Catalyst 6500

From IPFlow Netflow Collector

Introduction

A Cisco Catalyst 6500 running a Supervisor-IOS image (called "native IOS") can export flows in different ways:

  • By the PFC (Policy Feature Card), for traffic routed in hardware.
  • By the MSFC (Multi-layer Switching Feature Card), for traffic routed in software.


Typically, the PFC exports flows with Netflow v5 or v7. Depending on the IOS release, the MSFC exports flows with Netflow v1, v5, and now v9.

You can refer to this Cisco documentation: Catalyst 6500 - Configuring NetFlow Data Export (NDE) (http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a2b.htm)


IOS configuration

At UTC (http://www.utc.fr), we are currently using a Catalyst 6500 with a SUP720A supervisor card, with IOS 12.2(18)SXD3.

The configuration is:

!
! By default, Netflow v7 is used by the PFC
mls nde sender
!
! MSFC export configuration
ip flow-export source Vlan3
ip flow-export version 9
ip flow-export destination 172.20.0.3 10000
!

Please note that the PFC exports to the same destination as the MSFC: there is no separate export destination for the PFC, it uses the one configured with "ip flow-export destination". The "ip route-cache flow" command is required on the routed interfaces for Netflow on the MSFC.


Displaying Export Statistics

You can easily obtain statistics about Netflow packets sent by the PFC, with the "show mls nde" command:

C6500#sh mls nde 
 Netflow Data Export enabled 
 Exporting flows to  172.20.0.3 (10000)
 Exporting flows from XXX.YYY.ZZZ.W (50192)
 Version: 7
 Include Filter not configured 
 Exclude Filter not configured 
 Total Netflow Data Export Packets are:
    17002494 packets, 0 no packets, 306508524 records
 Total Netflow Data Export Send Errors:
        IPWRITE_NO_FIB = 0
        IPWRITE_ADJ_FAILED = 0
        IPWRITE_PROCESS = 0
        IPWRITE_ENQUEUE_FAILED = 0
        IPWRITE_IPC_FAILED = 0
        IPWRITE_OUTPUT_FAILED = 0
        IPWRITE_MTU_FAILED = 0
        IPWRITE_ENCAPFIX_FAILED = 0
 Netflow Aggregation Disabled 

For the MSFC, the statistics are obtained with the traditional "sh ip flow export" command:

C6500#sh ip flow export 
Flow export v9 is enabled for main cache
  Exporting flows to 172.20.0.3 (10000)
  Exporting using source interface Vlan3
  Version 9 flow records
  215141864 flows exported in 7015004 udp datagrams
  0 flows failed due to lack of export packet
  4 export packets were sent up to process level
  0 export packets were dropped due to no fib
  132 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
  0 export packets were dropped enqueuing for the RP
  0 export packets were dropped due to IPC rate limiting


Displaying the Netflow caches

With the PFC, you have the set of "sh mls netflow [...]" commands:

C6500#sh mls netflow ip nowrap 
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f          :AdjPtr      Pkts         Bytes         Age    LastSeen   Attributes
------------------------------------------------------------------------------------------------------------------------------------------
21.126.239.52   172.18.130.117  tcp :3026   :445      Vl5              :0x0         0            0             93    11:29:22   L3 - Dynamic
82.255.7.94     195.83.155.17   tcp :www    :2636     Vl3              :0x0         42           52025         145   11:28:24   L3 - Dynamic
195.83.155.55   213.48.102.229  tcp :9124   :58903    Vl800            :0x0         14005        15070107      1792  11:30:46   L3 - Dynamic
172.22.5.1      172.16.0.55     udp :137    :137      Vl3              :0x0         1            90            225   11:27:01   L3 - Dynamic
195.83.155.16   64.12.139.7     udp :9253   :dns      Vl800            :0x0         1            84            57    11:29:49   L3 - Dynamic

Remark: there is a "sh mls netflow ipv6" command, but there is no way to export Netflow IPv6 flows at this time.


For the MSFC, the classical "sh ip cache flow" command is still used:

C6500#sh ip ca f
IP packet size distribution (590452090 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .003 .774 .056 .005 .005 .018 .008 .017 .012 .004 .028 .001 .007 .000 .002

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .001 .036 .012 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 6553988 bytes
  644 active, 64892 inactive, 309597612 added
  79224922 ager polls, 0 flow alloc failures
  Active flows timeout in 5 minutes
  Inactive flows timeout in 10 seconds
IP Sub Flow Cache, 270600 bytes
  588 active, 15796 inactive, 145283898 added, 145281457 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never

[... detailed protocol statistics suppressed ...]

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl8           172.21.3.50     Null          172.22.67.47    06 125F 0087     1 
Vl8           172.21.3.50     Null          172.22.67.45    06 125D 0087     1 
Vl8           172.21.3.50     Null          172.22.66.239   06 121F 0087     1 
Vl8           172.21.3.50     Null          172.22.66.237   06 121D 0087     1
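The four flow lines above are worth reading as a security operator would: one source (172.21.3.50) hitting consecutive destinations on port 0x0087 (135/tcp, the RPC endpoint mapper), one packet per flow, with the destination interface Null, so the router dropped every probe. That is the fan-out signature of a host sweeping a range, and it is exactly what a collector should surface. The script below parses "show ip cache flow" rows (ports are hexadecimal in this output) and flags such sources. It is an added example, not IPFlow or Cisco code; SAMPLE is constructed from the page's four rows plus two ordinary flows and is not a capture.

```python
"""Parse "show ip cache flow" rows and flag fan-out probing.

Added example, not IPFlow or Cisco code. SAMPLE is constructed from the four
flow rows on this page plus two ordinary flows; it is not a capture.
Port columns in this output are hexadecimal (0087 = 135/tcp).
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl8           172.21.3.50     Null          172.22.67.47    06 125F 0087     1
Vl8           172.21.3.50     Null          172.22.67.45    06 125D 0087     1
Vl8           172.21.3.50     Null          172.22.66.239   06 121F 0087     1
Vl8           172.21.3.50     Null          172.22.66.237   06 121D 0087     1
Vl3           195.83.155.17   Vl800         82.255.7.94     06 0050 0A4C    42
Vl3           172.16.0.55     Vl8           172.22.5.1      11 0089 0089     1
"""

# One flow row: interface, IP, interface, IP, hex protocol, hex ports, packets.
FLOW_LINE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$")


def parse_cache_flow(text: str) -> List[dict]:
    """Return the flow rows of a "show ip cache flow" dump, skipping the
    header, size distribution and anything else that is not a row."""
    flows = []
    for line in text.splitlines():
        m = FLOW_LINE.match(line)
        if not m:
            continue
        srcif, src, dstif, dst, pr, sp, dp, pkts = m.groups()
        flows.append({"srcif": srcif, "src": src, "dstif": dstif, "dst": dst,
                      "proto": int(pr, 16), "sport": int(sp, 16),
                      "dport": int(dp, 16), "pkts": int(pkts)})
    return flows


def fanout_scanners(flows: List[dict], min_targets: int = 3,
                    max_pkts: int = 2) -> Dict[Tuple[str, int, int], List[str]]:
    """Sources that touched at least min_targets distinct destinations on one
    protocol/port with at most max_pkts packets per flow: the one-packet-per-
    target signature of a host sweeping a range rather than talking to it."""
    targets = defaultdict(set)
    for f in flows:
        if f["pkts"] <= max_pkts:
            targets[(f["src"], f["proto"], f["dport"])].add(f["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


def null_routed(flows: List[dict]) -> List[dict]:
    """Flows whose output interface is Null: the router dropped them (no route
    or a null route), so probes into unused address space land here."""
    return [f for f in flows if f["dstif"].startswith("Null")]


if __name__ == "__main__":
    flows = parse_cache_flow(SAMPLE)
    for (src, proto, dport), dsts in fanout_scanners(flows).items():
        print(f"{src} probed {len(dsts)} hosts on proto {proto} port {dport}: {', '.join(dsts)}")
    print(f"{len(null_routed(flows))} of {len(flows)} flows were dropped to Null")
```

The thresholds are deliberately low so the four-row sample trips them; on a live cache you would raise min_targets and key the counters per time window, but the shape of the check (distinct destinations per source, protocol and port, weighted towards tiny flows) is the same one a collector applies to the exported v7/v9 records.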