For some reason, this week I’ve been bombarded with questions regarding configuring the 6509 Catalyst for NetFlow.

Being a switch/router hybrid model, the configurations are a little different from those of standard CISCO router models, like the 2811, but not by much.

I would also recommend checking out this great resource directly from CISCO to configure the 6509 Catalyst for NetFlow.

With most CISCO routers, there are two sets of commands used to enable NetFlow. However, with the 6509, there are technically three sets of commands.

To enable NetFlow on the router, you need the following:

ip flow-export source (insert interface name here)
ip flow-export version 5
ip flow-export destination (netflow collector ip address) (port to export flows to)
ip flow ingress layer2-switched vlan (insert vlans X,Y,Z)

ip flow-cache timeout active 1

Once those are in place, we now need to configure NetFlow for the switched traffic:

mls nde sender version 5
mls flow ip interface-full
mls nde interface
mls aging long 64
mls aging normal 64

After you have configured these globals, you now can configure each of the interfaces themselves for NetFlow:

ip route-cache flow

or

ip flow ingress

I have discussed the usage of the ip route-cache flow and ip flow ingress commands before. You might want to take a look for more details.
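As an added example that is not part of the original post or Plixer's tooling, here is a small Python audit that reads a running-config and reports which of the global and MLS statements above are absent, and which routed interfaces (those carrying an ip address) have neither ip route-cache flow nor ip flow ingress; the sample config it checks is constructed for the example and the patterns assume the command sets exactly as listed in this post.

```python
import re
# Constructed sample running-config (not from a real device): the global export
# and MLS commands from the post, but FastEthernet1/2 is routed and never enabled.
SAMPLE_CONFIG = """\
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 10.0.0.50 2055
mls nde sender version 5
mls flow ip interface-full
mls nde interface
!
interface FastEthernet1/1
 ip address 192.0.2.1 255.255.255.0
 ip route-cache flow
!
interface FastEthernet1/2
 ip address 198.51.100.1 255.255.255.0
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip flow ingress
!
"""
# Global statements the post lists as required on the 6509.
REQUIRED_GLOBALS = [
    r"^ip flow-export source \S+",
    r"^ip flow-export version 5$",
    r"^ip flow-export destination \S+ \d+$",
    r"^mls nde sender version 5$",
    r"^mls flow ip interface-full$",
    r"^mls nde interface$",
]
def audit_netflow(config):
    """Return (missing global patterns, routed interfaces lacking NetFlow)."""
    lines = config.splitlines()
    missing = [p for p in REQUIRED_GLOBALS if not any(re.match(p, l) for l in lines)]
    unmonitored, current, routed, enabled = [], None, False, False
    for line in lines + ["!"]:           # extra "!" closes the last block
        text = line.strip()
        if line.startswith("interface "):
            current, routed, enabled = line.split(None, 1)[1], False, False
        elif current and text.startswith("ip address "):
            routed = True                # only routed ports take these commands
        elif current and text in ("ip route-cache flow", "ip flow ingress"):
            enabled = True
        elif current and text == "!":    # end of the interface block
            if routed and not enabled:
                unmonitored.append(current)
            current = None
    return missing, unmonitored
```

An interface that appears in the second list is the usual reason a collector shows only one direction of a conversation, since each side of the traffic is exported by the interface it enters.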

That wasn’t so bad, was it?

Ryan Slosser

My name is Ryan. I work in development here at Plixer. I mostly deal with hardware deployment. I enjoy kayaking and fishing during the summer and skiing in the winter. People can count on me and I always give 100% unless I'm donating blood.


16 comments on “How do I configure NetFlow on my Cisco 6509 Catalyst?”

  1. The document at Cisco describing how to configure NetFlow on the CAT6509 also has instructions to export NetFlow data gathered from layer 2 (ip flow export layer2-switched …)

    How does this affect the information collected and displayed in Scrutinizer?

  2. That’s a great question. I did a little digging on the CISCO website to find the difference and apparently IOS v12.2(18)SXE and later started to support NDE for bridged-traffic on VLANs.

    So ip flow export layer2-switched abc123 has a similar usage as ip flow ingress.

    I have yet to use this command in the 6509’s I’ve configured, but I would be interested in seeing it implemented.

    Anyone have a 6509 I can play with? 🙂

  3. Nate,
    We have turned this up on our two core 6500’s. These two devices are configured identically and we have the layer 2 set up so as long as the primary is alive it will do all of the routing between VLANs. We also assumed that the primary would do all of the switching, too. The NDE data from the “backup” 6500 shows a constant low level flow of traffic through what we thought was an idle switch (multiple traffic types on multiple VLANs).

    That’s interesting but the real mystery for me is that Scrutinizer seems to classify all of the traffic from both switches as Outbound. Any thoughts?

  4. Hi, I am trying to configure NetFlow on my 6500, which has a Sup 2. The MSFC has Cisco IOS and is working as the route processor, and the PFC has CatOS and is working as the switch processor. I have set up NetFlow on my route processor to monitor VLAN 200, but I can only see 50 Kbps of traffic; however, on the physical interface I can see 30 Mbps.

    I would really appreciate your help

    Regards
    Kash

  5. If you want to enable NetFlow using CatOS, you’ll want to use the following example as a guideline:

    Catos(enable)set mls nde enable
    Catos(enable)set mls nde version 5
    Catos(enable)set mls nde 10.1.1.1 9996

  6. Great tutorial! I just inputted these commands on my VSS Bundle.

    But my IOS did not acknowledge the final two commands… but when I checked
    my NetFlow application I could see the flows.

    I attempted to input these commands while in interface config mode.

    IOS v: s72033-advipservicesk9_wan-mz.122-33.SXH8

    Could you explain why that is?

  7. I enabled NetFlow on the core 6509 but am not receiving IN packets for the Fa interface; it is only showing Out flows. The “ip route-cache flow” is under the Fa interface with an assigned IP. Not sure what else is needed for the global. Please help.

    1. ip route-cache flow is a command that only looks at source traffic on an interface. Since it looks only at one side of the interface, you need to enable all other active interfaces with ip route-cache flow in order to see the other side of that traffic, what comes in one interface needs to go out another. Let me know if that doesn’t make sense.

  8. Hi,

    I have many L2 port channels configured as L2 trunk interfaces. I would like to get the NetFlow information from these port channels so that I can see which VLANs, and how much traffic per VLAN, source IP, etc., use each of these L2 port channels.

    Is this possible?

  9. Hi Johan,

    You can configure the MLS commands and use the ip flow ingress layer2-switched vlan command to specify the VLAN(s) that you want to monitor. Then you can select the VLANs that make up a particular port channel in a report to see things like top source IPs, conversations, and applications.
