How do I configure NetFlow on my Cisco 6509 Catalyst?

Posted in General, Network Traffic Analysis, Scrutinizer on January 30th, 2009 by Patrick
Buffer

For some reason, this week I’ve been bombarded with questions regarding configuring the 6509 Catalyst for NetFlow.

Being a switch/router hybrid model, the configurations are a little different from standard CISCO routers models, like the 2811, but not too much.

I would also recommend checking out this great resource directly from CISCO to configure the 6509 Catalyst for NetFlow.

With most CISCO routers, there are two sets of commands used to enable NetFlow. However, with the 6509, there are technically three sets of commands.

To enable NetFlow on the router, you need the following:

ip flow-export source (insert interface name here)
ip flow-export version 5
ip flow-export destination (netflow collector ip address) (port to export flows to)
ip flow ingress layer2-switched vlan (insert vlans X,Y,X)

ip flow-cache timeout active 1

Once those are in place, we now need to configure NetFlow for the switched traffic:

mls nde sender version 5
mls flow ip interface-full
mls nde interface
mls aging long 64
mls aging normal 64

After you have configured these globals, you now can configure each of the interfaces themselves for NetFlow:

ip route-cache flow
ip flow ingress

I have discussed the usage of the ip route-cache flow and ip flow ingress commands before. You might want to take look for more details.

That wasn’t so bad, was it?

Patrick

For a 30 day Trial of Scrutinizer, Click Here to Download!

Join the NetFlow Developments group on LinkedIn.

Tags: , , , , , ,

This entry was posted on Friday, January 30th, 2009 at 10:51 am and is filed under General, Network Traffic Analysis, Scrutinizer. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

10 Responses to “How do I configure NetFlow on my Cisco 6509 Catalyst?”

  1. Mike Tehan Says:
    March 10th, 2009 at 5:45 pm

    The document at Cisco describing how to configure NetFlow on the CAT6509 also has instructions to export netflow data gathered from layer 2 (ip flow export layer2-switched …)

    How does this effect the information collected and displayed in Scrutinzer?

  2. Nate Says:
    March 11th, 2009 at 7:15 am

    That’s a great question. I did a little digging on the CISCO website to find the difference and apparently IOS v12.2(18)SXE and later started to support NDE for bridged-traffic on VLANs.

    So ip flow export layer2-switched abc123 has a similar usage as ip flow ingress.

    I have yet to use this command in the 6509′s I’ve configured, but I would be interested in seeing it implemented.

    Anyone have a 6509 I can play with? :)

  3. Mike Tehan Says:
    March 23rd, 2009 at 4:33 pm

    Nate,
    We have turned this up on our two core 6500′s. These two devices are configured identically and we have the layer 2 set up so as long as the primary is alive it will do all of the routing between VLANs. We also assumed that the primary would do all of the switching, too. The NDE data from the “backup” 6500 shows a constant low level flow of traffic through what we thought was an idle switch. (mulitple traffic types on multiple VLANs)

    That’s interesting but the real mystery for me is that Scrutinizer seems to classify all of the traffic from both switches as Outbound. Any thoughts?

  4. kash Says:
    March 23rd, 2010 at 12:01 pm

    hi I am trying to configure Netflow on My 6500
    whihc has Sup 2 and
    MSFC has Cisco IOS whihc is working as a route processor
    and PFC had Catos which is working as a Switch processor
    and i have Setup netflow on my Route processor to monitor vlan 200 but I can only seeing 50 Kbps traffic how ever on physical interface i can 30 Mbps

    I would really appreciate your help

    Regards
    Kash

  5. Nathan Says:
    March 23rd, 2010 at 1:21 pm

    If you want to enable NetFlow using CatOS, you’ll want to use the following example as a guideline:

    Catos(enable)set mls nde enable
    Catos(enable)set mls nde version 5
    Catos(enable)set mls nde 10.1.1.1 9996

  6. What is NetFlow? - NetFlow & sFlow Network Monitoring - Systrax Says:
    July 21st, 2010 at 11:07 am

    [...] more and more vendors are enabling NetFlow or sFlow (sampled flows) on their switches, including Cisco 6500’s, Juniper EX3200/4200, HP Procurve, Enterasys, and many [...]

  7. Shawn Says:
    November 18th, 2011 at 1:34 pm

    Great tutorial! I just inputted these commands on my VSS Bundle.

    But my IOS did not acknowledge the final two commands… but when I checked
    my Neflow application I could see the flows.

    I attempted to input these commands while in interface config mode.

    IOS v: s72033-advipservicesk9_wan-mz.122-33.SXH8

    Could you explain why that is?

  8. Ben Moore Says:
    November 18th, 2011 at 3:10 pm

    Hello Shawn,

    We actually suggest to run just the command of ‘ip route-cache flow’. The reason being, that command is another way of saying ‘ip route ingress’.

    Here is more information here:
    http://www.plixer.com/blog/general/ip-route-cache-flow-or-ip-flow-ingress-which-do-i-use/

    If you have any questions, please let me know.

    Thanks,
    Ben

  9. Allen Says:
    January 11th, 2012 at 7:34 am

    I enabled netflow on the core 6509 but not receiving IN packets for the Fa interface with only showing Out flows. The “ip route-cache flow” is under the Fa interface with an assigned ip. Not sure what else is needed for the global. Please help.

  10. tomp@plixer.com Says:
    January 12th, 2012 at 3:27 pm

    ip route-cache flow is a command that only looks at source traffic on an interface. Since it looks only at one side of the interface, you need to enable all other active interfaces with ip route-cache flow in order to see the other side of that traffic, what comes in one interface needs to go out another. Let me know if that doesn’t make sense.

Leave a Reply