In my 6500 template, I enable NetFlow collection even if I don't export it to an external management station. It has come in handy countless times when troubleshooting connectivity complaints between clients and servers. It's also useful for checking whether your QoS marking policies are working: look for specific IPs and the DSCP values on their flows. I recently discovered some bulk data replication filling up the class-default queues (DSCP 0) when it should have been marked AF11 (DSCP 10). It was pretty obvious when I saw one host transmitting over 1 TB of data in a few hours.
As I was crawling through the NetFlow data, I was left with a nagging question: exactly when does the switch export the flow? There are three triggering events:
1. TCP flags indicate that a session has ended
2. An inactive flow has reached the timeout
   ip flow-cache timeout inactive [seconds]
   Default = 15 seconds
3. An active flow has reached the timeout
   ip flow-cache timeout active [minutes]
   Default = 30 minutes
If you can't find an active flow in your management station's report, perhaps you need to turn down the active timeout.
For more details, here is a CCO doc:
Introduction to Cisco IOS NetFlow - A Technical Overview
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html