to non-hardware switching, you'll likely find process vs. Fast vs. CEF vs. multicast doesn't matter, all too slow.

  • Cisco ASA and Internal Hosted Website

    I have a Cisco ASA 8.4. I have an internal website for an application that they use both internally and externally (app.domain.com/app is 10.0.0.3). The company that hosts their external website and DNS created a record that points http://app.domain.com/app to their public IP 1.2.3.4. Externally everything works great; I have a port forward for 80 working.  The problem is that when the users bring their laptops in to the office they are unable to get to the internally hosted website. I think the firewall is having an issue letting the traffic back in. If I use the internal DNS and create a zone for domain.com with an A record for app.domain.com and point it to 10.0.0.3, the internal address, it works.  Of course when they try to access the external website it does not work. So if I create an A record that points to the web host's address, it kind of works... parts of the website don't come up. I really think there is something like a hairpin or u-turn that needs to be done. Oh, by the way, this is my first real experience with an ASA. The Symantec Gateway they had worked great. I looked in the config and there were no hairpin or crazy rules, just the standard port forward for 80.  Any ideas? I have tried several suggestions I found on the web, but none have worked.
    Thanks
    Nick

    Hi,
    The main problem with such a setup (from the ASA's perspective) is usually that the NAT for the server is configured from a certain source interface towards some destination interface.
    You might for example have this configuration
    object network WEB-SERVER
    host 10.0.0.3
    nat (inside,outside) static interface service tcp 80 80
    This would enable connectivity from behind the "outside" interface towards which the translation is configured, but not from behind "inside".
    I am not sure how different vendor firewalls handle this situation if you say that you only had the original Static PAT configuration towards the external interface.
    If you wanted to enable connectivity to the public IP address from your LAN you would have to make a NAT towards the "inside" interface from the "inside" interface. And that's not all. You would also have to configure Dynamic PAT for the source hosts on the LAN behind "inside". The reason for this is that the ASA needs to see the whole TCP conversation between the client/server and since we PAT all the users to the ASA "inside" interface IP address that makes sure that ASA sees the whole conversation between the hosts.
    So you could try this configuration on the ASA
    object network PUBLIC-IP
    host
    object network WEB-SERVER
    host 10.0.0.3
    object network LAN
    subnet
    nat (inside,inside) 1 source dynamic LAN interface destination static PUBLIC-IP WEB-SERVER
    The above configuration would essentially look for connections coming from behind the "inside" interface from a source address belonging to LAN to the destination IP address of PUBLIC-IP and proceed to UN-NAT the PUBLIC-IP to WEB-SERVER and PAT the source address to "interface" (inside interface IP address).
    You would also perhaps need to add this command
    same-security-traffic permit intra-interface
    This enables the ASA to pass traffic through the same interface that the traffic arrived in. So basically do that Hairpin/U-turn.
    You can check the current configuration with the command
    show run same-security-traffic
    Do notice that there is a similar command with a different parameter at the end (inter-interface vs. intra-interface). So check that you have the correct one.
    Hope this helps
    Let me know how it goes
    - Jouni

  • 6506 NetFlow

    Hi,
    I'm trying to capture ingress traffic on the SVI interface of my Cisco 6506 (WS-C6506-E).
    I've enabled NetFlow on the Multilayer Switch Feature Card (MSFC):
    ip flow-export source Vlan254
    ip flow-export version 5
    ip flow-export destination 172.23.100.21 2055
    Enabled NetFlow and NetFlow Data Export (NDE) on the Policy Feature Card (PFC):
    ip flow ingress layer2-switched vlan 130
    mls netflow interface
    mls flow ip interface-destination
    mls nde sender version 5
    mls aging fast threshold 127
    mls aging long 1000
    mls sampling time-based 512
    mls cef error action reset
    mls netflow sampling
    and on the monitorable interface:
    interface Vlan130
     ip address 172.23.170.2 255.255.255.0
     ip flow ingress
     mls netflow sampling
     standby 1 ip + timers + priority + preempt + authentication
    Now I'm trying to see captured flows. The point is I can't see the flow's source address, source and destination port, and L4 protocol for unicast flows:
    Cat6506-LAN1#sh mls netflow ip
    Displaying Netflow entries in Active Supervisor EARL in module 5
    DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f          :AdjPtr
    -----------------------------------------------------------------------------
    Pkts         Bytes         Age   LastSeen  Attributes
    ---------------------------------------------------
    172.23.131.5    0.0.0.0         0   :0      :0        Vl130            :0x0
    202          52554         2     17:04:35   L2 - Dynamic
    0.0.0.0         0.0.0.0         0   :0      :0        --               :0x0
    13312        6807977       2     17:04:35   L3 - Dynamic
    172.23.170.64   0.0.0.0         0   :0      :0        Vl130            :0x0
    0            0             2     17:04:34   L2 - Dynamic
    172.23.170.123  0.0.0.0         0   :0      :0        Vl130            :0x0
    0            0             2     17:04:35   L2 - Dynamic
    224.0.0.2       172.23.170.3    udp :1985   :1985     Vl130            :0x0
    2            156           1     17:04:35   Multicast
    224.0.0.2       172.23.170.3    udp :1985   :1985     Vl130            :0x0
    8            624           6     17:28:03   Multicast
    172.23.170.181  0.0.0.0         0   :0      :0        Vl130            :0x0
    0            0             5     17:28:03   L2 - Dynamic
    I get the same output info on my NetFlow collector.
    Does anybody know a reason that could prevent flows from being collected correctly?
    Thanks.

    might want to change the flow mask to full instead of destination. I think that should give you the rest of the info. chris
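
A collector-side check for the symptom in this thread, as an added example that is not part of the original posts: it parses NetFlow v5 export datagrams and flags an exporter whose records arrive with zeroed source address, protocol and ports, which is what the destination-only flow mask in the question produces. The sample datagram is constructed to mirror the `sh mls netflow ip` entries posted above; the function names and the 50% threshold are assumptions.

```python
import ipaddress
import struct

# NetFlow v5 wire format: a 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 export datagram as dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5],
            "bytes": f[6],
            "sport": f[9],
            "dport": f[10],
            "proto": f[13],
        })
    return flows


def missing_key_fields(flow):
    """Names of the flow-key fields the exporter left zeroed in this record."""
    missing = []
    if flow["src"] == "0.0.0.0":
        missing.append("src")
    if flow["proto"] == 0:
        missing.append("proto")
    # Ports are only meaningful for TCP/UDP (or when the protocol itself is
    # missing); ICMP and similar flows legitimately carry port 0.
    if flow["proto"] in (0, 6, 17) and flow["sport"] == 0 and flow["dport"] == 0:
        missing.append("ports")
    return missing


def audit_exporter(flows, threshold=0.5):
    """Flag an exporter when most of its records lack source/L4 key fields."""
    incomplete = [f for f in flows if missing_key_fields(f)]
    ratio = len(incomplete) / len(flows) if flows else 0.0
    return {
        "records": len(flows),
        "incomplete": len(incomplete),
        "suspect_flow_mask": ratio >= threshold,
    }


def build_v5(records):
    """Pack (src, dst, proto, sport, dport, packets, octets) tuples into a
    v5 datagram; used only to construct sample input for this example."""
    out = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, proto, sport, dport, pkts, octets in records:
        out += V5_RECORD.pack(
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
            0, 0, 0,            # nexthop, input ifIndex, output ifIndex
            pkts, octets, 0, 0,  # dPkts, dOctets, first, last
            sport, dport, 0, 0,  # ports, pad1, tcp_flags
            proto, 0, 0, 0,      # prot, tos, src_as, dst_as
            0, 0, 0,             # src_mask, dst_mask, pad2
        )
    return out


# Constructed sample: three destination-only entries and the one complete
# multicast (HSRP) entry, with the counters shown in the post.
SAMPLE = build_v5([
    ("0.0.0.0", "172.23.131.5", 0, 0, 0, 202, 52554),
    ("0.0.0.0", "172.23.170.64", 0, 0, 0, 0, 0),
    ("0.0.0.0", "172.23.170.123", 0, 0, 0, 0, 0),
    ("172.23.170.3", "224.0.0.2", 17, 1985, 1985, 2, 156),
])

if __name__ == "__main__":
    parsed = parse_v5(SAMPLE)
    for flow in parsed:
        print(flow["dst"], "<-", flow["src"],
              "missing:", missing_key_fields(flow) or "none")
    print(audit_exporter(parsed))
```

Records that fail this check cannot be attributed to a source host, so a collector that alerts on them catches the misconfiguration before the data is needed for an investigation.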

  • Netflow on cisco me 6523

    hello
    I'm trying to get netflow working on a ME 6523 to a destination address using UDP port 4739, but I'm not getting anything through Wireshark while connected
    to a SPAN port on the router or the connecting switch.
    I'm using the management interface, which is using port-channel1.

    Hi Sean,
    Can you try configuring your Cisco switch as below and check.
    ! Enable NetFlow on the Supervisor.
    mls netflow
    mls nde sender version 7
    ! Break up long-lived flows into (roughly) one-minute segments.
    mls aging long 64
    ! Ensure that flows that have finished are exported in a timely manner.
    mls aging normal 32
    mls flow ip interface-full
    mls nde interface
    The next two commands will help to enable NetFlow data export for bridged traffic, which is optional. You can specify the list of VLANs here to enable bridged traffic.
    ip flow ingress layer2-switched vlan {vlan_list}
    ip flow export layer2-switched vlan {vlan_list}
    Apart from this, NetFlow has to be enabled on the MSFC using the below commands.
    ! This command has to be executed on all the L3/VLAN interfaces.
    ip flow egress
    ! The hostname or IP address of the flow server.
    ip flow-export destination {hostname|ip_address} 9996
    ! The interface through which NetFlow packets are exported, e.g. Loopback0.
    ip flow-export source {interface}
    ip flow-export version 9
    ip flow-cache timeout active 1
    snmp-server ifindex persist
    Regards,
    Don Thomas Jacob
    ManageEngine NetFlow Analyzer

  • NetFlow on MPLS PE

    Hi,
    I have a customer requiring NetFlow data sent to them from the PE router. Is there a way to enable NetFlow only for a specific VRF?

    Hi Carlos,
    Thanks a lot for the response. It is quite helpful. This doc describes a case in which NetFlow is sent to provider collector.
    I want the NetFlow source interface and destination collector address to be in the same VPN so that it can be sent to the customer collector. Otherwise, because of IP address space overlapping, it's quite complex to 'NAT' addresses to get to the customer destination via the backbone network.
    Thanks again.

  • MPLS Netflow Egress 12.2(25)S

    Hi,
    Does anybody know how to configure mpls netflow egress for a Cisco router running the 12.2(25)S service provider image?
    The following link says there is a restriction for it:
    http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a00805e1253.html#wp1043334
    The MPLS Egress NetFlow Accounting feature is not supported in Cisco IOS Release 12.2(25)S and later. Use the Egress NetFlow Accounting feature, which captures either IP or MPLS packets as they leave the router.
    I haven't found out how to exactly configure this feature because the ip flow egress work is not working.
    Anybody care to shed some light?
    Thanks in advance,
    Luis Rueda

    Netflow was an ingress technology, in which the flows that were captured were flows that entered the interface. Flows leaving the interface were not captured. Also, it was an IP technology, hence non-IP traffic was not captured.
    With the introduction of MPLS VPN, traffic from remote PEs was received on the egress PE as labelled traffic. Hence, it was not captured by Netflow (without MPLS, enabling netflow on the WAN interface of the egress PE would have allowed the traffic to be captured).
    MPLS Egress Netflow Accounting patched the situation above by allowing Netflow to capture the flow when the MPLS packet was untagged. This feature was introduced in 12.0(20)S. See
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_white_paper09186a00800b3d18.shtml
    It is configured with the command mpls netflow egress
    To make things better, they bettered the netflow technology and allowed it to capture egress traffic. With it capturing outgoing traffic, the mpls egress netflow feature was no longer needed. Or to put it another way, Egress Netflow Accounting replaced MPLS Egress Netflow. See
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802d41ea.html
    This is configured with the command
    ip flow egress
    For using these features, check your IOS properly and see which one it supports. I have successfully used the MPLS Netflow Egress.
