Netflow on a Cisco Supervisor 720
by admin on Feb.21, 2007, under Networking, Routers
I have been working on getting netflow working for all traffic going through our 6500 and 7600 series Cisco devices. We are running Supervisor 720/PFC3a blades, native IOS.
Commands added to get Netflow working:
mls aging fast time 8 threshold 127
mls aging normal 32
mls nde sender version 5
ip flow-export destination
ip flow-export version 5
ip flow-export source
Under VLAN interfaces and WAN port interfaces:
ip route-cache flow
With these commands I was able to get some traffic but not all. One thing I noticed was that I had “no mls flow ip” in my config. This command controls the flow mask, which decides what Netflow tracks in the traffic.
When I tried to change this to “mls flow ip full” or just about any other combination of this command I would get the following error:
% Unable to configure flow mask for ip protocol: full. Reset to the default flow mask type: none
After a ton of digging and some help from Cisco TAC we were able to get around this with the command “mls flow ip interface-destination-source”. The reason this was happening was that we are doing NAT on our MSFC. NAT uses a flow mask as well and, with the exception of the above setting, will conflict with mls mask settings.
After changing the flow mask everything is now coming through.
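To catch the same gaps before they cost flow visibility, here is a small config audit written for this page (an added example, not from the original post or from Cisco). It checks a saved or candidate running-config for the commands listed above, the NAT and flow mask conflict, and interfaces missing the per-interface command; the sample config, its addresses and the rule that "routed" means the interface has an ip address line are assumptions.

```python
import re

# Constructed sample running-config for illustration (not from the original post).
SAMPLE = """\
mls nde sender version 5
no mls flow ip
ip flow-export version 5
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
 ip route-cache flow
interface GigabitEthernet1/1
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
"""

GLOBAL_PREFIXES = ["mls nde sender version 5", "ip flow-export destination",
                   "ip flow-export version 5", "ip flow-export source"]
NAT_SAFE_MASK = "interface-destination-source"  # the one mask that coexisted with NAT

def audit(config):
    """Return a list of findings for a running-config given as text."""
    top, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line[0].isspace() and current:
            ifaces[current].append(line.strip())
        else:
            current = None
            top.append(line)
    findings = [f"missing global command: {p}" for p in GLOBAL_PREFIXES
                if not any(l.startswith(p) for l in top)]
    mask = next((m.group(1) for l in top
                 if (m := re.fullmatch(r"mls flow ip (\S+)", l))), None)
    uses_nat = any(c.startswith("ip nat ") for cmds in ifaces.values() for c in cmds)
    if mask is None:
        findings.append("flow mask not set (no 'mls flow ip <mask>' line)")
    elif uses_nat and mask != NAT_SAFE_MASK:
        findings.append(f"flow mask '{mask}' conflicts with NAT; use {NAT_SAFE_MASK}")
    for name, cmds in ifaces.items():
        routed = any(c.startswith("ip address ") for c in cmds)  # assumption: L3 = has an IP
        if routed and "ip route-cache flow" not in cmds:
            findings.append(f"{name}: missing ip route-cache flow")
    return findings
```

Running audit(SAMPLE) reports the two missing ip flow-export lines, the unset flow mask, and the WAN port without ip route-cache flow.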