Hello,
We have a Cisco 3650 with IOS-XE v03.03.05SE configured as a border
router, and running IP Services.
All physical links are trunk and VLANs (on subinterfaces) are used for
actual terminations.
Netflow (v9) is configured as follows (using Flexible Net Flow - FNF):

flow record CiscoXE1
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
flow exporter ipv4exporter
 destination 195.251.204.<removed>
 source Loopback0
!
flow monitor ipv4monitor
 exporter ipv4exporter
 cache timeout active 15000
 record CiscoXE1
!
vlan configuration 4,8,25,102,133,135
 ip flow monitor ipv4monitor input
!

With this configuration I do get netflow data (with nfdump 1.6.13 /
nfsen 1.3.6p1 on CentOS 5), but graphs remain empty.
Here is some sample raw data received (last octet of ip addresses has
been replaced with xxx):

Flow Record:
  Flags = 0x06 FLOW, Unsampled
  export sysid = 4
  size = 64
  first = 1461155049 [2016-04-20 15:24:09]
  last = 1461155049 [2016-04-20 15:24:09]
  msec_first = 154
  msec_last = 154
  src addr = 195.251.204.xxx
  dst addr = 194.177.210.xxx
  src port = 46462
  dst port = 53
  fwd status = 0
  tcp flags = 0x00 ......
  proto = 17 UDP
  (src)tos = 0
  (in)packets = 1
  (in)bytes = 61
  input = 27
  output = 0

Flow Record:
  Flags = 0x06 FLOW, Unsampled
  export sysid = 4
  size = 64
  first = 1461155039 [2016-04-20 15:23:59]
  last = 1461155063 [2016-04-20 15:24:23]
  msec_first = 154
  msec_last = 154
  src addr = 195.251.203.xxx
  dst addr = 183.3.202.xxx
  src port = 22
  dst port = 60979
  fwd status = 0
  tcp flags = 0x1b .AP.SF
  proto = 6 TCP
  (src)tos = 0
  (in)packets = 22
  (in)bytes = 3413
  input = 3
  output = 0

My profiles seem to have been set up correctly, using the right ifindex
numbers, as determined by (on the Cisco 3650):

#show snmp mib ifmib ifindex | i Vlan
Vlan4: Ifindex = 38
Vlan610: Ifindex = 50
Vlan135: Ifindex = 46
Vlan100: Ifindex = 42
Vlan102: Ifindex = 43
Vlan133: Ifindex = 45
Vlan8: Ifindex = 41
Vlan575: Ifindex = 47
Vlan7: Ifindex = 40
Vlan10: Ifindex = 51
Vlan300: Ifindex = 54
Vlan5: Ifindex = 39
Vlan600: Ifindex = 49
Vlan3: Ifindex = 37
Vlan1: Ifindex = 34
Vlan50: Ifindex = 52
Vlan132: Ifindex = 44
Vlan25: Ifindex = 55
Vlan576: Ifindex = 48

For example, the main traffic (from/to the ISP) moves through VLAN 102:
Ifindex 43. However, I am not getting any traffic for IF 43 in nfsen or
by running nfdump.
On the other hand, traffic data is available for the physical interface
(Gi1/1/1 - ifindex 27), but this will not be really useful. We need to
display traffic per VLAN.
If I understand right, input/output fields in flow records should
contain the ifindex of the interface. It seems that the physical
interface is recorded rather than the vlan ifindex.
Is there something wrong with the above configuration?
Note: If I try to configure netflow in the "conventional" way, it's not
possible:

(config)# interface vlan 102
(config-if)#ip flow monitor ipv4monitor input
% Flow Monitor: Flow Monitor 'ipv4monitor' flexible netflow not
supported on vlan interfaces

It seems to be only possible to configure netflow in "vlan
configuration" mode, as I have done.
Any ideas or suggestions please?
Thanks in advance,
Nick
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
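
An added example, not part of the original post: a Python check that reads nfdump raw records and `show snmp mib ifmib ifindex` output in the formats quoted above, and reports how many bytes were exported against each monitored VLAN's ifIndex versus input values that match no VLAN. The function names are hypothetical, and the sample data is abridged from the post.

```python
import re
from collections import Counter

# Abridged copies of the two flow records and the ifindex lines in the post.
RAW = """Flow Record:
  proto = 17 UDP
  (in)bytes = 61
  input = 27
Flow Record:
  proto = 6 TCP
  (in)bytes = 3413
  input = 3
"""
IFMIB = ("Vlan4: Ifindex = 38\nVlan8: Ifindex = 41\nVlan25: Ifindex = 55\n"
         "Vlan102: Ifindex = 43\nVlan133: Ifindex = 45\nVlan135: Ifindex = 46\n")
MONITORED = [4, 8, 25, 102, 133, 135]  # the "vlan configuration" list

def parse_flow_records(text):
    """One {field: first token} dict per 'Flow Record:' block of nfdump raw output."""
    records = []
    for chunk in text.split("Flow Record:")[1:]:
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition("=")
            if sep and value.strip():
                rec[key.strip()] = value.split()[0]
        records.append(rec)
    return records

def parse_ifindex(text):
    """Map ifIndex -> name from 'show snmp mib ifmib ifindex' output."""
    return {int(i): n for n, i in re.findall(r"(\S+): Ifindex = (\d+)", text)}

def audit(records, ifmap, vlans):
    """Return (bytes per monitored VLAN, bytes per input ifIndex that is no SVI)."""
    totals = Counter()
    for rec in records:  # records lacking a field are counted under input 0 / 0 bytes
        totals[int(rec.get("input", 0))] += int(rec.get("(in)bytes", 0))
    by_name = {name: idx for idx, name in ifmap.items()}
    per_vlan = {v: totals.get(by_name[f"Vlan{v}"], 0) for v in vlans}
    unmapped = {idx: n for idx, n in totals.items() if idx not in ifmap}
    return per_vlan, unmapped

if __name__ == "__main__":
    per_vlan, unmapped = audit(parse_flow_records(RAW), parse_ifindex(IFMIB), MONITORED)
    print("bytes per monitored VLAN:", per_vlan)
    print("bytes on inputs that match no VLAN ifIndex:", unmapped)
```

On the sample records every monitored VLAN shows 0 bytes while inputs 27 and 3 carry all of them, which is consistent with a profile filtered on ifIndex 43 matching nothing.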