«

I have Netflow enabled on my Cat 6509. I am using a 3rd party Netflow
collector. I am exporting the flows from my VLAN's. When I examine
the traffic in my collector, the flows appear to be twice what they
are in reality. For example, if I copy a 100 MB file from one server
to another over Windows file sharing, the flow colllector reports that
the transfer was 200 MB. The collector has the ability to display
incoming and outgoing traffic separately, so I don't think this is an
issue of duplex traffic being displayed.

I called Cisco, and the engineer said this is expected when exporting
flows from a VLAN -- that the flows will be exported as the traffic
enters then leaves the VLAN. He said that this known behavior, and
there is no way around it using Layer2. He said it is up to the
Netflow collector to handle the de-duplication.

When I call the Netflow collector vendor, they say there is a
configuration issue with the 6509.

IOS Native mode -- 12.2(1SXF13

Here's my config entries

ip flow ingress layer2-switched vlan 1,11-13,110
mls aging fast time 8 threshold 127
mls aging normal 32
mls flow ip full
mls flow ipx destination
mls nde sender version 5
no mls acl tcam share-global

interface Vlan11
no ip address
ip route-cache flow
!
interface Vlan12
no ip address
ip route-cache flow
!
interface Vlan13
no ip address
ip route-cache flow

ip flow-export destination x.x.x.x 2055

I wonder if anyone lese out there has experienced the same problem.
If so, were you able to find a work around?

Any help is appreciated.

On May 16, 9:10*am, sillz <beth.sto...@gmail.com> wrote:
> I have Netflow enabled on my Cat 6509. *I am using a 3rd party Netflow
> collector. *I am exporting the flows from my VLAN's. *When I examine
> the traffic in my collector, the flows appear to be twice what they
> are in reality. *For example, if I copy a 100 MB file from one server
> to another over Windows file sharing, the flow colllector reports that
> the transfer was 200 MB. *The collector has the ability to display
> incoming and outgoing traffic separately, so I don't think this is an
> issue of duplex traffic being displayed.
>
> I called Cisco, and the engineer said this is expected when exporting
> flows from a VLAN -- that the flows will be exported as the traffic
> enters then leaves the VLAN. *He said that this known behavior, and
> there is no way around it using Layer2. *He said it is up to the
> Netflow collector to handle the de-duplication.
>
> When I call the Netflow collector vendor, they say there is a
> configuration issue with the 6509.
>
> IOS Native mode -- 12.2(1SXF13
>
> Here's my config entries
>
> ip flow ingress layer2-switched vlan 1,11-13,110
> mls aging fast time 8 threshold 127
> mls aging normal 32
> mls flow ip full
> mls flow ipx destination
> mls nde sender version 5
> no mls acl tcam share-global
>
> interface Vlan11
> *no ip address
> *ip route-cache flow
> !
> interface Vlan12
> *no ip address
> *ip route-cache flow
> !
> interface Vlan13
> *no ip address
> *ip route-cache flow
>
> ip flow-export destination x.x.x.x 2055
>
> I wonder if anyone lese out there has experienced the same problem.
> If so, were you able to find a work around?
>
> Any help is appreciated.

is this the case for both TCP and UDP traffic? what are the results of
doing an IPERF test?

Flamer.

On May 17, 8:15*pm, "flamer die.s...@hotmail.com"
<die.s...@hotmail.com> wrote:
> On May 16, 9:10*am, sillz <beth.sto...@gmail.com> wrote:
>
>
>
>
>
> > I have Netflow enabled on my Cat 6509. *I am using a 3rd party Netflow
> > collector. *I am exporting the flows from my VLAN's. *When I examine
> > the traffic in my collector, the flows appear to be twice what they
> > are in reality. *For example, if I copy a 100 MB file from one server
> > to another over Windows file sharing, the flow colllector reports that
> > the transfer was 200 MB. *The collector has the ability to display
> > incoming and outgoing traffic separately, so I don't think this is an
> > issue of duplex traffic being displayed.
>
> > I called Cisco, and the engineer said this is expected when exporting
> > flows from a VLAN -- that the flows will be exported as the traffic
> > enters then leaves the VLAN. *He said that this known behavior, and
> > there is no way around it using Layer2. *He said it is up to the
> > Netflow collector to handle the de-duplication.
>
> > When I call the Netflow collector vendor, they say there is a
> > configuration issue with the 6509.
>
> > IOS Native mode -- 12.2(1SXF13
>
> > Here's my config entries
>
> > ip flow ingress layer2-switched vlan 1,11-13,110
> > mls aging fast time 8 threshold 127
> > mls aging normal 32
> > mls flow ip full
> > mls flow ipx destination
> > mls nde sender version 5
> > no mls acl tcam share-global
>
> > interface Vlan11
> > *no ip address
> > *ip route-cache flow
> > !
> > interface Vlan12
> > *no ip address
> > *ip route-cache flow
> > !
> > interface Vlan13
> > *no ip address
> > *ip route-cache flow
>
> > ip flow-export destination x.x.x.x 2055
>
> > I wonder if anyone lese out there has experienced the same problem.
> > If so, were you able to find a work around?
>
> > Any help is appreciated.
>
> is this the case for both TCP and UDP traffic? what are the results of
> doing an IPERF test?
>
> Flamer.- Hide quoted text -
>
> - Show quoted text -

If I do an iperf test using TCP, the total amount trasnferred is 100
MBytes. My collector shows 200 MBytes. Data rate in iperf is @ 95
mbits per sec. My collector shows almost 200 mbits per sec.

If I do the same test with iperf using UDP, the total amount
tranferred is 1.25 MBytes. My collector shows @ 2.5 MBytes. Data
rate in iperf is @ 1 mbit per sec. It's hard to narrow this down in
my collector because of other traffic obscurring my test.

It looks like my collector is registering 2X the traffic whether it is
UDP or TCP.