Hello,
Regarding the Netflow version we are using, I was told that the version of
IOS we're running didn't support v9 (which surprises me as I thought it was
pretty current) so we tried it with v7 at first. Here's a more complete list
of the commands that were entered to activate Netflows:
! global command By default mls nde sender send version7 packet
mls netflow interface
mls flow ip interface-full
mls nde sender
ip flow-export source Loopback0
ip flow-export destination 10.45.7.36 2055
! interface specific command
ip flow ingress
A "show version" returns:
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version
12.2(33)SXI2, RELEASE SOFTWARE (fc3)
After Gary's comment:
> Stick with v5 unless you need something v9 provides (and ntop consumes).
I asked to change the version to v5, deleted the old Netflow-device.2
interface, did a "rm -rf rrd/interfaces/NetFlow-device.2" once again,
recreated the Netflow interface with the same parameters as before except
one: I left the "enable session handling" to "no" instead of setting to
"yes" as before, and restarted ntop.
Things have improved: I don't have thousands of lines in the "Netflow =>
Statistics" anymore after running only 10-15 minutes, I have only about 50,
but the number is slowly increasing and I am wondering if the same thing
(more than 32000 files in the rrd directory) will not happen after running
for many hours or days.
In "Netflow=>Statistics", I now have 3 different tables with 3 "devices":
======================================================================
Device 1 - NetFlow-device.2
{ 12 lines that all have "10.1.254.254:53853" in the "NetFlow Device"
column, numbers between 42 and 60 in the " Interface Name/Id" column and
varying numbers of packets and bytes, followed by a summary stating 99
packets containing 2871 flows received and processed }
Device 2 - NetFlow-device.2
{ 52 lines that all have "10.1.254.254:53853" in the "NetFlow Device"
column, numbers between 0 and 62636 in the " Interface Name/Id" column and
varying numbers of packets and bytes, followed by a summary stating 21,022
packets containing 597,893 flows received with 18,996 "lost flows" }
Device 3 - NetFlow-device.2
{ 57 lines that all have "10.1.254.254:53853" in the "NetFlow Device"
column, numbers between 0 and 13395 in the " Interface Name/Id" column and
varying numbers of packets and bytes, followed by a summary stating 18,784
packets containing 541,546 flows received }
======================================================================
I suspect that a new "Device" is created every time I enable Netflow or
create a new Netflow device (I deleted and recreated the Netflow interface a
few times and even disabled the Netflow plugin completely once).
On successive reloads of the page, only the third table changes, I guess the
two other ones contain historical data and only the third one is current.
Is this normal? Even though the problem is not as severe as before, I don't
think all these "Interface IDs" should be created with only one Netflow
session feeded into ntop.
Last minute addition: in the 15-20 minutes it took me to compose this
e-mail, the number of files in the "rrd/interfaces/NetFlow-device.2/NetFlow"
directory increased from 35 to 63. Each file corresponds to a "Interface
Name/ID". We're far from 32000 as before, but the number is slowly
increasing all the time.
Thanks a lot for your help!
Marc.
On 10-07-14 19:09, Gary Gatten à [email protected] wrote :
> I don't know what "mls netflow interface" is or does. Perhaps my IOS version
> does something similar with different syntax.
>
> Nonetheless... I don't see a flow version specified. Stick with v5 unless
> you need something v9 provides (and ntop consumes).
>
> If you want to post a capture of a flow record I'll compare to mine - or you
> can compare to the docs on v5 records. Also, you may want to delete all
> netflow confs in ntop and start over. Other than that I'm running out ideas.
> It pretty much just works IF the flow exporters are configured correctly for
> your environment.
>
> ----- Original Message -----
> From: [email protected] <[email protected]>
> To: [email protected] <[email protected]>
> Sent: Wed Jul 14 15:17:36 2010
Subject: Re: [Ntop] Ntop 3.4-pre3 and Netflow
> problem: thousands of "interfaces" ?
>
> Hello,
>
> On our Catalyst 6500 the only options that are available are:
>
> 6500A(config)#mls flow ip ?
> interface-destination interface-destination flow keyword
> interface-destination-source interface-destination-source flow keyword
> interface-full interface-full flow keyword
> interface-source interface-source only flow keyword
>
> So it seems that "mls flow ip full" is not available.
>
> Here is the netflow config that was provided to me by my colleague from the
> networking team:
>
> mls netflow interface
> mls flow ip interface-full
>
> Regards,
> Marc.
>
>
> On 10-07-13 14:54, Gary Gatten at [email protected] wrote :
>
>> In my CAT I have "mls flow ip full". LanCope recommends: "mls flow ip
>> interface-full"
>>
>> I *think* I started with the "interface-full" and switched back to "full" for
>> some reason - probably testing that I didn't follow up on.
>>
>> FYI:
>>
http://netflowninjas.lancope.com/blog/2010/05/always-use-mls-flow-ip-interfac>>
e
>> full-when-enabling-netflow-on-the-catalyst-6500.html
>
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
>
<font size="1">
<div style='border:none;border-bottom:double windowtext
> 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be
> reviewed by only the intended recipient
and may contain information that is
> privileged and/or confidential.
If you are not the intended recipient, you
> are hereby notified that
any review, use, dissemination, disclosure or
> copying of this email
and its attachments, if any, is strictly prohibited.
> If you have
received this email in error, please immediately notify the
> sender by
return email and delete this email from your
> system."
</font>
_______________________________________________
Ntop mailing
> list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/nt
> op
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
