I had some trouble today at the office with monitoring flows going through an MLS switch.
The Nfsen collector was working well for our routers, but I came to realize there was something definitely wrong with the traffic going through a Cisco 6500 switch.
The traffic reported was way below the real one.
After some research, what I suspected was confirmed by this documentation from Cisco.
Some more steps are required to make Netflow report flows processed by the switching module.
Otherwise, as only the first packet is routed and the following ones are switched by CEF, Netflow will only see the first packet at layer 3.
That explains why the reported traffic was ridiculously small.
So, where on routers the following commands are enough:

(config)# ip cef
(config)# ip flow-export version 5
(config)# ip flow-export destination 192.168.1.1 1234
(config)# interface fa 1
(config-if)# ip route-cache flow

On MLS switches (like 6500 or 7200), add:

(config)# mls netflow
(config)# mls nde sender
(config)# mls aging long 64
(config)# mls flow ip full
The commands are described there. Unfortunately, as often with Cisco, they may vary depending on the IOS version you are running.
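A collector-side check for the symptom described above, as an added example that is not part of the original post: it parses NetFlow v5 export datagrams (the format selected by `ip flow-export version 5`) and lists exporters whose flow records almost all report a single packet. The exporter addresses, the sample counters, the 0.9 threshold and the idea that the problem shows up as `dPkts == 1` are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return (dPkts, dOctets) for every flow record in one v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append((rec[5], rec[6]))  # fields 5 and 6 are dPkts and dOctets
    return flows

def single_packet_ratio(datagrams):
    """Map exporter -> fraction of its flows that report exactly one packet."""
    total, single = defaultdict(int), defaultdict(int)
    for exporter, data in datagrams:
        for pkts, _ in parse_v5(data):
            total[exporter] += 1
            single[exporter] += pkts == 1
    return {e: single[e] / total[e] for e in total}

def suspects(datagrams, threshold=0.9):
    """Exporters that probably only see the first, routed packet of each flow."""
    return sorted(e for e, r in single_packet_ratio(datagrams).items() if r >= threshold)

def build_v5(flows):
    """Constructed sample data: build a v5 datagram from (dPkts, dOctets) pairs."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for pkts, octets in flows:
        out += RECORD.pack(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", bytes(4),
                           1, 2, pkts, octets, 0, 0, 1024, 80, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    return out

SAMPLE = [  # constructed: exporter addresses and counters are made up
    ("192.0.2.10", build_v5([(120, 96000), (14, 9000), (1, 60), (300, 410000)])),
    ("192.0.2.65", build_v5([(1, 60), (1, 1500), (1, 40), (1, 576)])),
]

if __name__ == "__main__":
    print(single_packet_ratio(SAMPLE), suspects(SAMPLE))
```

In a real deployment the `(exporter, datagram)` pairs would come from the UDP socket the exporters send to, with the source address of each datagram used as the exporter key.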

Hello,
For NetFlow or sFlow analysis, please consider Scrutinizer:
http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php
thanks,
jake
So far, I am using Nfsen: http://nfsen.sourceforge.net/
It is free software and does the job very well.
I already found your tool a while ago but I don’t need it so far.
Plus, honestly, it is rather off-topic and I was going to spam your comment.
For now I am in a good mood but it may change soon.