[Nfdump-discuss] RE: [Nfsen-discuss] nfsen not showing appropriate traffic levels (fwd) (fwd)
From: Peter H. <ha...@sw...> - 2006-02-14 13:46:46
Just to let the list know about some Cisco 7609 issues, raised by
Berant.
- Peter
------------ Forwarded Message ------------
Date: February 14, 2006 8:25:03 -0500
From: "Lemmenes, Berant" <ble...@us...>
To: Simon Leinen <si...@li...>
Cc: Peter Haag <ha...@sw...>
Subject: RE: [Nfsen-discuss] nfsen not showing appropriate traffic levels (fwd)
Simon/Peter,
Let me say thank you both for the great response!
Our Cisco ASE hit me with the same clue stick about enabling it on the
PFC, as we were only seeing traffic that had to get kicked to the Route
Processor.
Thanks again for the quick and helpful response!
I'll give your timeouts a try, thanks for the tips.
-Berant
-----Original Message-----
From: Simon Leinen [mailto:si...@li...]
Sent: Tuesday, February 14, 2006 4:54 AM
To: Lemmenes, Berant
Cc: Peter Haag
Subject: Re: [Nfsen-discuss] nfsen not showing appropriate traffic
levels (fwd)
Berant,
on the 7609, you must make sure to enable "NDE" in addition to normal
Netflow export. NDE (Netflow Data Export) is the hardware variant of
Netflow export on the Catalyst 6500/7600 OSR. Here's a configuration
example:

    mls flow ip interface-full
    mls flow ipv6 interface-full
    mls nde sender version 5

(Note that IPv6 NDE isn't implemented yet, but it can still be useful
to be able to look at the "live" flows with "show mls netflow ipv6".)

On a busy router, consider aggressively timing out small flows. This
is what we use:

    mls aging fast time 4 threshold 2
    mls aging normal 32
    mls aging long 900

With this configuration (and assuming you didn't have it already), you
should see many more flows from your 7609. You still want the
"traditional" Netflow configuration, including "ip flow ingress" or
"ip route-cache flow" on every interface, so that you see
"software-switched" flows such as those that go to the router itself.
I assume this is the only traffic that you are seeing right now.
Regards,
--
Simon.
---------- End Forwarded Message ----------
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/
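
A way to check a saved configuration for the gap described in this thread, as an added example that is not part of the original messages or of nfdump/nfsen. The function name, the sample configuration and the rule that only interfaces with an IP address that are not shut down get checked are assumptions; the command strings are the ones quoted in Simon's message.

```python
import re

# Global NDE lines from the configuration example in the message above.
REQUIRED_GLOBAL = ("mls flow ip interface-full", "mls nde sender version 5")
# Per-interface commands the message names for software-switched flows.
PER_INTERFACE = ("ip flow ingress", "ip route-cache flow")

# Constructed sample configuration (addresses are documentation ranges).
SAMPLE_CONFIG = """\
mls flow ip interface-full
mls aging fast time 4 threshold 2
!
interface GigabitEthernet1/1
 ip address 192.0.2.1 255.255.255.0
 ip flow ingress
!
interface GigabitEthernet1/2
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet1/3
 no ip address
 shutdown
!
"""

def audit_flow_export(config_text):
    """Return (missing_global_commands, interfaces_without_flow_export)."""
    top_level, interfaces, current = set(), {}, None
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # separator ends an interface block
        elif not line[0].isspace():             # unindented: global command
            match = re.match(r"interface\s+(\S+)", line)
            current = match.group(1) if match else None
            if current:
                interfaces[current] = []
            else:
                top_level.add(line.strip())
        elif current:                           # indented: belongs to the interface
            interfaces[current].append(line.strip())
    missing = [cmd for cmd in REQUIRED_GLOBAL if cmd not in top_level]
    # Assumption: only routed, enabled interfaces are expected to export flows.
    no_flow = [name for name, body in interfaces.items()
               if any(b.startswith("ip address ") for b in body)
               and "shutdown" not in body
               and not any(b in PER_INTERFACE for b in body)]
    return missing, no_flow

if __name__ == "__main__":
    missing, no_flow = audit_flow_export(SAMPLE_CONFIG)
    print("missing global NDE commands:", missing)
    print("interfaces without flow export:", no_flow)
```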