Are you trying to get hardware and software based NetFlow from your Cisco Catalyst 4506 or Catalyst 6500 series switch? The Introduction to Cisco IOS NetFlow page does a great job explaining how to set this up.  Below is a paste from the document:

The Cisco Catalyst 6500 Series Switch has two aspects of NetFlow configuration, configuration of hardware based NetFlow and software NetFlow. Almost all flows on the Cisco Catalyst 6500 Series Switch are hardware switched and the MLS commands are used to characterize NetFlow in hardware. The MSFC (software based NetFlow) will characterize software based flows for packets that are punted up to the MSFC. Figure 8 shows the concept of two paths for NetFlow packets, the hardware and software paths and the configuration for each path.
Normally on Cisco Catalyst 6500 Series Switch both hardware and software based NetFlow is configured.

Figure 6. NetFlow flow characterization on Cisco Catalyst 6500 Series Switch

The hardware switched flows use the MLS commands to configure NetFlow. Remember for hardware based flows, NetFlow is enabled on all interfaces when configured.

  • mls aging normal 32 (Set aging of inactive flows to 32 seconds)
  • mls flow ip interface-full (Optionally configure a flow mask)
  • mls nde sender version 5 (Specify the version for export from the PFC)
  • mls nde interface (send interface information with the export, command available by default with Supervisor720/Supervisor 32)

The following is the configuration for NetFlow on the MSFC for software based flows. This configuration is equivalent to what is shown in Appendix A. The user configures NetFlow per interface to activate flow characterization and also configures an export destination for the hardware and software switched flows.

interface POS9/14

  • ip address 42.50.31.1 255.255.255.252
  • ip route-cache flow (also ip flow ingress can be used)
  • ip flow-export version 5 (The export version is setup for the software flows exported from the MSFC)
  • ip flow-export destination 10.1.1.209 9999 (The destination for hardware and software flows is specified).

More Information on the Cisco Catalyst 6500 Series Switch NetFlow Configuration can be viewed at: http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html#anchor7

The above is only a paste from the actual page.  I found some great ‘show’ commands on it as well.
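
A collector-side check for the export configured above, added here as an example (it is not from the Cisco document or from any product mentioned on this page): it parses a NetFlow version 5 datagram as it would arrive on UDP port 9999 and flags records whose input and output ifIndex are both zero. Reading that as a sign that interface information is not reaching the collector (for instance `mls nde interface` is missing) is an assumption, and the sample datagram and its addresses are constructed.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record


def parse_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, _, _, _, seq, eng_type, eng_id, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"version {version}, expected 5")
    # A v5 datagram carries 1 to 30 records and nothing after them.
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "packets": f[5], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    header = {"sequence": seq, "engine_type": eng_type, "engine_id": eng_id}
    return header, flows


def missing_interface_info(flows):
    """Flows with both ifIndex fields zero (assumed to mean no interface data was exported)."""
    return [f for f in flows if f["in_if"] == 0 and f["out_if"] == 0]


def build_sample():
    """Constructed datagram: two flows, the second exported without interface indexes."""
    def rec(src, dst, in_if, out_if, sport, dport):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           in_if, out_if, 10, 840, 1000, 2000, sport, dport,
                           0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    header = HEADER.pack(5, 2, 60000, 1700000000, 0, 42, 0, 0, 0)
    return (header + rec("192.0.2.10", "198.51.100.5", 3, 7, 51000, 443)
            + rec("192.0.2.11", "198.51.100.5", 0, 0, 51001, 443))


if __name__ == "__main__":
    hdr, flows = parse_v5(build_sample())
    print(hdr, len(flows), "flows;", len(missing_interface_info(flows)), "without ifIndex")
```

On a live collector the same `parse_v5` call would be fed each datagram read from a UDP socket bound to the port given in `ip flow-export destination`.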

Ingress Vs. Egress
Are you planning on exporting ingress or egress flows? Do you care? If you are troubleshooting the NetFlow configuration of a Catalyst 6500 or 6000 switch you might. “When both the ip flow ingress and ip flow egress are enabled on the BVI interface, then it leads to receive duplicate packets. Usually the netflow is configured either only in ingress or egress, since netflow works on a per interface basis.” Source.

Our NetFlow Analyzer can be used for this type of network traffic monitoring and handles a mix of ingress or egress just fine.  It is one of the few that can!

Mike Patterson

Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
