OK I see thanks David. Let me set this up and give it a try, I will let you know how it works out.
Thanks to everyone for all the help. -----Original Message----- From: David Mitchell [mailto:[email protected]] Sent: Monday, March 08, 2010 1:36 PM To: Travis Formoso Cc: Drew Weaver; [email protected] Subject: Re: [Flow-tools] Setting up NetFlow on 6509 Travis Formoso wrote: > OK I am starting to understand this. The problem is that I did use the > export command for each VLAN so that caused them to come in as > different sources. > > So for each interface (VLANS in this case) I would need to do: > > ip route-cache flow > > And then use the export command once to reach where I am collecting > data. The question I have is when I use this command: > > "ip flow-export source" what is the interface I will use at the end of > that command? Or do I just need to do: It doesn't actually matter much what you use as the source address. It's only significance is really that that's how your receiver is going to organize the data. You don't want to have to change the source address in the future, so pick an interface you don't expect will ever move or go away. That's why most of us use our loopbacks, because they don't tend to change as subnets come and go. But really, in your case, just pick something and don't sweat it too much. -David Mitchell > > ip flow-export destination? > > Thanks > > -----Original Message----- > From: David Mitchell [mailto:[email protected]] > Sent: Monday, March 08, 2010 1:24 PM > To: Travis Formoso > Cc: Drew Weaver; [email protected] > Subject: Re: [Flow-tools] Setting up NetFlow on 6509 > > Travis Formoso wrote: >> Drew, >> >> Right (I have to use ip route-cache because the ip flow ingress >> command does not work, might be our version,) however I still would >> need to the export command to let it know where to send the data to. > > The 'ip flow-export' commands are all global and only need to be > specified once no matter how many interfaces you are monitoring. > Netflow export has two main pieces of configuration. The per-interface > configuration which gets data into the flow cache is one piece. It is > repeated multiple times. The other piece is the configuration for > where to send the data from the flow cache. Normally, it is only > specified once. It is possible to have multiple netflow analysis > servers which each get copies of the data, but it doesn't sound like > that's your situation. > > -David Mitchell > >> Once I do the export on the two different vlans (will be more) it >> comes in the netflow program I am using as 2 different sources. >> >> -----Original Message----- >> From: Drew Weaver [mailto:[email protected]] >> Sent: Monday, March 08, 2010 1:03 PM >> To: Travis Formoso >> Cc: [email protected] >> Subject: RE: [Flow-tools] Setting up NetFlow on 6509 >> >> You just add the ip route-cache flow or ip flow ingress on each >> interface you want monitored. >> >> >> >> -----Original Message----- >> From: [email protected] >> [mailto:[email protected]] On Behalf Of Travis >> Formoso >> Sent: Monday, March 08, 2010 1:00 PM >> To: David Mitchell >> Cc: [email protected] >> Subject: RE: [Flow-tools] Setting up NetFlow on 6509 >> >> David, >> >> If I wanted to add a second VLAN I would do: >> >> Ip flow-export source vlan11 etc.. >> >> Once I do that it adds it as a second 'source.' I want to be able to >> monitor the 6509 with all VLANS and have it read as once source, >> because I am only licensed for 5 sources, however a source is >> considered a router/switch, but when I set this up with the VLAN's as >> above, they come in as separate sources. >> >> Is there another way to do it that I am missing? >> >> Thank you >> >> -----Original Message----- >> From: David Mitchell [mailto:[email protected]] >> Sent: Monday, March 08, 2010 12:55 PM >> To: Travis Formoso >> Cc: [email protected] >> Subject: Re: [Flow-tools] Setting up NetFlow on 6509 >> >> Travis, >> >> when you add the second VLAN to monitor, do you add an additional >> source command? >> >>> ip flow-export source vlan10 >> You only need this command once. You also don't need it to be a >> loopback. If you have a loopback, then it's a good choice to use. But >> you don't need to create one just for this. All this command does is >> tell IOS what source address to use in outgoing netflow data packets. >> You could probably get away with not specify it at all, but then >> there > >> is a chance that unrelated configuration changes would affect your >> netflow exports. >> >> -David Mitchell >> >> >> >> Travis Formoso wrote: >>> Greg, >>> >>> We are not running IOS-XR, however this is almost the same and I can >>> set this up. >>> >>> With the loopback0 interface setup what are the commands I need to >>> run, so that I am monitoring this device correctly with netflow? >>> Would >> it be: >>> >>> ip flow-export source loopback0 >>> ip flow-export version 5 >>> ip flow-export destination 172.20.200.50 >>> >>> Now I configure netflow for switched traffic: >>> mls nde sender version 5 >>> mls flow ip interface-full >>> mls nde interface >>> >>> On the interface (loopback0): (Not sure if this is needed for the >>> loopback interface?) ip route-cache flow >>> >>> Thanks for the help. >>> >>> ________________________________ >>> >>> From: Volk,Gregory B [mailto:[email protected]] >>> Sent: Monday, March 08, 2010 11:50 AM >>> To: Travis Formoso; [email protected] >>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509 >>> >>> >>>> What should the loopback interface look like? >>>> >>> >>> Here's what one of mine looks like, but it requires some config >>> integration with OSPF, assuming you're running OSPF. >>> >>> >>> router#sho run int lo0 >>> Building configuration... >>> >>> Current configuration : 128 bytes >>> ! >>> interface Loopback0 >>> description *** MANAGEMENT & OSPF ID *** ip address 10.130.25.1 >>> 255.255.255.255 ip pim sparse-mode end >>> >>> router# >>> >>> >>> This doc from cisco... >>> http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/interfaces/conf >>> i g ur ation/guide/hc3loop.html ...may help, but it's for IOS-XR. >>> >>> >>> >>> >>> >>> >>> ________________________________ >>> >>> From: Travis Formoso [mailto:[email protected]] >>> Sent: Monday, March 08, 2010 10:30 AM >>> To: Volk,Gregory B; [email protected] >>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509 >>> >>> >>> Hey Greg, >>> >>> On the 6509 there is currently no loopback interface so I will >> need >>> to set this up. >>> >>> What should the loopback interface look like? >>> >>> Also once I set it to this loopback I will not need to export to >> the >>> VLAN's as this would monitor all the ports? >>> >>> Thanks >>> >>> ________________________________ >>> >>> From: Volk,Gregory B [mailto:[email protected]] >>> Sent: Monday, March 08, 2010 11:19 AM >>> To: Travis Formoso; [email protected] >>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509 >>> >>> >>> Have you tried setting the source to a non-vlan (physical or >>> loopback) interface like: >>> >>> ip flow-export source Loopback0 >>> >>> I don't know if that will fix your issue, but I always source my >>> netflow data from a loopback interface that is dedicated for >>> management traffic. >>> >>> >>> >>> >>> >>> If you are not the intended recipient of this message >> (including >>> attachments), or if you have received this message in error, >>> immediately notify us and delete it and any attachments. If you no >>> longer wish to receive e-mail from Edward Jones, please send this >>> request to [email protected]. You must include the e-mail >>> address that you wish not to receive e-mail communications. For >>> important additional information related to this e-mail, visit >>> www.edwardjones.com/US_email_disclosure >>> <http://www.edwardjones.com/US_email_disclosure> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> ________________________________ >>> >>> From: [email protected] >>> [mailto:[email protected]] On Behalf Of Travis >>> Formoso >>> Sent: Monday, March 08, 2010 9:47 AM >>> To: [email protected] >>> Subject: [Flow-tools] Setting up NetFlow on 6509 >>> >>> >>> Hello all, >>> >>> I am trying to setup a NetFlow product on our 6509. We >> have a number >>> of different VLAN's across our network and I think I would want to >>> monitor those VLAN's and that should capture the traffic on the >>> 6509 (correct me if I am wrong.) The way the product is licensed is >>> by source (a source is a router or switch.) When I try to setup >>> netflow each VLAN comes in as a different source and I would like it >>> if I can > >>> use the 6509 as just once source. Here are the commands I am using >>> to > >>> set this up. >>> >>> in configuration mode: >>> >>> ip flow-export source vlan10 >>> ip flow-export version 5 >>> ip flow-export destination 172.20.200.50 >>> >>> Now I configure netflow for switched traffic: >>> mls nde sender version 5 >>> mls flow ip interface-full >>> mls nde interface >>> >>> On the interface (vlan 10): >>> ip route-cache flow >>> >>> After doing that I see that incoming traffic is being >> monitored by >>> NetFlow, however as said that interface (VLAN) is coming in as a >>> source, so if I configure another VLAN I now have 2 sources, but I >>> would like to set this up so the 6509 is just one source, monitoring >>> all the VLAN's. >>> >>> I wanted to know if these commands are correct, if I >> should be >>> monitoring the VLAN's and if anyone knows how to set this up as >>> explained above with the 6509 as one source. >>> >>> Thank you, >>> >>> Travis >>> >>> >>> >>> >>> >>> -------------------------------------------------------------------- >>> - >>> - >>> -- >>> >>> _______________________________________________ >>> Flow-tools mailing list >>> [email protected] >>> http://mailman.splintered.net/mailman/listinfo/flow-tools >> >> -- >> ----------------------------------------------------------------- >> | David Mitchell ([email protected]) Network Engineer IV | >> | Tel: (303) 497-1845 National Center for | >> | FAX: (303) 497-1818 Atmospheric Research | >> ----------------------------------------------------------------- >> _______________________________________________ >> Flow-tools mailing list >> [email protected] >> http://mailman.splintered.net/mailman/listinfo/flow-tools >> _______________________________________________ >> Flow-tools mailing list >> [email protected] >> http://mailman.splintered.net/mailman/listinfo/flow-tools > > > -- > ----------------------------------------------------------------- > | David Mitchell ([email protected]) Network Engineer IV | > | Tel: (303) 497-1845 National Center for | > | FAX: (303) 497-1818 Atmospheric Research | > ----------------------------------------------------------------- -- ----------------------------------------------------------------- | David Mitchell ([email protected]) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | ----------------------------------------------------------------- _______________________________________________ Flow-tools mailing list [email protected] http://mailman.splintered.net/mailman/listinfo/flow-tools
