NetFlow for Catalyst 4500

ccie-rs July 20th, 2009

I had the pleasure of integrating brand new 4500s into production Friday night to alleviate performance bottlenecks on our 3845s.  For quite some time, we’ve been pushing the boundaries of UDP file transfers over our existing routers utilizing a product called Aspera.  While you may think that UDP is unreliable and connectionless, the folks at Asperasoft have devised a way to conduct transfers reliably.  There are a few kinks with the software, but the results are pretty impressive.  Just imagine transferring 1TB of data over a 1Gb connection from LA to NY in less than a day.  To increase the routing threshold, we had to migrate off the 3845s and introduce the 4506-E switches.  The transition went very smoothly and was completed within the maintenance window, which is a rare feat at times.

Once all the hardware was in place I cleaned up our monitoring devices and alerts with new interface information off the switches.  I quickly activated NetFlow and didn’t think anything of it at the time.  On Sunday, I had some time to VPN in and check on the performance of the new switches.  I found out that our ManageEngine software only detected 1 interface to monitor.  That wasn’t going to do me any good, so I decided to do some research.  I checked the config first to make sure I entered the commands correctly:

CRS01#sh run | i flow
ip flow-cache timeout active 1
ip flow-export source Vlan119
ip flow-export version 5
ip flow-export destination 172.16.119.194 9996
ip flow-top-talkers
top 25
sort-by bytes
ip route-cache flow

Looks correct so far.  According to Cisco’s Catalyst 4500 Series Switch Software Configuration Guide, 12.2(50)SG documentation, you should verify that the NetFlow Services daughter card (WS-F4531) is working and available:

CRS01#sh module all
Chassis Type : WS-C4506-E

Power consumed by backplane : 0 Watts

Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
1     6  Sup V-10GE 10GE (X2), 1000BaseX (SFP)  WS-X4516-10GE      XXXXXXXXXXX
2     6  SFP, 10/100/1000BaseT (RJ45)V, Cisco/I WS-X4506-GB-T      XXXXXXXXXXX
3    48  10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V  XXXXXXXXXXX

M MAC addresses                    Hw  Fw           Sw               Status
--+--------------------------------+---+------------+----------------+---------
1 0024.1423.78c0 to 0024.1423.78c5 5.1 12.2(31r)SGA 12.2(50)SG1      Ok
2 001b.5481.a2dc to 001b.5481.a2e1 1.4                               Ok
3 0021.a0de.dfc0 to 0021.a0de.dfef 4.1                               Ok

This next section I’m copying from the documentation was missing completely:

Mod  Submodule               Model             Serial No.   Hw   Status
----+-----------------------+-----------------+------------+----+---------
 1   Netflow Services Card   WS-F4531          JAB062209CG  0.2  Ok
 2   Netflow Services Card   WS-F4531          JAB062209AG  0.2  Ok

After reading around in a few forums, I found that the NetFlow Services Card submodule is built into my Supervisor Engine V-10GE and may not appear when running the command.  I continued to read through the documentation and found that to activate NetFlow for the 4500 I should run the global command:

ip flow ingress

The moment you enter this command, additional command options start to appear in the IOS.

ip flow ingress infer-fields
ip flow ingress layer2-switched

Adding these additional commands still didn’t reveal all the interfaces I wanted to monitor within NetFlow Analyzer so I had to conduct more research.  I finally stumbled upon an additional command:

ip route-cache flow infer-fields

The infer-fields option doesn’t appear when you use the question mark, but the IOS accepts the command.  As soon as I hit enter, my analyzer page refreshed and all the interfaces appeared.  I wanted to inquire more about the option and Googled ‘ip route-cache flow infer-fields’ and found ManageEngine’s supporting documentation for Configuring NDE.

If I had just continued reading Cisco’s documentation, I would have found the command in the example section.
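
A way to check what the collector is actually receiving, as an added example that is not part of the original post: it parses NetFlow v5 export datagrams (the version configured above) and counts flows per input/output ifIndex. It assumes the single-interface symptom shows up as records whose interface fields are 0, i.e. left empty by the exporter; the sample datagrams and the build_sample helper are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return (input_ifindex, output_ifindex, src, dst, octets) per flow record."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append((f[3], f[4], str(ipaddress.IPv4Address(f[0])),
                      str(ipaddress.IPv4Address(f[1])), f[6]))
    return flows

def interface_summary(flows):
    """Count flows per ifIndex; index 0 means the exporter left the field empty."""
    seen = Counter()
    for in_if, out_if, *_ in flows:
        seen[in_if] += 1
        seen[out_if] += 1
    return dict(seen)

def build_sample(records):
    """Constructed test datagram: records are (src, dst, in_if, out_if, octets)."""
    body = b"".join(
        RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                    bytes(4), i, o, 10, n, 0, 0, 1024, 33001, 0, 0, 17, 0, 0, 0, 24, 24, 0)
        for s, d, i, o, n in records)
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    # Constructed samples: first without inferred interface fields, then with them.
    before = build_sample([("10.0.1.5", "10.0.2.9", 0, 0, 1500)] * 2)
    after = build_sample([("10.0.1.5", "10.0.2.9", 3, 7, 1500),
                          ("10.0.2.9", "10.0.1.5", 7, 3, 900)])
    for name, dgram in (("before", before), ("after", after)):
        print(name, interface_summary(parse_v5(dgram)))
```

Run it against datagrams captured on the collector's UDP port (9996 in the configuration above); a summary that contains only index 0 means the interface fields are not being populated.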

WAAS Module: NM-WAE-522-K9

ccie-rs May 3rd, 2009

If you are planning on loading an ISR 2821, 3825, or 3845 router with this particular WAAS module and any of these Advanced Enterprise IOS versions:

12.4.15T9

12.4.20T1

12.4.20.T2

12.4.20.T3

12.4.22T

12.4.22T1

you’ll soon find that the router will hang on start-up.  To overcome this problem you’ll need to upgrade to 12.4.24T in order for the router to boot up properly.  Prior to my upgrade, I was running 12.4.13b which booted up fine, so it appears this issue only appears in the T train.
