1. I've noticed bugs on some 6500 routers that lead to "corrupt" netflow with extra 0-bits. I ended up giving up on netflow from some 6500s a few years ago, but I don't have the configuration details. Check your raw netflow with flow-print or flow-export, see whether the netflows with the 0 ASes also have lots of other fields as 0.
2. Does anybody else have experience generating flow from a vlan interface as opposed to a physical interface? Does it work? 3. For a flow with dest-as of 0, what happens when you traceroute the IP? If you have boxes that are scanning and run into unallocated IP blocks, their traffic would be null-routed and thus 0 would be the correct destination AS. Good luck! Mike On Mar 08 at 13:20, "Nicolas Meaux" wrote: > When i want to create report of trafic which is going out of my network, > i see many flows with destination AS equal to 0 > I have read many faq, but i think my configuration is correct. > > Cisco configuration : > > mls aging fast threshold 1 > mls aging long 300 > mls flow ip full > mls nde sender > > interface Vlan20 > description output vlan > ip route-cache flow > > interface Vlan10 > description private vlan > > ip flow-export source Vlan10 > ip flow-export version 5 origin-as > ip flow-export destination 10.5.11.10 2055 > > #show version > Cisco Internetwork Operating System Software > IOS (tm) c6sup2_rp Software (c6sup2_rp-PS-M), Version 12.1(26)E4, > RELEASE SOFTWARE (fc1) > > > Netflow capture command line : > /usr/bin/flow-capture -w /home/admin/var/netflow/ 0/0/2055 -S5 > > > $ flow-cat ft-v05.* | flow-stat -f20 | sort -k 2 -n > # > # > # > # > # > # --- ---- ---- Report Information --- --- --- > # Args: flow-stat -f20 > # Fields: Total > # Name: Destination AS > # Sorting: None > # Symbols: Disabled > # dst AS flows octets packets > [.....] > 541 2293 883177236 835990 > 635 2976 1226657011 1115515 > 8974 3297 212680 3314 > 25214 3311 648484980 621938 > 2436 6559 4052335040 3619528 > 235 15487 6400281466 5474969 > 0 113835 7932742637 24844221 > > I have noticed that with this configuration : > mls netflow > mls aging normal 60 > mls aging long 64 > mls flow ip interface-full > mls nde sender version 5 > mls nde interface > > Netflow will be exported with full information, but some keywords doesnt > work on my 6009 : > > Router(config)#mls netflow > Router(config)#mls aging normal 60 > Router(config)#mls aging long 64 > Router(config)#mls flow ip interface-full > ^ > % Invalid input detected at '^' marker. > > Router(config)#mls nde sender version 5 > ^ > % Invalid input detected at '^' marker. > > Router(config)#mls nde interface > ^ > % Invalid input detected at '^' marker. > > > I have replaced : > mls flow ip interface-full > mls nde sender version 5 > mls nde interface > > By : > mls flow ip full > mls nde sender > > Did anyone have an idea ? > > Any help will be greatly appreciated. _______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
