Netflow on MLS switches

I had some trouble today at office with monitoring flows going through a MLS switch.

The Nfsen collector was working well for our routers, but I came to realize there were something definitely wrong with the traffic going through a Cisco 6500 switch.

The traffic reported was way below the real one.

After some research, what I suspected was confirmed by this documentation from Cisco.

Some more steps are required to make Netflow report flow processed by the switching module.

Otherwise, as only the first packet is routed and the following ones are switched by CEF, Netflow will only see the first packet at layer 3.

That explains why the reported traffic was ridicoulously small.

So, where on routers the following commands are enough :

(config)# ip cef
(config)# ip flow-export version 5
(config)# ip flow-export destination 1234
(config)# interface fa 1
(config-if)# ip route-cache flow

On MLS switches (like 6500 or 7200), add :

(config)# mls netflow
(config)# mls nde sender
(config)# mls aging long 64
(config)# mls flow ip full

The commands are described there. Unfortunately, as often with Cisco, they may vary depending on the IOS version your are running.