Archive

标签为 ‘Netflow’的文章

ASR9k Netflow and QOS order in the inbound direction

My customer match a issue that business traffics take IP6,7 flag, then the traffics auto mapping to EXP6,7 that cause control police congestion, and ISIS flapping due to BFD flap. So they want to check which traffics have incorrect flag by netflow, so need to check ording for netflow and QOS at input direction. I check some documents, nobody notice that, so the article will show test info, you can check if you need. Finaly test result: At ingress direction, packets will be cached first by netflow, then do other action in QOS.

Btw, due to auto mapping from TOS to EXP by range, e.g: TOS 192-223 will map to EXP6; TOS 223-255 will map to EXP7. So if we want to check the issue by netflow, suggest filter EXP data, as in my follow test, check by follow command:

RP/0/RSP1/CPU0:ASR9006-G#sh flow monitor test-mpls cache brief location 0/0/cpu0 | i 7-0
Fri Jan  8 04:57:39.604 UTC
      LDP 44.44.44.44/32        30000-7-0        40034-7-1           -                -                -                -          Te0/0/0/2       Te0/0/0/1       Fwd                  3888         36           Egr 12.1.1.1         55.55.55.55      0xff     icmp     0          2048

完整阅读

Flexible NetFlow configuration example

flow record test
 match ipv4 dscp
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes
 collect counter packets
 collect policy qos classification hierarchy   
>>>for flex netflow qos feature need config "platform qos performance-monitor" and reload

完整阅读

Netflow V9

最近研究了一下Netflow,发现这东西还是很不错的。建议如果流量异常有问题或负载分担问题,直接让客户配上monitor,不用配置exporter,直接看cache里的内容就可以了。Netflow里面有些迷惑的地方,这回整个测试了下,发现这东西还是比较有意思的。

2013-10-14: ASR9K NetFlow White Paper
https://supportforums.cisco.com/docs/DOC-36434

1. Template:

在v9的版本中,引进了template这个概念,这个东西感觉像个索引,告诉网管netflow的架构,默认export时间为1800s,也就是30mi,在抓netflow报文时,如果没有抓下template,那么你会发现通过wireshark无法解开cflow的报文,你也就没发分析了。另外template分两种,一种是正常的数据flow,另一种是option的flow,这就带来了强大的扩展。在下面的信息里,我把template的timeout改成了10s,cache timeout没改,所以你发现短时间内没有抓到任何flow流量:

完整阅读