This document discusses NetFlow accounting on a Catalyst 6500 Supervisor1 (SUP1).
Readers of this document should have knowledge of these topics:
The information in this document is based on these software and hardware versions:
Note: This document does not cover a Catalyst 6500 switch with SUP2/PFC2, because it runs Cisco Express Forwarding (CEF) and the behavior is slightly different.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Supervisor Engine 1, PFC, and Multilayer Switch Feature Card (MSFC) or MSFC2 provide Layer 3 (L3) switching with MLS. L3 switching with MLS identifies flows on the switch after the first packet has been routed by the MSFC and transfers the process of forwarding the remaining traffic in the flow to the switch, which reduces the load on the MSFC.
MLS also provides traffic statistics as part of its switching function. These statistics are used for identifying traffic characteristics for administration, planning, and troubleshooting. MLS uses NetFlow Data Export (NDE) to export the flow statistics.
In the above example, the following scenario occurs with the blue arrow:
Host1 in VLAN1 initiates a data transfer to host14 in VLAN14.
Host1 sends the first packet to the MSFC (the candidate packet in the MLS terminology).
The MSFC rewrites both MAC addresses in the Layer 2 (L2) header.
The MSFC reduces the TTL by one in the packet header.
The MSFC routes the packet into the correct VLAN (VLAN14).
The packet is sent back to SUP1.
An MLS entry for this L3 flow is created in the MLS cache on the SUP1.
All subsequent packets from the same flow are switched without reaching the MSFC (see the red arrow).
NetFlow (network flow) is an input side-measurement technology that allows for capturing the data required for network planning, monitoring, and accounting applications. Cisco IP accounting support provides basic IP accounting functions. By enabling IP accounting, users can see the number of bytes and packets switched through the Cisco IOS® Software on a source and destination IP address basis.
In practical terms, if five pings are sent from host1 in VLAN1 to host14 in VLAN14, only the first one is routed through the MSFC. The four remaining are switched on the Supervisor. The five pings are considered a single flow because the characteristics (such as source address, destination address, and source port) of the packets do not change.
In a more general statement, only the first packet of a flow reaches the MSFC, while all subsequent packets of the same flow are switched locally on the Supervisor.
This section describes the following different designs from a NetFlow accounting point of view:
If you disable MLS on the switch, all routed packets go through the MSFC. Therefore, all packets of all flows are accounted correctly on the MSFC.
However, enabling MLS on the switch increases performance. If you enable NetFlow on the MSFC only (exporting through version 5), only the first packet of every flow is accounted. This implies that the accounting information received from the flow record on the Cisco FlowCollector is almost useless.
This design has MLS enabled on the switch.
If you enable the export of the NetFlow data on the Supervisor only (exporting through version 7), you miss accounting of the first packet of every flow because the first packet is routed by the MSFC.
A better design is to export the flow records from the Supervisor (through version 7) and from the MSFC (through version 5).
The best design is to export the flow records in the VLAN of the Supervisor management IP address (sc0). If you export to another VLAN, the exported NetFlow data is itself accounted as a flow.
For example, with an export in VLAN14, the exported flow records have to be routed through the MSFC, which creates an MLS entry in the MLS cache on the Supervisor. This implies that there is a flow record created for the exported NetFlow packet, first on the MSFC and second on the Supervisor.
You can avoid this behavior by exporting the flow records in VLAN1, if the sc0 belongs to VLAN1.
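The two points above, that the MSFC (version 5 export) sees only the first packet of each flow while the Supervisor (version 7 export) sees the rest, and that export datagrams leaving through a VLAN other than the sc0 VLAN get accounted as flows of their own, can be checked on the collector side. The following is an added example, not Cisco code and not part of the original document: it decodes NetFlow version 5 and version 7 export datagrams with the standard record layouts, sums packets and octets per 5-tuple across both exporters, and sets aside records whose destination is the collector's own UDP port. The addresses, collector port, packet sizes and the export datagrams themselves are constructed here for the five-ping scenario described above and are not values from the page.

```python
"""Merge NetFlow v5 (MSFC) and v7 (Supervisor) exports per flow.

Added example, not Cisco's code. Record layouts follow the published
NetFlow v5 (48-byte records) and v7 (52-byte records, trailing router_sc) formats.
"""
import struct
from collections import defaultdict

V5_HDR = "!HHIIIIBBH"   # version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_REC = "!IIIHHIIIIHHBBBBHHBBH"   # srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
V7_HDR = "!HHIIIII"     # version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence, reserved
V7_REC = V5_REC + "I"   # same fields (pad1 is the v7 flags byte) plus router_sc


def ip2int(s):
    return struct.unpack("!I", bytes(int(b) for b in s.split(".")))[0]


def int2ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def build_export(version, records):
    """Build one export datagram from (src, dst, sport, dport, proto, pkts, octets) tuples (constructed test input)."""
    if version == 5:
        hdr, rec_fmt = struct.pack(V5_HDR, 5, len(records), 0, 0, 0, 0, 0, 0, 0), V5_REC
    elif version == 7:
        hdr, rec_fmt = struct.pack(V7_HDR, 7, len(records), 0, 0, 0, 0, 0), V7_REC
    else:
        raise ValueError("only v5 and v7 are built here")
    body = b""
    for src, dst, sport, dport, proto, pkts, octets in records:
        fields = [ip2int(src), ip2int(dst), 0, 1, 14, pkts, octets, 0, 0,
                  sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0]
        if version == 7:
            fields.append(0)  # router_sc: address of the MSFC bypassed by the shortcut (zero in this sample)
        body += struct.pack(rec_fmt, *fields)
    return hdr + body


def parse_export(data):
    """Decode a v5 or v7 export datagram into a list of flow dicts; reject other versions and bad lengths."""
    version = struct.unpack("!H", data[:2])[0]
    if version == 5:
        hdr_fmt, rec_fmt = V5_HDR, V5_REC
    elif version == 7:
        hdr_fmt, rec_fmt = V7_HDR, V7_REC
    else:
        raise ValueError("unsupported NetFlow version %d" % version)
    hdr_len, rec_len = struct.calcsize(hdr_fmt), struct.calcsize(rec_fmt)
    count = struct.unpack(hdr_fmt, data[:hdr_len])[1]
    if len(data) != hdr_len + count * rec_len:
        raise ValueError("datagram length does not match the record count in the header")
    flows = []
    for i in range(count):
        off = hdr_len + i * rec_len
        f = struct.unpack(rec_fmt, data[off:off + rec_len])
        flows.append({"version": version, "src": int2ip(f[0]), "dst": int2ip(f[1]),
                      "sport": f[9], "dport": f[10], "proto": f[13],
                      "pkts": f[5], "octets": f[6]})
    return flows


def merge_exports(datagrams, collector):
    """Sum packets/octets per 5-tuple across all exporters.

    Records whose destination is the collector's own UDP port are the export
    datagrams being accounted (export left through a non-sc0 VLAN); they are
    returned separately so they do not inflate the traffic totals.
    """
    totals = defaultdict(lambda: {"pkts": 0, "octets": 0, "seen_in": set()})
    self_accounted = []
    for dg in datagrams:
        for r in parse_export(dg):
            key = (r["src"], r["dst"], r["sport"], r["dport"], r["proto"])
            if (r["dst"], r["dport"], r["proto"]) == (collector[0], collector[1], 17):
                self_accounted.append(key)
                continue
            t = totals[key]
            t["pkts"] += r["pkts"]
            t["octets"] += r["octets"]
            t["seen_in"].add(r["version"])
    return dict(totals), self_accounted


def account_example():
    """Constructed scenario: five 84-byte pings host1 (VLAN1) -> host14 (VLAN14), addresses hypothetical."""
    host1, host14, collector = "10.1.1.1", "10.14.14.14", ("10.14.14.100", 9995)
    echo = 8 * 256  # ICMP type/code is carried in dstport as type*256+code
    msfc_v5 = build_export(5, [(host1, host14, 0, echo, 1, 1, 84)])      # first packet, routed by the MSFC
    sup_v7 = build_export(7, [(host1, host14, 0, echo, 1, 4, 336)])      # four remaining, shortcut on SUP1
    # Export sent into VLAN14 instead of the sc0 VLAN: the MSFC and the Supervisor each record it as a flow.
    leak_v5 = build_export(5, [("10.1.1.254", collector[0], 49152, collector[1], 17, 1, 92)])
    leak_v7 = build_export(7, [("10.1.1.254", collector[0], 49152, collector[1], 17, 3, 276)])
    return merge_exports([msfc_v5, sup_v7, leak_v5, leak_v7], collector)


if __name__ == "__main__":
    totals, leaked = account_example()
    for key, t in totals.items():
        print(key, t["pkts"], "pkts", t["octets"], "octets from versions", sorted(t["seen_in"]))
    print("records for the export datagrams themselves:", leaked)
```

The length check in `parse_export` matters on a real collector: a datagram whose header count disagrees with its size is either truncated in transit or not NetFlow at all, and silently decoding it produces wrong totals. The `seen_in` set is the practical test of the design in this section: with MLS enabled and both exporters configured, every real flow should show both version 5 and version 7; a flow seen only in version 7 is missing its first packet, a flow seen only in version 5 is missing everything after it.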