NetFlow
I have a 6509 with a fiber-attached 3750 that I want to monitor the bandwidth usage of. I have read about NetFlow and found it will do this and is supported by the 6509 but not the 3750. Does NetFlow need to be supported by the devices on both ends of the network link you are testing?
Thanks for responding to my question.
On my 6509 I have IP routing enabled but when I go to the fiber interface that the 3750 is attached to there is no "ip route-cache flow" command.
When I am on that interface and I do an "ip ?" it shows the commands RSVP, RTP and VRF as the only options available.
Is there something else I need to do to get "route-cache flow" to work?
My 6509 is at Version 12.1(22)E2.
Thanks
Ken
Similar Messages
-
ASR netflow with third party tool
Hi ,
We have one issue where NetFlow data is not getting into the SolarWinds tool. In Wireshark captures it shows NetFlow traffic is reaching up to the server.
Found one forum and they highlighted one bug as below, but it's not affecting the release we are having. Unable to find the exact bug ID in Cisco. Let me know if you can get any inputs and highlight the same.
Below are the links and current details:
https://thwack.solarwinds.com/thread/32146
Current ASR version and related NetFlow config is attached. Didn't find any issue with the configuration. Trying with another vendor tool as well and will check.
asr1002x-universal.03.10.01.S.153-3.S1-ext.SPA.bin
show ip flow export cache flow
IP packet size distribution (1317M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .040 .023 .006 .004 .004 .030 .004 .002 .005 .004 .006 .002 .001 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .047 .029 .781 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 0 bytes
0 active, 0 inactive, 24710853 added
417778 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 5 0.0 61 42 0.0 31.1 31.2
TCP-FTP 52 0.0 20 85 0.0 14.3 30.9
TCP-FTPD 8 0.0 71 51 0.0 3.6 31.1
TCP-WWW 369465 0.0 15 694 1.3 7.2 30.9
TCP-SMTP 417 0.0 84 98 0.0 5.8 30.9
TCP-X 3 0.0 7 277 0.0 1.6 31.1
TCP-BGP 10911 0.0 1 69 0.0 3.0 30.9
TCP-other 19793896 4.6 28 1134 131.5 2.6 30.9
UDP-DNS 320124 0.0 1 79 0.0 0.0 30.9
UDP-NTP 65307 0.0 1 87 0.0 0.1 30.9
UDP-TFTP 854 0.0 1 51 0.0 0.0 30.9
UDP-Frag 1721 0.0 7 58 0.0 2.1 30.9
UDP-other 3850147 0.8 192 1244 172.6 3.7 30.9
ICMP 296732 0.0 3 62 0.2 4.2 30.9
Total: 24709642 5.7 53 1193 305.8 2.8 30.9
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Hi Mike,
If you have a third party Document Management System, then you can post two different messages, i.e. service order in transaction details of the third party tool with a link to the document which would be posted to the third party Document Management server.
If you don't have a third party document management system and want to use SAP infrastructure, then you don't need to maintain the attachment; maintain the link between the third party tool and the SAP document repository, with some login utilities.
Best Regards,
Pratik Patel.
Reward with points if it is of any help to you! -
Flexible Netflow (v.9) question on 3850 ipservices doesn't seem to register
Greetings all - I am trying to enable netflow on a new 3850-24 with ipservices. I am leveraging LiveAction and have raised a ticket with them to help me through the issue, but more generally I'm confused about the lack of features I'm seeing. Per the 3850 guide here (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html) it is stated that you will have the option of turning on inbound and outbound directions on 3850's with ipbase and ipservices.
We are running ip services:
Slot# License name Type Count Period left
1 ipservices permanent N/A Lifetime
However, we get the following error when trying to turn on flow inbound and outbound on the interfaces - whether they are svi (layer3) or interface (layer2)
-----------------Layer2: ----------------------------------------------
(config)#interface GigabitEthernet1/0/24
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR'
Unsupported match field "interface input" for ipv4 traffic in output direction
Unsupported collect field "interface output" for ipv4 traffic in output direction
---------------- Layer3 ---------------------------------------------
switch(config)#interface Vlan190
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
------------------------------------ untruncated output ------------------------------
switch(config-flow-record)#collect counter bytes
% Incomplete command.
switch(config-flow-record)#collect counter packets
% Incomplete command.
switch(config-flow-record)#collect flow sampler
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect interface output
switch(config-flow-record)#collect ipv4 destination mask
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 dscp
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 id
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 source mask
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 source prefix
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect routing destination as
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect routing next-hop address ipv4
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect routing source as
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect timestamp sys-uptime first
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect timestamp sys-uptime last
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect transport tcp flags
switch(config-flow-record)#exit
switch(config)#flow monitor LIVEACTION-FLOWMONITOR
switch(config-flow-monitor)#$ DO NOT MODIFY. USED BY LIVEACTION.
switch(config-flow-monitor)#exporter LIVEACTION-FLOWEXPORTER
switch(config-flow-monitor)#cache timeout inactive 10
switch(config-flow-monitor)#cache timeout active 60
switch(config-flow-monitor)#record LIVEACTION-FLOWRECORD
switch(config-flow-monitor)#exit
switch(config)#interface Vlan197
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#exit
switch(config)#interface Vlan190
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
-------------------- config it's trying to apply----------------------------
config t
ip cef
snmp-server ifindex persist
flow exporter LIVEACTION-FLOWEXPORTER
description DO NOT MODIFY. USED BY LIVEACTION.
destination <removed private IP address to liveaction server>
source Loopback0
transport udp 2055
template data timeout 600
option interface-table
exit
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
exit
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
exit
interface Vlan197
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface Vlan190
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/13
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/18
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/4
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/3
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/6
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/5
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/23
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/24
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
Welcome to the Arch forums. That was an amazing first post. It is refreshing to see a new forum member actually post with as much detail as possible in order to explain the situation. Too often we get people saying things like "I can't get to the internet... why?" as the extent of their post. So thanks.
So I am curious about what dhcpcd is trying to do. It seems to be trying to solicit an IPv6 address, but mentions nothing about an IPv4 address. It is unfortunately not entirely uncommon for dhcpcd to time out waiting for an IPv6 address that never comes. So are you using IPv6? Do you expect an IPv6 address? I noticed that when you tried to ping the Google DNS server, you used their IPv4 address (8.8.8.8). So I am thinking that means you are actually using IPv4.
I wonder if you might be able to poll for just an ipv4 address with dhcpcd. Just run it with -4 and it should disable the ipv6 stuff. You might also want to try dhclient and see what kind of output it gives you. If you are definitely not using ipv6, and it is not offered in your area, you might want to disable it. There are instructions in the wiki on how to do this... but you might want to wait until you establish the issue before doing things like that. -
Netflow is not showing on prime infra 1.2 and also reports are not generating
Hi friends,
I added my router to Cisco Prime for NetFlow and configured it by template as mentioned by Cisco in the deployment guide. I got NetFlow till last Friday but today I am getting any flow on Prime.
Second, I am not able to generate raw NetFlow.
How can I remove any device from data sources if this is no longer present there? For better understanding I am also attaching the snapshot.
Hi,
Thanks
Yes, I have configured the command "aaa accounting exec default start-stop group tacacs+".
As I have mentioned, all the other reports are working: which user, when he has logged in and what commands he has used. Only the TACACS+ Accounting and logged user is not working.
Regards,
Vineet -
Is it possible to run both Netflow v5 and v9 at the same time
Hi All,
Just wondering if it is possible to run netflow version 9 and version 5 at the same time (to different destinations) on the same router please?
Thanks very much
Regards
Amanda
No Amanda,
we cannot simultaneously configure both versions of NetFlow on Cisco IOS. After configuring the first one, when you try to configure the other version it will override the previously configured version.
"Please do rate helpful posts" -
Hi Folks,
I was trying to use the top talkers feature to find the culprits hogging my bandwidth. I am pretty new to the top talker feature and it's implemented on a 6500 with sup720. I have a couple of queries w.r.t. this.
* Tried to configure the sort by bytes feature and got a warning that it's not supported on the hardware based model. So is there any way to use sort by bytes on the sup 720?
* The O/P fields of a show ip flow top-talkers are usually,
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts (had to use sort by packets due to warning)
Now is this pkts field the number of packets calculated between the cache-timeout value or is it the total seen so far? Will it be the same for sort by bytes too? Total bytes seen for this flow rather than a realtime bytes/sec or bytes/cache time-out value.
If this is the case then it's actually not a real time top talker value, right? Please help
Thanks,
Prakadeesh
The command "sh ip cache flow" shows the cache-timeout value only, not the collective bytes of data; if you need the total bytes seen for this flow you need to use the Crannog Netflow Tracker kind of tools or you need to use "ip accounting" and clear the counter manually as and when required !!!
And it is actually a real time top talker value for that specified cache-timeout value and I found most of the time it shows the correct top-talker many times !!!!!!!!!!!!!!!!!!! -
ASA 8.2(5) enable Netflow
Hi,
Running ASA 8.2.(5) with ASDM 6.4(5).
When I try to enable netflow on my <default inspection traffic> policy which is global I get a message saying "only inspect rule actions can be specified for the default inspection traffic". As Netflow can only be applied as a global service policy, I have to use netflow on a global policy, but how do I use my traffic inspection policy then?
Create multiple service policies I apply to each interface or?
According to https://supportforums.cisco.com/docs/DOC-6114 it looks as I can have both at the same time or in the same Global policy ?
Regards
Robert
Hmm, it seems I can't create a new class-map with ASDM? I have no option to do that.
Looking at:
https://supportforums.cisco.com/docs/DOC-6113
It says:
Most users will have a global inspection policy so we can just leverage that. It should be noted that we can't use class-default here because we won't generate NetFlow data for anything that is subject to inspection.
Is that not what my original message basically is saying from ASDM?
Robert -
Does introducing WCCP redirect for WAAS disrupt Netflow information?
Before installing WAAS and WCCP redirect on some 6500 interfaces in our data center, those interfaces showed Netflow flows for users at a remote location accessing servers at our data center. Now with WCCP redirecting that traffic to the WAEs, I notice the only netflow flows for that remote location are UDP flows and some ICMP stuff.
Is this an unintended consequence of installing WAAS - that netflow statistics are going to be skewed by not showing flows that are now accelerated?
I believe your problem may be due to the fact that you are redirecting http based traffic per the ACL configuration. The sup720 uses wccp v2 as a default version, however, the Sup720 does NOT support the hardware-based redirection for the TCP port 80 when we enable wccpv2.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/wccp.htm#wp1017009
Support for Non-HTTP Services:
WCCPv2 allows redirection of traffic other than HTTP (TCP port 80 traffic), including a variety of UDP and TCP traffic. WCCPv1 supported the redirection of HTTP (TCP port 80)traffic only. WCCPv2 supports the redirection of packets intended for other ports, including those used for proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, web caching for ports other than 80, and real audio, video, and telephony applications. -
Mars with Netflow on Interface VRF (on Router)
Mars is collecting Netflow information from Interface VRF on Router, my question is that whether Mars will see the traffic inside of the VRF or not, or it will see only netflow traffic on Global routing (core MPLS devices).
This router is PE, and connected to CE (Customer's device).
interface GigabitEthernet5/2
ip vrf forwarding ktb
ip address 10.0.1.210 255.255.255.252
ip flow ingress
ip flow-export version 5
ip flow-export destination 10.1.50.103 2055
Refer to the document Top Issues for the Cisco Security Monitoring, Analysis, and Response System for more information
http://www.cisco.com/en/US/products/ps6241/prod_troubleshooting_guide09186a008062f36e.html -
Hi,
I'm trying to capture an ingress traffic on SVI interface of my Cisco 6506 (WS-C6506-E).
I've enabled NetFlow on the Multilayer Switch Feature Card (MSFC):
ip flow-export source Vlan254
ip flow-export version 5
ip flow-export destination 172.23.100.21 2055
Enabled NetFlow and NetFlow Data Export (NDE) on the Policy Feature Card (PFC):
ip flow ingress layer2-switched vlan 130
mls netflow interface
mls flow ip interface-destination
mls nde sender version 5
mls aging fast threshold 127
mls aging long 1000
mls sampling time-based 512
mls cef error action reset
mls netflow sampling
and on the monitorable interface:
interface Vlan130
 ip address 172.23.170.2 255.255.255.0
 ip flow ingress
 mls netflow sampling
 standby 1 ip + timers + priority + preempt + authentication
Now I'm trying to see captured flows. The point is I can't see the flow's source address, source and destination port, and L4 protocol for unicast flows:
Cat6506-LAN1#sh mls netflow ip
Displaying Netflow entries in Active Supervisor EARL in module 5
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr
-----------------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
172.23.131.5 0.0.0.0 0 :0 :0 Vl130 :0x0
202 52554 2 17:04:35 L2 - Dynamic
0.0.0.0 0.0.0.0 0 :0 :0 -- :0x0
13312 6807977 2 17:04:35 L3 - Dynamic
172.23.170.64 0.0.0.0 0 :0 :0 Vl130 :0x0
0 0 2 17:04:34 L2 - Dynamic
172.23.170.123 0.0.0.0 0 :0 :0 Vl130 :0x0
0 0 2 17:04:35 L2 - Dynamic
224.0.0.2 172.23.170.3 udp :1985 :1985 Vl130 :0x0
2 156 1 17:04:35 Multicast
224.0.0.2 172.23.170.3 udp :1985 :1985 Vl130 :0x0
8 624 6 17:28:03 Multicast
172.23.170.181 0.0.0.0 0 :0 :0 Vl130 :0x0
0 0 5 17:28:03 L2 - Dynamic
The same output info I get on my NetFlow collector.
Does anybody know a reason that can prevent flows from being collected correctly?
Thanks.
Might want to change the flow mask to full instead of destination. I think that should give you the rest of the info.
chris
-
Netflow Collector 6.0 demo license
Hi,
It is said in the NetFlow Collector Installation and Configuration Guide that a limited-time demo license can be obtained from Cisco.com
How can I get this demo license?
Regards,
Velin
Hi,
I think you can obtain that (and more) demo licenses here:
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y.
Good luck!
curtis -
Hi,
what is the best available tool for netflow monitoring and specially for troubleshooting issues using flow analysis? I am looking for something that works well on small network of 200 devices.
Thanks
Easy enough to request a quote from both companies but from what I've seen, PRTG will be less cost. Its Netflow capability is simple but then it also does lots of other things - querying and graphing anything you can get with SNMP.
Scrutinizer is a purpose built tool for flow analysis. It costs a bit more but gives you a lot more functionality if flow analysis is what you need to do. It won't also serve as your general purpose network management tool however. PRTG can do that.
Both tools have trial downloads to try before you buy. -
How netflow works with ASA Firepower and Virtual Defense ?
Hi,
In the discovery rules of the Virtual Defense, I can see that it's possible to configure a netflow source. I have a pair of Cisco 4500X as the core switch L3, and would like to send a flow to the IPS.
I configure the switch like that :
flow record IPV4-FLOW-RECORD
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect interface input
collect interface output
collect counter bytes long
collect counter packets long
flow exporter Firepower
source Vlan12
destination IP_OF_tHE_ASA_IPS_MODULE
flow monitor IPV4-FLOW
exporter Firepower
cache timeout inactive 30
cache timeout active 60
cache entries 1000
record IPV4-FLOW-RECORD
vlan configuration 100-102 ip flow monitor IPV4-FLOW input
Is it the correct configuration? I can't see how to check in Virtual Defense if it's receiving netflow packets.
SOLUTION!
Install a second NIC bind vmnet0 to eth1 instead of eth0
Details:
Goal was to have the Host OS (Ubuntu 8.04) which is running an Apache web server also serve as an e-mail gateway (SpamTitan) since on a heavy day the web server might hit 5% CPU.
Why buy a whole new machine, right?
When it did not work right away I went into troubleshooting mode and tried several different things as mentioned above. Which led me to the idea to create my own VM of SpamTitan and bind it to a different NIC.
Before I went that far I tried reassigning vmnet0 from eth0 to my newly installed eth1 and running it. That seems to have done the trick!
So now the setup is:
eth0 192.168.2.4
eth1 192.168.2.5
vmnet0 192.168.2.6
With vmnet0 bridged to eth1
Why is it working now and not before?
I am unsure. It is not a Linux thing because I tried both Windows XP and OS X 10.5 with the same result. I think it has more to do with primary network and associated services than Host OS.
If anyone has any insight please let me know. Otherwise I am going to chase it down later.
Thanks again for your responses! -
Netflow on 6509 in Native Mode from Vlan Interface
I'm trying to get a 6509-E, running Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(33)SXI9, RELEASE SOFTWARE (fc2), to send netflow traffic from a vlan interface to a Solarwinds server.
The server is not seeing all the vlan traffic, but does see all the traffic on the layer 2 ports (not netflow).
I've seen that a command, ip flow ingress layer2-switched vlan, needs to be enabled, but the OS I have does not support that command.
Or could it be that MLS is not configured except for a couple commands:
mls netflow interface
mls cef error action reset
netflow setup:
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 10.31.101.1 (Vlan52)
Destination(1) 10.30.2.196 (2055)
Version 5 flow records
14927339 flows exported in 615072 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to Card not being able to export
interface:
interface Vlan52
description AN.VDI.stu
ip address 10.31.101.1 255.255.255.0
ip helper-address 10.31.149.200
no ip redirects
ip flow ingress
ip flow egress
ip pim neighbor-filter 98
ip pim sparse-dense-mode
ip cgmp
Enabling MLS was the fix.
mls netflow interface
mls flow ip interface-full
mls nde sender version 5
mls cef error action reset -
What is "Source ID" in Netflow V9 Packet Header
Hi,
My question is regarding the "Source ID" field that appears in Netflow V.9 packet header. Following Cisco link (http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.pdf) gives Source ID definition as -
"The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device."
I am using "Source ID" (combined with template ID) to uniquely identify options templates exported by different routers. At our new lab setup, where we have more than one router configured to export Netflow, I observed that all the routers were exporting the "Source ID" value as "0" (zero). It failed my assumption that I had formed based on the definition from the above Cisco doc.
I assumed -
SourceID Template Id Unique Key
source1 256 source1-256
source1 257 source1-257
source2 256 source2-256
source3 258 source3-258
But, I observed
SourceID Template Id Unique Key
0 256 0-256
0 257 0-257
0 256 0-256
0 258 0-258
Thus, same template id(256) from different routers(source1, source3) eventually form same unique key and breaks my code.
I would like to know if my interpretation that Source ID can be used to uniquely identify templates in this manner is correct or not ?
Is "Source ID" user configurable attribute ? How does it comply to the definition given in above Cisco doc ?
Thanks,
Deepak
Deepak,
Consider these quotations from the same RFC 3954:
Section 2: Terminology:
Observation Point
An Observation Point is a location in the network where IP packets
can be observed; for example, one or a set of interfaces on a network
device like a router. Every Observation Point is associated with an
Observation Domain.
Observation Domain
The set of Observation Points that is the largest aggregatable set of
flow information at the network device with NetFlow services enabled
is termed an Observation Domain. For example, a router line card
composed of several interfaces with each interface being an
Observation Point.
Section 7: Template Management:
A NetFlow Collector that receives Export Packets from several
Observation Domains from the same Exporter MUST be aware that the
uniqueness of the Template ID is not guaranteed across Observation
Domains.
Section 9: The Collector Side:
At any given time the Collector SHOULD maintain the following for all
the current Template Records and Options Template Records: Exporter,
Observation Domain, Template ID, Template Definition, Last Received.
Note that the Observation Domain is identified by the Source ID field
from the Export Packet.
So in other words, the Source ID is an identifier of the Observation Domain (and in fact, the IPFIX RFC calls this header field directly as Observation Domain ID). Template IDs are unique per Exporter and per Observation Domain, and if a single Exporter uses multiple templates in its different Observation Domains, the IDs of these templates could overlap even in a single Exporter. Observation Domain IDs (that is, Source IDs) identify only the internal structure of a single Exporter, and no provisions are done to preserve their uniqueness across multiple Exporters - for this, the source IP shall be used.
With respect to whether there can be multiple NetFlow instances on a single router, I am getting a feeling that with decentralized, distributed platforms, multiple linecards in a single router could run their own NetFlow analysis for data that pass through them, so each one provides a separate NetFlow collection. Thus, each linecard or each feature card doing its own NetFlow analysis should be assigned its own unique Observation Domain ID.
If it is not user configurable then system should automatically form the value based on router engine and line card. But what I have observed, at more than one routers, is that this value is always 0(zero).
I believe this is strongly dependent to the hardware construction of the router. As a remotely-related example, old 2600 series routers had two WIC slots. If you inserted two WIC-2T modules into these slots, you'd expect that they would be numbered Serial0/0, Serial0/1, Serial1/0, Serial1/1. Very surprisingly, however, these routers considered both slots to be internally connected to a single bus, and the interfaces were named Serial0/0, Serial0/1, Serial0/2 and Serial0/3 - as if they all were installed in a single slot '0'. Something similar may happen to the Observation Domains and their IDs. You would believe that each single linecard constituted a separate Observation Domain. However, the reality may be different, and the whole router can act as a single Observation Domain to the outside world. It's just the way it is constructed - and programmed.
It is not clear why Cisco doc says that one should use both "Source ID" and "Source IP Address" to properly distinguish between flows.
I think it's a poor wording in the RFC. I think what they want to say is that if you use the duplet <Source IP, Source ID> to distinguish between flows, then you're fine both for multiple flows from the same Exporter, and for multiple flows from different Exporters.
Moreover, isn't "Source IP Address" good enough to distinguish between flows from different sources ?
If an Exporter could truly be partitioned into multiple Observation Domains then the source IP would not be sufficient. I am just making up examples with no real-life backup here, but think of, say, a multi-chassis router with each chassis being one Observation Domain, or each linecard of a distributed switch being a standalone Observation Domain, or one router virtualized to several different contexts and virtual routers, each of them being a unique Observation Domain, reporting about the flows using the same source IP... I think you get the point.
I would put it this way... The existence of Source ID in NetFlow v9 (and Observation Domain ID in IPFIX) allows these protocols to nicely cope with situations in which a single physical device can be partitioned into several Observation Domains and perform independent reporting on them using a single source IP. However, the fact that these protocols have this ability does not mean that each and every device, even a Cisco router/switch, must necessarily make use of it.
Best regards,
Peter -
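The template bookkeeping described in the answer above (RFC 3954 sections 7 and 9), as an added example that is not part of the original thread and not Cisco code: a minimal NetFlow v9 collector-side template cache in Python, run against constructed export packets from two exporters that both send Source ID 0 and Template ID 256 with different layouts. The exporter addresses, field layouts and the names `TemplateCache`, `build_packet` and `demo` are assumptions made for the illustration.

```python
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET = struct.Struct("!HH")     # flowset_id, length (length includes these 4 bytes)
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 8: "src_addr", 12: "dst_addr"}  # RFC 3954 types


class TemplateCache:
    """Template store keyed per RFC 3954: Exporter, Observation Domain, Template ID."""

    def __init__(self, key_by_exporter=True):
        self.key_by_exporter = key_by_exporter  # False reproduces the (Source ID, Template ID) key
        self.templates = {}

    def _key(self, exporter_ip, source_id, template_id):
        if self.key_by_exporter:
            return (exporter_ip, source_id, template_id)
        return (source_id, template_id)

    def feed(self, exporter_ip, packet):
        """Parse one export packet and return the decoded data records."""
        version, _count, _up, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 export packet")
        records, off = [], HEADER.size
        while off + FLOWSET.size <= len(packet):
            fs_id, fs_len = FLOWSET.unpack_from(packet, off)
            if fs_len < FLOWSET.size or off + fs_len > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[off + FLOWSET.size:off + fs_len]
            if fs_id == 0:                       # Template FlowSet
                self._learn(exporter_ip, source_id, body)
            elif fs_id >= 256:                   # Data FlowSet, id == Template ID
                records += self._decode(exporter_ip, source_id, fs_id, body)
            off += fs_len                        # ids 1..255 (options, reserved) are skipped
        return records

    def _learn(self, exporter_ip, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            if template_id < 256:                # padding at the end of the FlowSet
                break
            if pos + 4 * field_count > len(body):
                raise ValueError("truncated template record")
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(field_count)]
            pos += 4 * field_count
            self.templates[self._key(exporter_ip, source_id, template_id)] = fields

    def _decode(self, exporter_ip, source_id, template_id, body):
        fields = self.templates.get(self._key(exporter_ip, source_id, template_id))
        if not fields:
            return []                            # template not seen yet: nothing can be decoded
        rec_len = sum(length for _, length in fields)
        if rec_len == 0:
            return []
        out = []
        for start in range(0, len(body) - rec_len + 1, rec_len):  # trailing padding is ignored
            rec, p = {}, start
            for ftype, length in fields:
                raw = body[p:p + length]
                p += length
                name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                if ftype in (8, 12) and length == 4:
                    rec[name] = str(IPv4Address(raw))
                else:
                    rec[name] = int.from_bytes(raw, "big")
            out.append(rec)
        return out


def build_packet(source_id, template_id, fields, rows, with_template=True):
    """Constructed sample packet: optional Template FlowSet plus one Data FlowSet."""
    flowsets = b""
    if with_template:
        tmpl = struct.pack("!HH", template_id, len(fields))
        tmpl += b"".join(struct.pack("!HH", t, l) for t, l in fields)
        flowsets += FLOWSET.pack(0, FLOWSET.size + len(tmpl)) + tmpl
    data = b"".join(v.to_bytes(l, "big") for row in rows for v, (_, l) in zip(row, fields))
    data += b"\x00" * (-len(data) % 4)           # pad the FlowSet to a 4-byte boundary
    flowsets += FLOWSET.pack(template_id, FLOWSET.size + len(data)) + data
    count = len(rows) + (1 if with_template else 0)
    return HEADER.pack(9, count, 0, 0, 0, source_id) + flowsets


def demo(key_by_exporter):
    """Two exporters, same Source ID 0 and Template ID 256, different field layouts."""
    cache = TemplateCache(key_by_exporter)
    a_fields = [(8, 4), (12, 4), (1, 4)]         # exporter A: src, dst, bytes
    b_fields = [(2, 4), (1, 4), (8, 4)]          # exporter B: pkts, bytes, src
    a_row = [int(IPv4Address("10.0.0.1")), int(IPv4Address("10.0.0.2")), 1500]
    b_row = [7, 420, int(IPv4Address("10.9.9.9"))]
    cache.feed("192.0.2.1", build_packet(0, 256, a_fields, [a_row]))
    cache.feed("192.0.2.2", build_packet(0, 256, b_fields, [b_row]))
    # Exporter A now sends data only; its template must still be the one A announced.
    return cache.feed("192.0.2.1", build_packet(0, 256, a_fields, [a_row], with_template=False))


if __name__ == "__main__":
    print("keyed by (exporter, source id, template id):", demo(True))
    print("keyed by (source id, template id) only:     ", demo(False))
```

With the two-part key, exporter B's template silently replaces exporter A's, so A's next data-only packet is decoded with the wrong layout and yields plausible-looking but false addresses and counters.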
Error when removed netflow configuration
I want to remove netflow config, but when I "no ip flow monitor XXXX output" from PORT-PROFILE (type vethernet),
there is a vethernet interface combined this command "ip flow monitor XXXX output" unexpectedly.
And I got an error message when I "no ip flow monitor XXXX output" from this vethernet interface.
Nexus-BIZ(config-if)# no ip flow monitor NAM-BIZ output
2013 Apr 12 08:47:42 Nexus-BIZ %NFM-2-VERIFY_FAIL: Verify failed - Client 0xff010266, Reason: unknown error, Interface: Vethernet48
Verify failed - Client 0xff010266, Reason: unknown error, Interface: Vethernet48
Error: could not allocate resources for command
Does anyone know how to remove this configuration?
Check that listener for your standby database has proper handler for PIJ10G2_DGMGRL service name. Use static registration for this.
Then, Protection Mode: MaxAvailability implies SYNC log transport mode. Check this option too in your log_archive_dest_NN settings.
Best Regards,
Alex