Board index cisco

Netflow - Duplicate Packets or Flows

Netflow - Duplicate Packets or Flows

Post by sill » Sun, 17 May 2009 06:10:00


I have Netflow enabled on my Cat 6509. I am using a 3rd party Netflow
collector. I am exporting the flows from my VLAN's. When I examine
the traffic in my collector, the flows appear to be twice what they
are in reality. For example, if I copy a 100 MB file from one server
to another over Windows file sharing, the flow colllector reports that
the transfer was 200 MB. The collector has the ability to display
incoming and outgoing traffic separately, so I don't think this is an
issue of duplex traffic being displayed.

I called Cisco, and the engineer said this is expected when exporting
flows from a VLAN -- that the flows will be exported as the traffic
enters then leaves the VLAN. He said that this known behavior, and
there is no way around it using Layer2. He said it is up to the
Netflow collector to handle the de-duplication.

When I call the Netflow collector vendor, they say there is a
configuration issue with the 6509.

IOS Native mode -- 12.2(18)SXF13

Here's my config entries

ip flow ingress layer2-switched vlan 1,11-13,110
mls aging fast time 8 threshold 127
mls aging normal 32
mls flow ip full
mls flow ipx destination
mls nde sender version 5
no mls acl tcam share-global

interface Vlan11
no ip address
ip route-cache flow
!
interface Vlan12
no ip address
ip route-cache flow
!
interface Vlan13
no ip address
ip route-cache flow

ip flow-export destination x.x.x.x 2055

I wonder if anyone lese out there has experienced the same problem.
If so, were you able to find a work around?

Any help is appreciated.
 
 
 
Top

Netflow - Duplicate Packets or Flows

Post by flamer die » Tue, 19 May 2009 12:15:08


is this the case for both TCP and UDP traffic? what are the results of
doing an IPERF test?

Flamer.

 
 
 
Top

Netflow - Duplicate Packets or Flows

Post by sill » Sat, 23 May 2009 06:09:13

On May 17, 8:15m, "flamer XXXX@XXXXX.COM "



If I do an iperf test using TCP, the total amount trasnferred is 100
MBytes. My collector shows 200 MBytes. Data rate in iperf is @ 95
mbits per sec. My collector shows almost 200 mbits per sec.

If I do the same test with iperf using UDP, the total amount
tranferred is 1.25 MBytes. My collector shows @ 2.5 MBytes. Data
rate in iperf is @ 1 mbit per sec. It's hard to narrow this down in
my collector because of other traffic obscurring my test.

It looks like my collector is registering 2X the traffic whether it is
UDP or TCP.
 
 
 
Top

1. FreeBSD Firewall Questions: (Regular) Packet Filtering vs. Stateful Packet Filtering vs. Dynamic Proxy Packet Filtering

2. Need help in developing a Tk GUI to represent packet flow in a network

3. XP/03 On/Off LAN NIC IPv6 Option cause ISATAP packet flow slow

4. How Transport Layer Packets Flow To IP Layer in Linux ?

5. How to see the packet flowing to/from NIC using PassThru?

6. Need help in developing a Tk GUI to represent packet flow ina network

7. Vista On/Off LAN NIC IPv6 Option cause ISATAP packet flow interrup

8. Data packet flowing through SBS/Exchange

9. Duplicate transactions in Cash Flow

10. BUGCODE_NDIS_DRIVER 7C, Duplicate packet descriptor on Vista RTM 32 bit

11. BUGCODE_NDIS_DRIVER 7C, Duplicate packet descriptor on Vista RTM 32 bit

12. duplicate outgoing packet using iptables

13. Duplicate IP packets generated

14. using Kerberos to detect duplicate packets?

All times are UTC
Board index