Netflow - Duplicate Packets or Flows

Discussion in 'Cisco' started by sillz, May 15, 2009.

  1. sillz

    sillz Guest

    I have Netflow enabled on my Cat 6509. I am using a 3rd party Netflow
    collector. I am exporting the flows from my VLAN's. When I examine
    the traffic in my collector, the flows appear to be twice what they
    are in reality. For example, if I copy a 100 MB file from one server
    to another over Windows file sharing, the flow colllector reports that
    the transfer was 200 MB. The collector has the ability to display
    incoming and outgoing traffic separately, so I don't think this is an
    issue of duplex traffic being displayed.

    I called Cisco, and the engineer said this is expected when exporting
    flows from a VLAN -- that the flows will be exported as the traffic
    enters then leaves the VLAN. He said that this known behavior, and
    there is no way around it using Layer2. He said it is up to the
    Netflow collector to handle the de-duplication.

    When I call the Netflow collector vendor, they say there is a
    configuration issue with the 6509.

    IOS Native mode -- 12.2(18)SXF13

    Here's my config entries

    ip flow ingress layer2-switched vlan 1,11-13,110
    mls aging fast time 8 threshold 127
    mls aging normal 32
    mls flow ip full
    mls flow ipx destination
    mls nde sender version 5
    no mls acl tcam share-global

    interface Vlan11
    no ip address
    ip route-cache flow
    !
    interface Vlan12
    no ip address
    ip route-cache flow
    !
    interface Vlan13
    no ip address
    ip route-cache flow

    ip flow-export destination x.x.x.x 2055

    I wonder if anyone lese out there has experienced the same problem.
    If so, were you able to find a work around?

    Any help is appreciated.
    sillz, May 15, 2009
    #1
    1. Advertising

  2. sillz

    flamer Guest

    On May 16, 9:10 am, sillz <> wrote:
    > I have Netflow enabled on my Cat 6509.  I am using a 3rd party Netflow
    > collector.  I am exporting the flows from my VLAN's.  When I examine
    > the traffic in my collector, the flows appear to be twice what they
    > are in reality.  For example, if I copy a 100 MB file from one server
    > to another over Windows file sharing, the flow colllector reports that
    > the transfer was 200 MB.  The collector has the ability to display
    > incoming and outgoing traffic separately, so I don't think this is an
    > issue of duplex traffic being displayed.
    >
    > I called Cisco, and the engineer said this is expected when exporting
    > flows from a VLAN -- that the flows will be exported as the traffic
    > enters then leaves the VLAN.  He said that this known behavior, and
    > there is no way around it using Layer2.  He said it is up to the
    > Netflow collector to handle the de-duplication.
    >
    > When I call the Netflow collector vendor, they say there is a
    > configuration issue with the 6509.
    >
    > IOS Native mode -- 12.2(18)SXF13
    >
    > Here's my config entries
    >
    > ip flow ingress layer2-switched vlan 1,11-13,110
    > mls aging fast time 8 threshold 127
    > mls aging normal 32
    > mls flow ip full
    > mls flow ipx destination
    > mls nde sender version 5
    > no mls acl tcam share-global
    >
    > interface Vlan11
    >  no ip address
    >  ip route-cache flow
    > !
    > interface Vlan12
    >  no ip address
    >  ip route-cache flow
    > !
    > interface Vlan13
    >  no ip address
    >  ip route-cache flow
    >
    > ip flow-export destination x.x.x.x 2055
    >
    > I wonder if anyone lese out there has experienced the same problem.
    > If so, were you able to find a work around?
    >
    > Any help is appreciated.


    is this the case for both TCP and UDP traffic? what are the results of
    doing an IPERF test?

    Flamer.
    flamer , May 18, 2009
    #2
    1. Advertising

  3. sillz

    sillz Guest

    On May 17, 8:15 pm, "flamer "
    <> wrote:
    > On May 16, 9:10 am, sillz <> wrote:
    >
    >
    >
    >
    >
    > > I have Netflow enabled on my Cat 6509.  I am using a 3rd party Netflow
    > > collector.  I am exporting the flows from my VLAN's.  When I examine
    > > the traffic in my collector, the flows appear to be twice what they
    > > are in reality.  For example, if I copy a 100 MB file from one server
    > > to another over Windows file sharing, the flow colllector reports that
    > > the transfer was 200 MB.  The collector has the ability to display
    > > incoming and outgoing traffic separately, so I don't think this is an
    > > issue of duplex traffic being displayed.

    >
    > > I called Cisco, and the engineer said this is expected when exporting
    > > flows from a VLAN -- that the flows will be exported as the traffic
    > > enters then leaves the VLAN.  He said that this known behavior, and
    > > there is no way around it using Layer2.  He said it is up to the
    > > Netflow collector to handle the de-duplication.

    >
    > > When I call the Netflow collector vendor, they say there is a
    > > configuration issue with the 6509.

    >
    > > IOS Native mode -- 12.2(18)SXF13

    >
    > > Here's my config entries

    >
    > > ip flow ingress layer2-switched vlan 1,11-13,110
    > > mls aging fast time 8 threshold 127
    > > mls aging normal 32
    > > mls flow ip full
    > > mls flow ipx destination
    > > mls nde sender version 5
    > > no mls acl tcam share-global

    >
    > > interface Vlan11
    > >  no ip address
    > >  ip route-cache flow
    > > !
    > > interface Vlan12
    > >  no ip address
    > >  ip route-cache flow
    > > !
    > > interface Vlan13
    > >  no ip address
    > >  ip route-cache flow

    >
    > > ip flow-export destination x.x.x.x 2055

    >
    > > I wonder if anyone lese out there has experienced the same problem.
    > > If so, were you able to find a work around?

    >
    > > Any help is appreciated.

    >
    > is this the case for both TCP and UDP traffic? what are the results of
    > doing an IPERF test?
    >
    > Flamer.- Hide quoted text -
    >
    > - Show quoted text -


    If I do an iperf test using TCP, the total amount trasnferred is 100
    MBytes. My collector shows 200 MBytes. Data rate in iperf is @ 95
    mbits per sec. My collector shows almost 200 mbits per sec.

    If I do the same test with iperf using UDP, the total amount
    tranferred is 1.25 MBytes. My collector shows @ 2.5 MBytes. Data
    rate in iperf is @ 1 mbit per sec. It's hard to narrow this down in
    my collector because of other traffic obscurring my test.

    It looks like my collector is registering 2X the traffic whether it is
    UDP or TCP.
    sillz, May 21, 2009
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. caroline brunel
    Replies:
    0
    Views:
    2,399
    caroline brunel
    Dec 9, 2004
  2. Replies:
    0
    Views:
    927
  3. Tilman Schmidt

    ISAKMP duplicate packets

    Tilman Schmidt, Aug 28, 2007, in forum: Cisco
    Replies:
    0
    Views:
    1,665
    Tilman Schmidt
    Aug 28, 2007
  4. Replies:
    0
    Views:
    503
  5. Re: and so the merda flows!

    , Nov 28, 2008, in forum: Computer Support
    Replies:
    0
    Views:
    470
Loading...

Share This Page