At the support desk we often help customers set up configurations to enable NetFlow and sFlow on a number of different device types. The device types always seem to come in waves, or what I call, “the flavor of the week.” Last week I set up a number of Cisco ASA firewalls. This week I have been setting up a bunch of Cisco 6500 Catalyst Series Switches.
Often customers initially set these Cisco switches up with the traditional NetFlow commands and then see traffic under reported when looking at details from our NetFlow reporting tool.
When configuring the 6500 Catalyst for flow monitoring you must remember to add the appropriate MLS commands to enable flow monitoring of the Layer 2 switched traffic. We have an excellent 6509 configuration blog that I reference on each of these set up calls that explains all of the commands needed to correctly get the switch configured.
We recommend that you use the INTERFACE-FULL option when configuring the flow mask on the MLS FLOW command.
Why is this important?
The flow mask defines the format of a cache entry in the NetFlow cache table. You can configure the flow mask type depending on your requirement. If all the network admin cares about is aggregated usage statistics on a source or destination IP basis, then the shortened flow masks might be useful. Additionally, shorter mask sizes result in smaller cache/TCAM utilization. But because Scrutinizer is mostly geared toward the application of NetFlow in an enterprise environment our customers usually want to see the full flow information.
This is the list of flow masks available.
- source-only—A less-specific flow mask. One entry for each source IP address is maintained. All flows from a given source IP address use this entry.
- destination—Like source-only, a less-specific flow mask. One entry for each destination IP address is maintained. All flows to a given destination IP address use this entry.
- destination-source—A more-specific flow mask. One entry for each source and destination IP address pair. All flows between same source and destination IP addresses use this entry.
- destination-source-interface—A more-specific flow mask. Adds the source VLAN Simple Network Management Protocol (SNMP) ifIndex to the information in the destination-source flow mask.
- full—A more-specific flow mask. The PFC creates and maintains a separate cache entry for each IP flow. A full entry includes the source IP address, destination IP address, protocol, and protocol interfaces.
- interface-full—The most-specific flow mask. Adds the source VLAN SNMP ifIndex to the information in the full-flow mask.
Here is a diagram that does a great job illustrating the different mls masking options available in the Catalyst 6500.
Check Cisco’s configuration guide for more information on all of the NetFlow configuration commands on the Catalyst 6500 Switch.
If you want help configuring your devices for NetFlow monitoring and export, or if you would like me to show you how Scrutinizer and NetFlow can provide clear visibility into what kind of traffic is taking place on your network.
Give me a call – (207)324-8805