From uttam.shrestha.rana at gmail.com Thu Mar 4 01:56:46 2010
From: uttam.shrestha.rana at gmail.com (Uttam Shrestha Rana)
Date: Thu Mar 4 01:56:52 2010
Subject: [Flow-tools] Flow- Tools help on configuration.
Message-ID: <75af52521003032256y4ab4a46bsa8322e63bd89b158@mail.gmail.com>

Dear All,

I have configured (Juniper M10i) sampling of input traffic on all the interfaces, and configured forwarding-option with max-packet per second 7000, rate 100 and run-length 0, which means 1 packet out of 100. I am using RE based sampling. On the server side we are using flow-tool FlowScan as a data collector. In my view the router is exporting exactly as we have configured on the forwarding-option. But we want a somewhat exact level (our total BW as we can see on MRTG) traffic graph on the flow-tool FlowScan data collector. To do this I think there can be an option on flow-tool so it can calculate the exported data and show exact traffic.

Is there any idea how? If some example of it is provided, it will be a great help from excellence like you.

Thank you,

Regards,
Uttam

From drew.weaver at thenap.com Thu Mar 4 07:55:44 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu Mar 4 07:55:49 2010
Subject: [Flow-tools] Flow- Tools help on configuration.
In-Reply-To: <75af52521003032256y4ab4a46bsa8322e63bd89b158@mail.gmail.com>
References: <75af52521003032256y4ab4a46bsa8322e63bd89b158@mail.gmail.com>
Message-ID:

Why wouldn't you just use RTG (SNMP) for this, since that is what it was made for? NetFlow accounting is almost always inaccurate by a power of 10.

thanks,
-Drew

From jloiacon at csc.com Thu Mar 4 08:59:49 2010
From: jloiacon at csc.com (Joe Loiacono)
Date: Thu Mar 4 09:00:03 2010
Subject: [Flow-tools] Flow- Tools help on configuration.
In-Reply-To: <75af52521003032256y4ab4a46bsa8322e63bd89b158@mail.gmail.com>
References: <75af52521003032256y4ab4a46bsa8322e63bd89b158@mail.gmail.com>
Message-ID:

Uttam,

FlowViewer, an easy-install web companion tool for flow-tools, has an option to view results adjusted for sampling.

http://ensight.eos.nasa.gov/FlowViewer

Joe Loiacono
Network Engineering, Sr. Principal Leader
CSC

From eugene.ray at gmail.com Thu Mar 4 12:24:27 2010
From: eugene.ray at gmail.com (Eugene Ray)
Date: Thu Mar 4 12:24:44 2010
Subject: [Flow-tools] Flow- Tools help on configuration.
In-Reply-To: <75af52521003032256y4ab4a46bsa8322e63bd89b158@mail.gmail.com>
References: <75af52521003032256y4ab4a46bsa8322e63bd89b158@mail.gmail.com>
Message-ID: <125c21281003040924k1a661edy22993910d2a9deed@mail.gmail.com>

Hi Uttam,

You cannot see *exact* traffic with flow sampling, and you can't have Junipers exporting flows without some sampling (at least this is how it was a year ago). But maybe you can bring it down to 1:50 or 1:30 depending on your traffic. In any case you will get an estimated traffic, not exact.

If you are simply interested in more detailed reports than graphs, then sure flow-tools will work for you. There are several different utilities that can do different things, you probably can learn a lot from the man pages, while you are trying to figure out what exactly you want to calculate/report.

Thanks,
Eugene

From tformoso at Syracuse.com Mon Mar 8 10:46:55 2010
From: tformoso at Syracuse.com (Travis Formoso)
Date: Mon Mar 8 10:47:00 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
Message-ID: <085C512A01485B478CD34223F939F91901981B21@EXCHANGE.Syracuse.Local>

Hello all,

I am trying to set up a NetFlow product on our 6509. We have a number of different VLANs across our network and I think I would want to monitor those VLANs and that should capture the traffic on the 6509 (correct me if I am wrong). The way the product is licensed is by source (a source is a router or switch). When I try to set up netflow each VLAN comes in as a different source and I would like it if I can use the 6509 as just one source.

Here are the commands I am using to set this up.

In configuration mode:

    ip flow-export source vlan10
    ip flow-export version 5
    ip flow-export destination 172.20.200.50

Now I configure netflow for switched traffic:

    mls nde sender version 5
    mls flow ip interface-full
    mls nde interface

On the interface (vlan 10):

    ip route-cache flow

After doing that I see that incoming traffic is being monitored by NetFlow, however as said that interface (VLAN) is coming in as a source, so if I configure another VLAN I now have 2 sources, but I would like to set this up so the 6509 is just one source, monitoring all the VLANs.

I wanted to know if these commands are correct, if I should be monitoring the VLANs and if anyone knows how to set this up as explained above with the 6509 as one source.

Thank you,
Travis

From greg.volk at edwardjones.com Mon Mar 8 11:18:49 2010
From: greg.volk at edwardjones.com (Volk,Gregory B)
Date: Mon Mar 8 11:18:53 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B21@EXCHANGE.Syracuse.Local>
References: <085C512A01485B478CD34223F939F91901981B21@EXCHANGE.Syracuse.Local>
Message-ID: <358F7D4F4C922249B11B3849AC18747CA39207@nwpsrv07.edj.ad.edwardjones.com>

Have you tried setting the source to a non-vlan (physical or loopback) interface like:

    ip flow-export source Loopback0

I don't know if that will fix your issue, but I always source my netflow data from a loopback interface that is dedicated for management traffic.

From tformoso at Syracuse.com Mon Mar 8 11:30:05 2010
From: tformoso at Syracuse.com (Travis Formoso)
Date: Mon Mar 8 11:30:08 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <358F7D4F4C922249B11B3849AC18747CA39207@nwpsrv07.edj.ad.edwardjones.com>
Message-ID: <085C512A01485B478CD34223F939F91901981B25@EXCHANGE.Syracuse.Local>

Hey Greg,

On the 6509 there is currently no loopback interface so I will need to set this up. What should the loopback interface look like? Also once I set it to this loopback I will not need to export to the VLANs as this would monitor all the ports?

Thanks

From greg.volk at edwardjones.com Mon Mar 8 11:50:21 2010
From: greg.volk at edwardjones.com (Volk,Gregory B)
Date: Mon Mar 8 11:50:25 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B25@EXCHANGE.Syracuse.Local>
References: <358F7D4F4C922249B11B3849AC18747CA39207@nwpsrv07.edj.ad.edwardjones.com> <085C512A01485B478CD34223F939F91901981B25@EXCHANGE.Syracuse.Local>
Message-ID: <358F7D4F4C922249B11B3849AC18747CA3925F@nwpsrv07.edj.ad.edwardjones.com>

> What should the loopback interface look like?

Here's what one of mine looks like, but it requires some config integration with OSPF, assuming you're running OSPF.

    router#sho run int lo0
    Building configuration...

    Current configuration : 128 bytes
    !
    interface Loopback0
     description *** MANAGEMENT & OSPF ID ***
     ip address 10.130.25.1 255.255.255.255
     ip pim sparse-mode
    end

    router#

This doc from cisco...

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/interfaces/configuration/guide/hc3loop.html

...may help, but it's for IOS-XR.

From tformoso at Syracuse.com Mon Mar 8 11:57:12 2010
From: tformoso at Syracuse.com (Travis Formoso)
Date: Mon Mar 8 11:57:16 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <358F7D4F4C922249B11B3849AC18747CA3925F@nwpsrv07.edj.ad.edwardjones.com>
Message-ID: <085C512A01485B478CD34223F939F91901981B26@EXCHANGE.Syracuse.Local>

Greg,

We are not running IOS-XR, however this is almost the same and I can set this up. With the loopback0 interface set up, what are the commands I need to run, so that I am monitoring this device correctly with netflow?

Would it be:

    ip flow-export source loopback0
    ip flow-export version 5
    ip flow-export destination 172.20.200.50

Now I configure netflow for switched traffic:

    mls nde sender version 5
    mls flow ip interface-full
    mls nde interface

On the interface (loopback0): (Not sure if this is needed for the loopback interface?)

    ip route-cache flow

Thanks for the help.

From drew.weaver at thenap.com Mon Mar 8 12:12:47 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon Mar 8 12:12:50 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B26@EXCHANGE.Syracuse.Local>
References: <358F7D4F4C922249B11B3849AC18747CA3925F@nwpsrv07.edj.ad.edwardjones.com> <085C512A01485B478CD34223F939F91901981B26@EXCHANGE.Syracuse.Local>
Message-ID:

Be really careful with NetFlow on the 6500; it can easily crush the Supervisor if you're not careful.
URL: http://mailman.splintered.net/pipermail/flow-tools/attachments/20100308/bcdfdc81/attachment.htm

From tformoso at Syracuse.com Mon Mar 8 12:17:17 2010
From: tformoso at Syracuse.com (Travis Formoso)
Date: Mon Mar 8 12:17:59 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To:
Message-ID: <085C512A01485B478CD34223F939F91901981B28@EXCHANGE.Syracuse.Local>

Thanks Drew.

This is my first time setting up NetFlow on a 6509 and the last thing I want to do is have problems. How does NetFlow crush the supervisor? What should I watch out for so that does not happen?

Thanks

________________________________

From: Drew Weaver [mailto:drew.weaver@thenap.com]
Sent: Monday, March 08, 2010 12:13 PM
To: Travis Formoso
Cc: 'flow-tools@list.splintered.net'
Subject: RE: [Flow-tools] Setting up NetFlow on 6509

Be really careful with NetFlow on the 6500 it can easily crush the Supervisor if you're not careful.

From: flow-tools-bounces@list.splintered.net [mailto:flow-tools-bounces@list.splintered.net] On Behalf Of Travis Formoso
Sent: Monday, March 08, 2010 11:57 AM
To: Volk,Gregory B; flow-tools@list.splintered.net
Subject: RE: [Flow-tools] Setting up NetFlow on 6509

Greg,

We are not running IOS-XR, however this is almost the same and I can set this up.

With the loopback0 interface setup what are the commands I need to run, so that I am monitoring this device correctly with netflow? Would it be:

ip flow-export source loopback0
ip flow-export version 5
ip flow-export destination 172.20.200.50

Now I configure netflow for switched traffic:
mls nde sender version 5
mls flow ip interface-full
mls nde interface

On the interface (loopback0): (Not sure if this is needed for the loopback interface?)
ip route-cache flow

Thanks for the help.

________________________________

From: Volk,Gregory B [mailto:greg.volk@edwardjones.com]
Sent: Monday, March 08, 2010 11:50 AM
To: Travis Formoso; flow-tools@list.splintered.net
Subject: RE: [Flow-tools] Setting up NetFlow on 6509

>
>What should the loopback interface look like?
>

Here's what one of mine looks like, but it requires some config integration with OSPF, assuming you're running OSPF.

router#sho run int lo0
Building configuration...

Current configuration : 128 bytes
!
interface Loopback0
 description *** MANAGEMENT & OSPF ID ***
 ip address 10.130.25.1 255.255.255.255
 ip pim sparse-mode
end

router#

This doc from cisco...
http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/interfaces/configuration/guide/hc3loop.html
...may help, but it's for IOS-XR.

________________________________

From: Travis Formoso [mailto:tformoso@Syracuse.com]
Sent: Monday, March 08, 2010 10:30 AM
To: Volk,Gregory B; flow-tools@list.splintered.net
Subject: RE: [Flow-tools] Setting up NetFlow on 6509

Hey Greg,

On the 6509 there is currently no loopback interface so I will need to set this up.

What should the loopback interface look like?

Also once I set it to this loopback I will not need to export to the VLAN's as this would monitor all the ports?

Thanks

________________________________

From: Volk,Gregory B [mailto:greg.volk@edwardjones.com]
Sent: Monday, March 08, 2010 11:19 AM
To: Travis Formoso; flow-tools@list.splintered.net
Subject: RE: [Flow-tools] Setting up NetFlow on 6509

Have you tried setting the source to a non-vlan (physical or loopback) interface like:

ip flow-export source Loopback0

I don't know if that will fix your issue, but I always source my netflow data from a loopback interface that is dedicated for management traffic.

If you are not the intended recipient of this message (including attachments), or if you have received this message in error, immediately notify us and delete it and any attachments.
If you no longer wish to receive e-mail from Edward Jones, please send this request to messages@edwardjones.com. You must include the e-mail address that you wish not to receive e-mail communications. For important additional information related to this e-mail, visit www.edwardjones.com/US_email_disclosure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.splintered.net/pipermail/flow-tools/attachments/20100308/7cfbd1d3/attachment-0001.htm

From Ken.Hagen at seattle.gov Mon Mar 8 12:21:50 2010
From: Ken.Hagen at seattle.gov (Hagen, Ken)
Date: Mon Mar 8 12:21:57 2010
Subject: [Flow-tools] unsubscribe
Message-ID:

Ken Hagen CCNP
Department of Information Technology
City of Seattle
W: (206) 386-1503
C: (206) 255-8391
E: ken.hagen@seattle.gov
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.splintered.net/pipermail/flow-tools/attachments/20100308/d040cf79/attachment.htm

From greg.volk at edwardjones.com Mon Mar 8 12:29:48 2010
From: greg.volk at edwardjones.com (Volk,Gregory B)
Date: Mon Mar 8 12:29:54 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B26@EXCHANGE.Syracuse.Local>
References: <358F7D4F4C922249B11B3849AC18747CA3925F@nwpsrv07.edj.ad.edwardjones.com> <085C512A01485B478CD34223F939F91901981B26@EXCHANGE.Syracuse.Local>
Message-ID: <358F7D4F4C922249B11B3849AC18747CA392B1@nwpsrv07.edj.ad.edwardjones.com>

It's been a while since I exported netflow data from a 65xx box, but I think this is the config I used in the past:

ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-export destination 192.168.137.7 2055
mls aging fast threshold 1
mls aging long 300
mls flow ip full
mls nde sender

Be advised tho that netflow requires resources from a router utilization perspective. It does require some CPU to generate those UDP datagrams and populate them with data. You may want to test these commands prior to implementation, or at least implement during a low traffic time and watch the CPU.

I stopped using netflow data from my 65xx's several years ago when we went to IOS 12.2(18)SXD7 because that IOS had a bug where the netflow data was bogus. We are in the process of upgrading to 6509-E's with sup720's so I'm looking forward to getting the data back now.
I don't know how applicable the above commands are to more recent IOS versions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.splintered.net/pipermail/flow-tools/attachments/20100308/31d32da0/attachment-0001.htm

From tformoso at Syracuse.com Mon Mar 8 12:42:30 2010
From: tformoso at Syracuse.com (Travis Formoso)
Date: Mon Mar 8 12:42:32 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <358F7D4F4C922249B11B3849AC18747CA392B1@nwpsrv07.edj.ad.edwardjones.com>
Message-ID: <085C512A01485B478CD34223F939F91901981B2D@EXCHANGE.Syracuse.Local>

Greg,

One question before setting up the loopback0 interface. Does it matter what IP address I use (obviously not one in use.)?
Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.splintered.net/pipermail/flow-tools/attachments/20100308/6395c233/attachment.htm

From drew.weaver at thenap.com Mon Mar 8 12:46:15 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon Mar 8 12:46:18 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B2D@EXCHANGE.Syracuse.Local>
References: <358F7D4F4C922249B11B3849AC18747CA392B1@nwpsrv07.edj.ad.edwardjones.com> <085C512A01485B478CD34223F939F91901981B2D@EXCHANGE.Syracuse.Local>
Message-ID:

That is probably outside of the scope of this mailing list and leans into routing protocols and the like.

-Drew
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.splintered.net/pipermail/flow-tools/attachments/20100308/1eb898d2/attachment-0001.htm

From mitchell at ucar.edu Mon Mar 8 12:54:39 2010
From: mitchell at ucar.edu (David Mitchell)
Date: Mon Mar 8 12:54:42 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B26@EXCHANGE.Syracuse.Local>
References: <085C512A01485B478CD34223F939F91901981B26@EXCHANGE.Syracuse.Local>
Message-ID: <4B9539DF.1090300@ucar.edu>

Travis, when you add the second VLAN to monitor, do you add an additional source command?

> ip flow-export source vlan10

You only need this command once. You also don't need it to be a loopback. If you have a loopback, then it's a good choice to use. But you don't need to create one just for this. All this command does is tell IOS what source address to use in outgoing netflow data packets.
You could probably get away with not specify it at all, but then there is a chance that unrelated configuration changes would affect your netflow exports.

-David Mitchell

--
-----------------------------------------------------------------
| David Mitchell (mitchell@ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------

From tformoso at Syracuse.com Mon Mar 8 12:59:39 2010
From: tformoso at Syracuse.com (Travis Formoso)
Date: Mon Mar 8 13:00:30 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <4B9539DF.1090300@ucar.edu>
Message-ID: <085C512A01485B478CD34223F939F91901981B2E@EXCHANGE.Syracuse.Local>

David,

If I wanted to add a second VLAN I would do:

Ip flow-export source vlan11 etc..

Once I do that it adds it as a second 'source.' I want to be able to monitor the 6509 with all VLANS and have it read as once source, because I am only licensed for 5 sources, however a source is considered a router/switch, but when I set this up with the VLAN's as above, they come in as separate sources.

Is there another way to do it that I am missing?

Thank you

From drew.weaver at thenap.com Mon Mar 8 13:03:07 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon Mar 8 13:03:11 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B2E@EXCHANGE.Syracuse.Local>
References: <4B9539DF.1090300@ucar.edu> <085C512A01485B478CD34223F939F91901981B2E@EXCHANGE.Syracuse.Local>
Message-ID:

You just add the ip route-cache flow or ip flow ingress on each interface you want
monitored.

From tformoso at Syracuse.com Mon Mar 8 13:05:56 2010
From: tformoso at Syracuse.com (Travis Formoso)
Date: Mon Mar 8 13:07:00 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To:
Message-ID: <085C512A01485B478CD34223F939F91901981B2F@EXCHANGE.Syracuse.Local>

Drew,

Right (I have to use ip route-cache because the ip flow ingress command does not work, might be our version,) however I still would need to the export command to let it know where to send the data to.
Once I do the export on the two different vlans (will be more) it comes in the netflow program I am using as 2 different sources.

From jof at thejof.com Mon Mar 8 13:06:58 2010
From: jof at thejof.com (Jonathan Lassoff)
Date: Mon Mar 8 13:07:18 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B25@EXCHANGE.Syracuse.Local>
References: <085C512A01485B478CD34223F939F91901981B25@EXCHANGE.Syracuse.Local>
Message-ID: <1268071324-sup-408@sfo.thejof.com>

Excerpts from Travis Formoso's message of Mon Mar 08 08:30:05 -0800 2010:
> Hey Greg,
>
> On the 6509 there is currently no loopback interface so I will need to
> set this up.

You could also use whatever IP interface you use to manage the device with. You'll need some sort of routing (dynamic or otherwise) pointing routes for your loopback address at your 6509, so unless you already have dynamic routing setup, I would recommend using a port just for management traffic? Depending on the supervisor module you have, there may be a built-in interface on there that wont burn up any ports on your linecards.

> What should the loopback interface look like?
>
> Also once I set it to this loopback I will not need to export to the
> VLAN's as this would monitor all the ports?

Netflow summarizes some of the traffic flows in a hardware table. Most basically, the "export" process of this is just to package up binary descriptions of this table's contents and put them in UDP packets fired off at a configurable receiver to process these exported flow table entries.

So, if you're using a loopback source, you can export flows for all the interfaces on your router from a single source. That way, you can re-configure customer VLANs at will without interrupting your flow exports.

Cheers,
jonathan

From drew.weaver at thenap.com Mon Mar 8 13:10:03 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon Mar 8 13:10:09 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B2F@EXCHANGE.Syracuse.Local>
References: <085C512A01485B478CD34223F939F91901981B2F@EXCHANGE.Syracuse.Local>
Message-ID:

You're supposed to specify multiple interfaces that you want to export the data for, not multiple exporters.

You don't specify the source for each one, its the same source.
-Drew

From jof at thejof.com Mon Mar 8 13:14:34 2010
From: jof at thejof.com (Jonathan Lassoff)
Date: Mon Mar 8 13:14:52 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B2F@EXCHANGE.Syracuse.Local>
References: <085C512A01485B478CD34223F939F91901981B2F@EXCHANGE.Syracuse.Local>
Message-ID: <1268071671-sup-5917@sfo.thejof.com>

Excerpts from Travis Formoso's message of Mon Mar 08 10:05:56 -0800 2010:
> Drew,
>
> Right (I have to use ip route-cache because the ip flow ingress command
> does not work, might be our version,) however I still would need to the
> export command to let it know where to send the data to.
>
> Once I do the export on the two different vlans (will be more) it comes
> in the netflow program I am using as 2 different sources.

Use a single "ip flow-export destination ..." line. This should send all the flows in the table, not just ones for a certain interface -- I believe.

For example, if I had VLANs 10 and 11 as customer interfaces, and Gi5/1 as a management interface.

interface Gi5/1
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip route-cache flow
 no shutdown
!
interface Vlan11
 ip address 192.168.11.1 255.255.255.0
 ip route-cache flow
 no shutdown
!
mls nde sender version 5
mls flow ip interface-full
mls nde interface
ip flow-export source Gi5/1
ip flow-export destination 10.0.0.2 2055

With a configuration like this, I believe 10.0.0.2 should receive flow information for hosts on both Vlan10 and Vlan11 on UDP port 2055.

Does this help?

Cheers,
jonathan

P.S. In regards to your license limitation, I've had luck using the flow-fanout utility to multiplex multiple netflow exporters into what will appear to be a single stream. You would have to be using an application that relies on the netflow content to differentiate users and applications, since you wont be able to easily tell which router the export is coming from.

From mitchell at ucar.edu Mon Mar 8 13:24:24 2010
From: mitchell at ucar.edu (David Mitchell)
Date: Mon Mar 8 13:24:28 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B2F@EXCHANGE.Syracuse.Local>
References: <085C512A01485B478CD34223F939F91901981B2F@EXCHANGE.Syracuse.Local>
Message-ID: <4B9540D8.50205@ucar.edu>

Travis Formoso wrote:
> Drew,
>
> Right (I have to use ip route-cache because the ip flow ingress command
> does not work, might be our version,) however I still would need to the
> export command to let it know where to send the data to.

The 'ip flow-export' commands are all global and only need to be specified once no matter how many interfaces you are monitoring. Netflow export has two main pieces of configuration. The per-interface configuration which gets data into the flow cache is one piece. It is repeated multiple times. The other piece is the configuration for where to send the data from the flow cache. Normally, it is only specified once. It is possible to have multiple netflow analysis servers which each get copies of the data, but it doesn't sound like that's your situation.
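
Added example, not part of any message in this thread: a small NetFlow v5 decoder and collector in Python that shows what the replies above describe. One export stream carries flows for every monitored interface (told apart by the input ifIndex in each record), while a collector that keys exporters on the UDP source address counts a new source when `ip flow-export source` changes. The collector behaviour, the ifIndex values 10 and 11, and the sample datagrams are assumptions constructed for illustration; the thread does not name the collector product.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout: 24-byte header, then 1..30 records of 48 bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def parse_v5(datagram):
    """Decode one v5 export datagram; raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("implausible record count %d" % count)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match record count")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "input_if": f[3], "output_if": f[4],
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows


def build_v5(flow_sequence, flows):
    """Build a constructed v5 datagram for the demo (not captured traffic)."""
    out = V5_HEADER.pack(5, len(flows), 0, 0, 0, flow_sequence, 0, 0, 0)
    for src, dst, input_if, octets in flows:
        out += V5_RECORD.pack(
            IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
            input_if, 0,        # input / output ifIndex
            1, octets, 0, 0,    # packets, octets, first, last
            40000, 443,         # source / destination port
            0, 0, 6, 0,         # pad, TCP flags, protocol (TCP), ToS
            0, 0, 24, 0, 0)     # src AS, dst AS, src mask, dst mask, pad
    return out


class Collector:
    """Hypothetical collector: an exporter is the UDP source address."""

    def __init__(self):
        self.by_exporter = defaultdict(lambda: defaultdict(int))
        self.rejected = 0

    def receive(self, exporter_ip, datagram):
        try:
            flows = parse_v5(datagram)
        except ValueError:
            self.rejected += 1  # never trust unauthenticated UDP input
            return
        for flow in flows:
            self.by_exporter[exporter_ip][flow["input_if"]] += flow["octets"]

    def sources(self):
        return sorted(self.by_exporter)


def demo():
    # ifIndex 10 and 11 are constructed stand-ins for Vlan10 and Vlan11.
    d1 = build_v5(0, [("192.168.10.5", "198.51.100.7", 10, 1500),
                      ("192.168.11.9", "198.51.100.7", 11, 900)])
    d2 = build_v5(2, [("192.168.10.6", "198.51.100.8", 10, 500)])

    # Export source pinned to one interface address (Gi5/1 in the example).
    fixed = Collector()
    fixed.receive("10.0.0.1", d1)
    fixed.receive("10.0.0.1", d2)
    fixed.receive("10.0.0.1", d2[:-1])  # truncated datagram is rejected

    # Export source switched from Vlan10 to Vlan11 between datagrams.
    moving = Collector()
    moving.receive("192.168.10.1", d1)
    moving.receive("192.168.11.1", d2)
    return fixed, moving


if __name__ == "__main__":
    fixed, moving = demo()
    print("fixed source :", fixed.sources(), dict(fixed.by_exporter["10.0.0.1"]))
    print("moving source:", moving.sources())
```
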

-David Mitchell

>
> Once I do the export on the two different vlans (will be more) it comes
> in the netflow program I am using as 2 different sources.
>
> -----Original Message-----
> From: Drew Weaver [mailto:drew.weaver@thenap.com]
> Sent: Monday, March 08, 2010 1:03 PM
> To: Travis Formoso
> Cc: flow-tools@list.splintered.net
> Subject: RE: [Flow-tools] Setting up NetFlow on 6509
>
> You just add the ip route-cache flow or ip flow ingress on each
> interface you want monitored.
>
> -----Original Message-----
> From: flow-tools-bounces@list.splintered.net
> [mailto:flow-tools-bounces@list.splintered.net] On Behalf Of Travis
> Formoso
> Sent: Monday, March 08, 2010 1:00 PM
> To: David Mitchell
> Cc: flow-tools@list.splintered.net
> Subject: RE: [Flow-tools] Setting up NetFlow on 6509
>
> David,
>
> If I wanted to add a second VLAN I would do:
>
> Ip flow-export source vlan11 etc..
>
> Once I do that it adds it as a second 'source.' I want to be able to
> monitor the 6509 with all VLANS and have it read as once source, because
> I am only licensed for 5 sources, however a source is considered a
> router/switch, but when I set this up with the VLAN's as above, they
> come in as separate sources.
>
> Is there another way to do it that I am missing?
>
> Thank you
>
> -----Original Message-----
> From: David Mitchell [mailto:mitchell@ucar.edu]
> Sent: Monday, March 08, 2010 12:55 PM
> To: Travis Formoso
> Cc: flow-tools@list.splintered.net
> Subject: Re: [Flow-tools] Setting up NetFlow on 6509
>
> Travis,
>
> when you add the second VLAN to monitor, do you add an additional source
> command?
>
>> ip flow-export source vlan10
>
> You only need this command once. You also don't need it to be a
> loopback. If you have a loopback, then it's a good choice to use. But
> you don't need to create one just for this. All this command does is
> tell IOS what source address to use in outgoing netflow data packets.
> You could probably get away with not specify it at all, but then there
> is a chance that unrelated configuration changes would affect your
> netflow exports.
>
> -David Mitchell
>
> Travis Formoso wrote:
>> Greg,
>>
>> We are not running IOS-XR, however this is almost the same and I can
>> set this up.
>>
>> With the loopback0 interface setup what are the commands I need to
>> run, so that I am monitoring this device correctly with netflow? Would it be:
>>
>> ip flow-export source loopback0
>> ip flow-export version 5
>> ip flow-export destination 172.20.200.50
>>
>> Now I configure netflow for switched traffic:
>> mls nde sender version 5
>> mls flow ip interface-full
>> mls nde interface
>>
>> On the interface (loopback0): (Not sure if this is needed for the
>> loopback interface?) ip route-cache flow
>>
>> Thanks for the help.
>>
>> ________________________________
>>
>> From: Volk,Gregory B [mailto:greg.volk@edwardjones.com]
>> Sent: Monday, March 08, 2010 11:50 AM
>> To: Travis Formoso; flow-tools@list.splintered.net
>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509
>>
>>> What should the loopback interface look like?
>>>
>>
>> Here's what one of mine looks like, but it requires some config
>> integration with OSPF, assuming you're running OSPF.
>>
>> router#sho run int lo0
>> Building configuration...
>>
>> Current configuration : 128 bytes
>> !
>> interface Loopback0
>>  description *** MANAGEMENT & OSPF ID ***
>>  ip address 10.130.25.1 255.255.255.255
>>  ip pim sparse-mode
>> end
>>
>> router#
>>
>> This doc from cisco...
>> http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/interfaces/configuration/guide/hc3loop.html
>> ...may help, but it's for IOS-XR.
>>
>> ________________________________
>>
>> From: Travis Formoso [mailto:tformoso@Syracuse.com]
>> Sent: Monday, March 08, 2010 10:30 AM
>> To: Volk,Gregory B; flow-tools@list.splintered.net
>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509
>>
>> Hey Greg,
>>
>> On the 6509 there is currently no loopback interface so I will need
>> to set this up.
>>
>> What should the loopback interface look like?
>>
>> Also once I set it to this loopback I will not need to export to the
>> VLAN's as this would monitor all the ports?
>>
>> Thanks
>>
>> ________________________________
>>
>> From: Volk,Gregory B [mailto:greg.volk@edwardjones.com]
>> Sent: Monday, March 08, 2010 11:19 AM
>> To: Travis Formoso; flow-tools@list.splintered.net
>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509
>>
>> Have you tried setting the source to a non-vlan (physical or
>> loopback) interface like:
>>
>> ip flow-export source Loopback0
>>
>> I don't know if that will fix your issue, but I always source my
>> netflow data from a loopback interface that is dedicated for
>> management traffic.
>>
>> If you are not the intended recipient of this message (including
>> attachments), or if you have received this message in error,
>> immediately notify us and delete it and any attachments. If you no
>> longer wish to receive e-mail from Edward Jones, please send this
>> request to messages@edwardjones.com. You must include the e-mail
>> address that you wish not to receive e-mail communications. For
>> important additional information related to this e-mail, visit
>> www.edwardjones.com/US_email_disclosure
>>
>> ________________________________
>>
>> From: flow-tools-bounces@list.splintered.net
>> [mailto:flow-tools-bounces@list.splintered.net] On Behalf Of Travis
>> Formoso
>> Sent: Monday, March 08, 2010 9:47 AM
>> To: flow-tools@list.splintered.net
>> Subject: [Flow-tools] Setting up NetFlow on 6509
>>
>> Hello all,
>>
>> I am trying to setup a NetFlow product on our 6509. We have a number
>> of different VLAN's across our network and I think I would want to
>> monitor those VLAN's and that should capture the traffic on the
>> 6509 (correct me if I am wrong.) The way the product is licensed is by
>> source (a source is a router or switch.) When I try to setup netflow
>> each VLAN comes in as a different source and I would like it if I can
>> use the 6509 as just once source. Here are the commands I am using to
>> set this up.
>>
>> in configuration mode:
>>
>> ip flow-export source vlan10
>> ip flow-export version 5
>> ip flow-export destination 172.20.200.50
>>
>> Now I configure netflow for switched traffic:
>> mls nde sender version 5
>> mls flow ip interface-full
>> mls nde interface
>>
>> On the interface (vlan 10):
>> ip route-cache flow
>>
>> After doing that I see that incoming traffic is being monitored by
>> NetFlow, however as said that interface (VLAN) is coming in as a
>> source, so if I configure another VLAN I now have 2 sources, but I
>> would like to set this up so the 6509 is just one source, monitoring
>> all the VLAN's.
>>
>> I wanted to know if these commands are correct, if I should be
>> monitoring the VLAN's and if anyone knows how to set this up as
>> explained above with the 6509 as one source.
>>
>> Thank you,
>>
>> Travis
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Flow-tools mailing list
>> flow-tools@splintered.net
>> http://mailman.splintered.net/mailman/listinfo/flow-tools
>
> --
> -----------------------------------------------------------------
> | David Mitchell (mitchell@ucar.edu) Network Engineer IV |
> | Tel: (303) 497-1845 National Center for |
> | FAX: (303) 497-1818 Atmospheric Research |
> -----------------------------------------------------------------
> _______________________________________________
> Flow-tools mailing list
> flow-tools@splintered.net
> http://mailman.splintered.net/mailman/listinfo/flow-tools
> _______________________________________________
> Flow-tools mailing list
> flow-tools@splintered.net
> http://mailman.splintered.net/mailman/listinfo/flow-tools

--
-----------------------------------------------------------------
| David Mitchell (mitchell@ucar.edu) Network Engineer IV |
| Tel: (303) 497-1845 National Center for |
| FAX: (303) 497-1818 Atmospheric Research |
-----------------------------------------------------------------

From tformoso at Syracuse.com Mon Mar 8 13:30:03 2010
From: tformoso at Syracuse.com (Travis Formoso)
Date: Mon Mar 8 13:30:07 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <4B9540D8.50205@ucar.edu>
Message-ID: <085C512A01485B478CD34223F939F91901981B30@EXCHANGE.Syracuse.Local>

OK I am starting to understand this. The problem is that I did use the
export command for each VLAN so that caused them to come in as different
sources.

So for each interface (VLANS in this case) I would need to do:

ip route-cache flow

And then use the export command once to reach where I am collecting
data. The question I have is when I use this command:

"ip flow-export source" what is the interface I will use at the end of
that command?
Or do I just need to do:

ip flow-export destination?

Thanks

-----Original Message-----
From: David Mitchell [mailto:mitchell@ucar.edu]
Sent: Monday, March 08, 2010 1:24 PM
To: Travis Formoso
Cc: Drew Weaver; flow-tools@list.splintered.net
Subject: Re: [Flow-tools] Setting up NetFlow on 6509

Travis Formoso wrote:
> Drew,
>
> Right (I have to use ip route-cache because the ip flow ingress
> command does not work, might be our version,) however I still would
> need to the export command to let it know where to send the data to.

The 'ip flow-export' commands are all global and only need to be
specified once no matter how many interfaces you are monitoring. Netflow
export has two main pieces of configuration. The per-interface
configuration which gets data into the flow cache is one piece. It is
repeated multiple times. The other piece is the configuration for where
to send the data from the flow cache. Normally, it is only specified
once. It is possible to have multiple netflow analysis servers which
each get copies of the data, but it doesn't sound like that's your
situation.

-David Mitchell

>
> Once I do the export on the two different vlans (will be more) it
> comes in the netflow program I am using as 2 different sources.
>
> -----Original Message-----
> From: Drew Weaver [mailto:drew.weaver@thenap.com]
> Sent: Monday, March 08, 2010 1:03 PM
> To: Travis Formoso
> Cc: flow-tools@list.splintered.net
> Subject: RE: [Flow-tools] Setting up NetFlow on 6509
>
> You just add the ip route-cache flow or ip flow ingress on each
> interface you want monitored.
>
> -----Original Message-----
> From: flow-tools-bounces@list.splintered.net
> [mailto:flow-tools-bounces@list.splintered.net] On Behalf Of Travis
> Formoso
> Sent: Monday, March 08, 2010 1:00 PM
> To: David Mitchell
> Cc: flow-tools@list.splintered.net
> Subject: RE: [Flow-tools] Setting up NetFlow on 6509
>
> David,
>
> If I wanted to add a second VLAN I would do:
>
> Ip flow-export source vlan11 etc..
-----------------------------------------------------------------

From tformoso at Syracuse.com Mon Mar 8 13:31:27 2010
From: tformoso at Syracuse.com (Travis Formoso)
Date: Mon Mar 8 13:31:29 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <1268071671-sup-5917@sfo.thejof.com>
Message-ID: <085C512A01485B478CD34223F939F91901981B31@EXCHANGE.Syracuse.Local>

Jonathan,

Yes starting to make sense. I just started using the 6509's so trying to
get used to them. I am not sure what the management interfaces are as
they are not labeled in the configuration file, but I understand what
you are saying.

-----Original Message-----
From: Jonathan Lassoff [mailto:jof@thejof.com]
Sent: Monday, March 08, 2010 1:15 PM
To: Travis Formoso
Cc: Drew Weaver; flow-tools
Subject: RE: [Flow-tools] Setting up NetFlow on 6509

Excerpts from Travis Formoso's message of Mon Mar 08 10:05:56 -0800 2010:
> Drew,
>
> Right (I have to use ip route-cache because the ip flow ingress
> command does not work, might be our version,) however I still would
> need to the export command to let it know where to send the data to.
>
> Once I do the export on the two different vlans (will be more) it
> comes in the netflow program I am using as 2 different sources.

Use a single "ip flow-export destination ..." line. This should send all
the flows in the table, not just ones for a certain interface -- I
believe.

For example, if I had VLANs 10 and 11 as customer interfaces, and Gi5/1
as a management interface.

interface Gi5/1
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip route-cache flow
 no shutdown
!
interface Vlan11
 ip address 192.168.11.1 255.255.255.0
 ip route-cache flow
 no shutdown
!
mls nde sender version 5
mls flow ip interface-full
mls nde interface
ip flow-export source Gi5/1
ip flow-export destination 10.0.0.2 2055

With a configuration like this, I believe 10.0.0.2 should receive flow
information for hosts on both Vlan10 and Vlan11 on UDP port 2055.

Does this help?

Cheers,
jonathan

P.S. In regards to your license limitation, I've had luck using the
flow-fanout utility to multiplex multiple netflow exporters into what
will appear to be a single stream. You would have to be using an
application that relies on the netflow content to differentiate users
and applications, since you won't be able to easily tell which router
the export is coming from.

From mitchell at ucar.edu Mon Mar 8 13:36:19 2010
From: mitchell at ucar.edu (David Mitchell)
Date: Mon Mar 8 13:36:23 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <085C512A01485B478CD34223F939F91901981B30@EXCHANGE.Syracuse.Local>
References: <085C512A01485B478CD34223F939F91901981B30@EXCHANGE.Syracuse.Local>
Message-ID: <4B9543A3.1060604@ucar.edu>

Travis Formoso wrote:
> OK I am starting to understand this. The problem is that I did use the
> export command for each VLAN so that caused them to come in as different
> sources.
>
> So for each interface (VLANS in this case) I would need to do:
>
> ip route-cache flow
>
> And then use the export command once to reach where I am collecting
> data. The question I have is when I use this command:
>
> "ip flow-export source" what is the interface I will use at the end of
> that command? Or do I just need to do:

It doesn't actually matter much what you use as the source address. Its
only significance is really that that's how your receiver is going to
organize the data. You don't want to have to change the source address
in the future, so pick an interface you don't expect will ever move or
go away. That's why most of us use our loopbacks, because they don't
tend to change as subnets come and go.
But really, in your case, just pick something and don't sweat it too
much.

-David Mitchell

>
> ip flow-export destination?
>
> Thanks
>
> -----Original Message-----
> From: David Mitchell [mailto:mitchell@ucar.edu]
> Sent: Monday, March 08, 2010 1:24 PM
> To: Travis Formoso
> Cc: Drew Weaver; flow-tools@list.splintered.net
> Subject: Re: [Flow-tools] Setting up NetFlow on 6509
>
> Travis Formoso wrote:
>> Drew,
>>
>> Right (I have to use ip route-cache because the ip flow ingress
>> command does not work, might be our version,) however I still would
>> need to the export command to let it know where to send the data to.
>
> The 'ip flow-export' commands are all global and only need to be
> specified once no matter how many interfaces you are monitoring. Netflow
> export has two main pieces of configuration. The per-interface
> configuration which gets data into the flow cache is one piece. It is
> repeated multiple times. The other piece is the configuration for where
> to send the data from the flow cache. Normally, it is only specified
> once. It is possible to have multiple netflow analysis servers which
> each get copies of the data, but it doesn't sound like that's your
> situation.
>
> -David Mitchell
>
>> Once I do the export on the two different vlans (will be more) it
>> comes in the netflow program I am using as 2 different sources.
>>
>> -----Original Message-----
>> From: Drew Weaver [mailto:drew.weaver@thenap.com]
>> Sent: Monday, March 08, 2010 1:03 PM
>> To: Travis Formoso
>> Cc: flow-tools@list.splintered.net
>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509
>>
>> You just add the ip route-cache flow or ip flow ingress on each
>> interface you want monitored.
>>> Here are the commands I am using to set this up.
>>>
>>> in configuration mode:
>>>
>>> ip flow-export source vlan10
>>> ip flow-export version 5
>>> ip flow-export destination 172.20.200.50
>>>
>>> Now I configure netflow for switched traffic:
>>> mls nde sender version 5
>>> mls flow ip interface-full
>>> mls nde interface
>>>
>>> On the interface (vlan 10):
>>> ip route-cache flow
>>>
>>> After doing that I see that incoming traffic is being monitored by
>>> NetFlow, however as said that interface (VLAN) is coming in as a
>>> source, so if I configure another VLAN I now have 2 sources, but I
>>> would like to set this up so the 6509 is just one source, monitoring
>>> all the VLAN's.
>>>
>>> I wanted to know if these commands are correct, if I should be
>>> monitoring the VLAN's and if anyone knows how to set this up as
>>> explained above with the 6509 as one source.
>>>
>>> Thank you,
>>>
>>> Travis
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Flow-tools mailing list
>>> flow-tools@splintered.net
>>> http://mailman.splintered.net/mailman/listinfo/flow-tools
>>
>> --
>> -----------------------------------------------------------------
>> | David Mitchell (mitchell@ucar.edu) Network Engineer IV |
>> | Tel: (303) 497-1845 National Center for |
>> | FAX: (303) 497-1818 Atmospheric Research |
>> -----------------------------------------------------------------
>> _______________________________________________
>> Flow-tools mailing list
>> flow-tools@splintered.net
>> http://mailman.splintered.net/mailman/listinfo/flow-tools
>> _______________________________________________
>> Flow-tools mailing list
>> flow-tools@splintered.net
>> http://mailman.splintered.net/mailman/listinfo/flow-tools
>
> --
> -----------------------------------------------------------------
> | David Mitchell (mitchell@ucar.edu) Network Engineer IV |
> | Tel: (303) 497-1845 National Center for |
> | FAX: (303) 497-1818 Atmospheric Research |
> -----------------------------------------------------------------

--
-----------------------------------------------------------------
| David Mitchell (mitchell@ucar.edu) Network Engineer IV |
| Tel: (303) 497-1845 National Center for |
| FAX: (303) 497-1818 Atmospheric Research |
-----------------------------------------------------------------

From tformoso at Syracuse.com Mon Mar 8 13:47:08 2010
From: tformoso at Syracuse.com (Travis Formoso)
Date: Mon Mar 8 13:47:12 2010
Subject: [Flow-tools] Setting up NetFlow on 6509
In-Reply-To: <4B9543A3.1060604@ucar.edu>
Message-ID: <085C512A01485B478CD34223F939F91901981B33@EXCHANGE.Syracuse.Local>

OK I see thanks David. Let me set this up and give it a try, I will let
you know how it works out.

Thanks to everyone for all the help.

-----Original Message-----
From: David Mitchell [mailto:mitchell@ucar.edu]
Sent: Monday, March 08, 2010 1:36 PM
To: Travis Formoso
Cc: Drew Weaver; flow-tools@list.splintered.net
Subject: Re: [Flow-tools] Setting up NetFlow on 6509

Travis Formoso wrote:
> OK I am starting to understand this. The problem is that I did use the
> export command for each VLAN so that caused them to come in as
> different sources.
>
> So for each interface (VLANS in this case) I would need to do:
>
> ip route-cache flow
>
> And then use the export command once to reach where I am collecting
> data. The question I have is when I use this command:
>
> "ip flow-export source" what is the interface I will use at the end of
> that command? Or do I just need to do:

It doesn't actually matter much what you use as the source address. Its
only significance is really that that's how your receiver is going to
organize the data. You don't want to have to change the source address
in the future, so pick an interface you don't expect will ever move or
go away.
That's why most of us use our loopbacks, because they don't tend to
change as subnets come and go. But really, in your case, just pick
something and don't sweat it too much.

-David Mitchell

>
> ip flow-export destination?
>
> Thanks
>
> -----Original Message-----
> From: David Mitchell [mailto:mitchell@ucar.edu]
> Sent: Monday, March 08, 2010 1:24 PM
> To: Travis Formoso
> Cc: Drew Weaver; flow-tools@list.splintered.net
> Subject: Re: [Flow-tools] Setting up NetFlow on 6509
>
> Travis Formoso wrote:
>> Drew,
>>
>> Right (I have to use ip route-cache because the ip flow ingress
>> command does not work, might be our version,) however I still would
>> need to the export command to let it know where to send the data to.
>
> The 'ip flow-export' commands are all global and only need to be
> specified once no matter how many interfaces you are monitoring.
> Netflow export has two main pieces of configuration. The per-interface
> configuration which gets data into the flow cache is one piece. It is
> repeated multiple times. The other piece is the configuration for
> where to send the data from the flow cache. Normally, it is only
> specified once. It is possible to have multiple netflow analysis
> servers which each get copies of the data, but it doesn't sound like
> that's your situation.
>
> -David Mitchell
>
>> Once I do the export on the two different vlans (will be more) it
>> comes in the netflow program I am using as 2 different sources.
>>
>> -----Original Message-----
>> From: Drew Weaver [mailto:drew.weaver@thenap.com]
>> Sent: Monday, March 08, 2010 1:03 PM
>> To: Travis Formoso
>> Cc: flow-tools@list.splintered.net
>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509
>>
>> You just add the ip route-cache flow or ip flow ingress on each
>> interface you want monitored.
>> >> >> >> -----Original Message----- >> From: flow-tools-bounces@list.splintered.net >> [mailto:flow-tools-bounces@list.splintered.net] On Behalf Of Travis >> Formoso >> Sent: Monday, March 08, 2010 1:00 PM >> To: David Mitchell >> Cc: flow-tools@list.splintered.net >> Subject: RE: [Flow-tools] Setting up NetFlow on 6509 >> >> David, >> >> If I wanted to add a second VLAN I would do: >> >> Ip flow-export source vlan11 etc.. >> >> Once I do that it adds it as a second 'source.' I want to be able to >> monitor the 6509 with all VLANS and have it read as one source, >> because I am only licensed for 5 sources, however a source is >> considered a router/switch, but when I set this up with the VLAN's as >> above, they come in as separate sources. >> >> Is there another way to do it that I am missing? >> >> Thank you >> >> -----Original Message----- >> From: David Mitchell [mailto:mitchell@ucar.edu] >> Sent: Monday, March 08, 2010 12:55 PM >> To: Travis Formoso >> Cc: flow-tools@list.splintered.net >> Subject: Re: [Flow-tools] Setting up NetFlow on 6509 >> >> Travis, >> >> when you add the second VLAN to monitor, do you add an additional >> source command? >> >>> ip flow-export source vlan10 >> You only need this command once. You also don't need it to be a >> loopback. If you have a loopback, then it's a good choice to use. But >> you don't need to create one just for this. All this command does is >> tell IOS what source address to use in outgoing netflow data packets. >> You could probably get away with not specifying it at all, but then >> there > >> is a chance that unrelated configuration changes would affect your >> netflow exports. >> >> -David Mitchell >> >> >> >> Travis Formoso wrote: >>> Greg, >>> >>> We are not running IOS-XR, however this is almost the same and I can >>> set this up. >>> >>> With the loopback0 interface setup what are the commands I need to >>> run, so that I am monitoring this device correctly with netflow?
>>> Would >> it be: >>> >>> ip flow-export source loopback0 >>> ip flow-export version 5 >>> ip flow-export destination 172.20.200.50 >>> >>> Now I configure netflow for switched traffic: >>> mls nde sender version 5 >>> mls flow ip interface-full >>> mls nde interface >>> >>> On the interface (loopback0): (Not sure if this is needed for the >>> loopback interface?) ip route-cache flow >>> >>> Thanks for the help. >>> >>> ________________________________ >>> >>> From: Volk,Gregory B [mailto:greg.volk@edwardjones.com] >>> Sent: Monday, March 08, 2010 11:50 AM >>> To: Travis Formoso; flow-tools@list.splintered.net >>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509 >>> >>> >>>> What should the loopback interface look like? >>>> >>> >>> Here's what one of mine looks like, but it requires some config >>> integration with OSPF, assuming you're running OSPF. >>> >>> >>> router#sho run int lo0 >>> Building configuration... >>> >>> Current configuration : 128 bytes >>> ! >>> interface Loopback0 >>> description *** MANAGEMENT & OSPF ID *** >>> ip address 10.130.25.1 255.255.255.255 >>> ip pim sparse-mode >>> end >>> >>> router# >>> >>> >>> This doc from cisco... >>> http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/interfaces/configuration/guide/hc3loop.html ...may help, but it's for IOS-XR. >>> >>> >>> >>> >>> >>> >>> ________________________________ >>> >>> From: Travis Formoso [mailto:tformoso@Syracuse.com] >>> Sent: Monday, March 08, 2010 10:30 AM >>> To: Volk,Gregory B; flow-tools@list.splintered.net >>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509 >>> >>> >>> Hey Greg, >>> >>> On the 6509 there is currently no loopback interface so I will >> need >>> to set this up. >>> >>> What should the loopback interface look like? >>> >>> Also once I set it to this loopback I will not need to export to >> the >>> VLAN's as this would monitor all the ports?
>>> >>> Thanks >>> >>> ________________________________ >>> >>> From: Volk,Gregory B [mailto:greg.volk@edwardjones.com] >>> Sent: Monday, March 08, 2010 11:19 AM >>> To: Travis Formoso; flow-tools@list.splintered.net >>> Subject: RE: [Flow-tools] Setting up NetFlow on 6509 >>> >>> >>> Have you tried setting the source to a non-vlan (physical or >>> loopback) interface like: >>> >>> ip flow-export source Loopback0 >>> >>> I don't know if that will fix your issue, but I always source my >>> netflow data from a loopback interface that is dedicated for >>> management traffic. >>> >>> >>> >>> >>> >>> If you are not the intended recipient of this message >> (including >>> attachments), or if you have received this message in error, >>> immediately notify us and delete it and any attachments. If you no >>> longer wish to receive e-mail from Edward Jones, please send this >>> request to messages@edwardjones.com. You must include the e-mail >>> address that you wish not to receive e-mail communications. For >>> important additional information related to this e-mail, visit >>> www.edwardjones.com/US_email_disclosure >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> ________________________________ >>> >>> From: flow-tools-bounces@list.splintered.net >>> [mailto:flow-tools-bounces@list.splintered.net] On Behalf Of Travis >>> Formoso >>> Sent: Monday, March 08, 2010 9:47 AM >>> To: flow-tools@list.splintered.net >>> Subject: [Flow-tools] Setting up NetFlow on 6509 >>> >>> >>> Hello all, >>> >>> I am trying to setup a NetFlow product on our 6509. We >> have a number >>> of different VLAN's across our network and I think I would want to >>> monitor those VLAN's and that should capture the traffic on the >>> 6509 (correct me if I am wrong.) The way the product is licensed is >>> by source (a source is a router or switch.) When I try to setup >>> netflow each VLAN comes in as a different source and I would like it >>> if I can > >>> use the 6509 as just one source.
Here are the commands I am using >>> to > >>> set this up. >>> >>> in configuration mode: >>> >>> ip flow-export source vlan10 >>> ip flow-export version 5 >>> ip flow-export destination 172.20.200.50 >>> >>> Now I configure netflow for switched traffic: >>> mls nde sender version 5 >>> mls flow ip interface-full >>> mls nde interface >>> >>> On the interface (vlan 10): >>> ip route-cache flow >>> >>> After doing that I see that incoming traffic is being >> monitored by >>> NetFlow, however as said that interface (VLAN) is coming in as a >>> source, so if I configure another VLAN I now have 2 sources, but I >>> would like to set this up so the 6509 is just one source, monitoring >>> all the VLAN's. >>> >>> I wanted to know if these commands are correct, if I >> should be >>> monitoring the VLAN's and if anyone knows how to set this up as >>> explained above with the 6509 as one source. >>> >>> Thank you, >>> >>> Travis >>> >>> >>> >>> >>> >>> -------------------------------------------------------------------- >>> - >>> - >>> -- >>> >>> _______________________________________________ >>> Flow-tools mailing list >>> flow-tools@splintered.net >>> http://mailman.splintered.net/mailman/listinfo/flow-tools >> >> -- >> ----------------------------------------------------------------- >> | David Mitchell (mitchell@ucar.edu) Network Engineer IV | >> | Tel: (303) 497-1845 National Center for | >> | FAX: (303) 497-1818 Atmospheric Research | >> ----------------------------------------------------------------- >> _______________________________________________ >> Flow-tools mailing list >> flow-tools@splintered.net >> http://mailman.splintered.net/mailman/listinfo/flow-tools >> _______________________________________________ >> Flow-tools mailing list >> flow-tools@splintered.net >> http://mailman.splintered.net/mailman/listinfo/flow-tools > > > -- > ----------------------------------------------------------------- > | David Mitchell (mitchell@ucar.edu) Network Engineer IV | 
> | Tel: (303) 497-1845 National Center for | > | FAX: (303) 497-1818 Atmospheric Research | > ----------------------------------------------------------------- -- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | ----------------------------------------------------------------- From tformoso at Syracuse.com Tue Mar 9 09:13:41 2010 From: tformoso at Syracuse.com (Travis Formoso) Date: Tue Mar 9 09:13:46 2010 Subject: [Flow-tools] Setting up NetFlow on 6509 In-Reply-To: <1268084116-sup-3636@sfo.thejof.com> Message-ID: <085C512A01485B478CD34223F939F91901981B3F@EXCHANGE.Syracuse.Local> Hey Jon, I did what you said this morning and set this up as follows: mls netflow mls flow ip full mls nde sender version 5 ip flow-export source Vlan20 ip flow-export destination 172.20.200.51 XXXX interface Vlan110 ip route-cache flow ! interface Vlan200 ip route-cache flow When I went to the server that has the software for Flow it has a source of 172.20.142.3 (which I am not sure what that is, but that is just the source so it should be OK.) There is no incoming traffic (is that the way it should be?) And the outgoing traffic is 4235 flows per minute and collecting data which is cool :P So right now I just see outgoing traffic and none incoming, but should I be monitoring both? Also as far as monitoring the VLANS, should I monitor between VLAN14 (firewall) and VLAN200 or keep it between VLAN110 and VLAN200? Thanks everyone appreciate the help, we are getting there.
-----Original Message----- From: Jonathan Lassoff [mailto:jof@thejof.com] Sent: Monday, March 08, 2010 4:38 PM To: Travis Formoso Subject: RE: [Flow-tools] Setting up NetFlow on 6509 Excerpts from Travis Formoso's message of Mon Mar 08 12:57:21 -0800 2010: > The address of the analyzer machine is 172.20.200.51 on VLAN 20, so > how would that affect the commands below? ip flow-export source Vlan20 ip flow-export destination 172.20.200.51 XXXX > I tried the ip flow ingress layer2-switched vlan command but it does > not recognize it, could be the ios version. The version and PFC / MSFC versions will matter as well. If you have access, the Cisco docs explain this far more succinctly than I can. --j From drew.weaver at thenap.com Fri Mar 19 11:07:57 2010 From: drew.weaver at thenap.com (Drew Weaver) Date: Fri Mar 19 11:08:03 2010 Subject: [Flow-tools] 1969-12-31 Unixtime 0 CUFlow.pl Message-ID: Hi, drwxr-xr-x 4 root root 4096 Mar 19 09:58 1969-12-31 -rw-r--r-- 1 root root 33331 Mar 19 11:10 overall.html lrwxrwxrwx 1 root root 51 Mar 19 11:10 toptalkers.html -> /var/netflow/scoreboard/1969-12-31/18/18:59:59.html I am finally getting somewhere with my flowscan, flow-tools, CUFlow installation (after a long time trying). I notice that the CUFlow top talkers isn't really working correctly, it seems like some sort of file time issue. Does anyone know how to correct this? -Drew From ctracy at es.net Tue Mar 23 18:03:34 2010 From: ctracy at es.net (Chris Tracy) Date: Tue Mar 23 18:03:41 2010 Subject: [Flow-tools] flow-xlate known bug Message-ID: The bottom of the flow-xlate manpage states (in the BUGS section): "The scale option can overflow the 32 bit flow counters. This could be solved by detecting this condition and splitting the flow in two."
Does anybody on the list know of any patches that implement the proposed solution above? With 1:100 sampling and 60 second active flow timeout, in combination with a 'scale 100' xlate-action, a single flow over 4GB inside the 60 second period causes the counter to overflow (e.g. send ~600Mbps for 60 sec, ~1200Mbps for 30 sec, etc) For example, sending 1200Mbps for 30 seconds will generate > 4GB in a single flow and cause an overflow: % bwctl -c 10.1.1.2 -t 30 -x -u -b 1200M ... [ ID] Interval Transfer Bandwidth [ 9] 0.0-30.0 sec 4899999510 Bytes 1306666275 bits/sec [ 9] Sent 3333333 datagrams At the ingress router: 0323.13:01:26.872 0323.13:01:29.977 171 10.0.0.1 5026 120 10.1.1.2 5026 17 0 312,800 457,939,200 0323.13:01:29.927 0323.13:01:57.163 171 10.0.0.1 5026 120 10.1.1.2 5026 17 0 2,680,500 3,924,252,000 At the egress router: 0323.13:01:27.124 0323.13:01:57.125 122 10.0.0.1 5026 172 10.1.1.2 5026 17 0 2,991,600 84,735,104 At the ingress router, the flow was broken up into 2 flows because the first portion of the flow was exported before the end of the 30 second test. However, we were not so lucky on the egress router. The packet counts are correct (all of the packets in this test were 1470 byte UDP packets), but clearly the bytes counter overflowed. Thanks, -Chris From i at stingr.net Tue Mar 23 18:17:15 2010 From: i at stingr.net (Paul Komkoff) Date: Tue Mar 23 18:17:18 2010 Subject: [Flow-tools] flow-xlate known bug In-Reply-To: References: Message-ID: <715ea5c11003231517l4a902207neb5fd8fb72a53e0a@mail.gmail.com> On Tue, Mar 23, 2010 at 10:03 PM, Chris Tracy wrote: > Does anybody on the list know of any patches that implement the proposed solution above? If someone knows of those, I will happily include them into flow-tools.googlecode.com Otherwise I'm going to try fixing it myself. 
-- This message represents the official view of the voices in my head From Ken.Hagen at seattle.gov Mon Mar 29 12:14:55 2010 From: Ken.Hagen at seattle.gov (Hagen, Ken) Date: Mon Mar 29 12:15:07 2010 Subject: [Flow-tools] unsubscribe Message-ID: Ken Hagen CCNP Department of Information Technology City of Seattle W: (206) 386-1503 C: (206) 255-8391 E: ken.hagen@seattle.gov
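Added example (not flow-tools code and not from any list member), referring back to the "flow-xlate known bug" thread above: it reproduces the 32-bit wrap seen in the egress record and contrasts it with a 64-bit scale that splits the flow into as many records as needed, a generalization of the manpage's "splitting the flow in two". The struct, the function names and the pre-scale sample values (the egress packet count divided back by 100, at the 1464 bytes per packet the ingress records imply) are assumptions; timestamps are not split.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the two 32-bit counters of a NetFlow v5 record. */
struct flow_counters {
    uint32_t dPkts;    /* packets in the flow */
    uint32_t dOctets;  /* bytes in the flow */
};

/* Scaling done in 32 bits: a product above 2^32 - 1 wraps silently. */
static struct flow_counters scale_naive(struct flow_counters in, uint32_t scale)
{
    struct flow_counters out = { in.dPkts * scale, in.dOctets * scale };
    return out;
}

/*
 * Scale in 64 bits, then spread the totals over as many records as needed
 * for every counter to fit in 32 bits. Returns the number of records
 * written to out[], or 0 if max_out is too small.
 */
static size_t scale_split(struct flow_counters in, uint32_t scale,
                          struct flow_counters *out, size_t max_out)
{
    uint64_t pkts = (uint64_t)in.dPkts * scale;
    uint64_t octets = (uint64_t)in.dOctets * scale;
    uint64_t big = pkts > octets ? pkts : octets;
    uint64_t parts = big / UINT32_MAX + (big % UINT32_MAX != 0);

    if (parts == 0)
        parts = 1;                 /* an empty flow still yields one record */
    if (parts > max_out)
        return 0;
    for (uint64_t i = 0; i < parts; i++) {
        /* even shares; the first (total % parts) records get one extra */
        out[i].dPkts = (uint32_t)(pkts / parts + (i < pkts % parts));
        out[i].dOctets = (uint32_t)(octets / parts + (i < octets % parts));
    }
    return (size_t)parts;
}

int main(void)
{
    /* Constructed input: egress record before 'scale 100' (29,916 x 1464 B). */
    struct flow_counters sampled = { 29916u, 43797024u };
    struct flow_counters wrapped = scale_naive(sampled, 100);
    struct flow_counters parts[4];
    size_t n = scale_split(sampled, 100, parts, 4);

    printf("naive: %u pkts %u octets\n", (unsigned)wrapped.dPkts, (unsigned)wrapped.dOctets);
    for (size_t i = 0; i < n; i++)
        printf("split %zu: %u pkts %u octets\n", i, (unsigned)parts[i].dPkts, (unsigned)parts[i].dOctets);
    return 0;
}
```

A collector that sums the split records recovers the full scaled byte count, whereas the wrapped record under-reports it by exactly 2^32 bytes.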