I recently updated a 7200 series router to a 7600 series – quite a big change. The config used was exactly the same and I couldn’t for the life of me work out why NetFlow was showing such a small amount of traffic. In short, it turns out you need to enable something called NDE (NetFlow Data Export). Without this enabled, the router will only export flows for the MSFC, which is mainly management traffic.
All you need to add is the following line in addition to the normal flow export lines:
mls nde sender version 5
The following guide was quite useful for this: http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/nde.html
So if you’re using an RSP720 or similar and find that you’re not seeing as much traffic as you should be when enabling NetFlow, then this is likely why.
Hope this helps someone.
You should be aware that there are significant caveats with NetFlow on pre-Sup2T 7600s & 6500s which severely degrade its operational utility.
1. No packet-sampled control of flow creation – i.e., sampled NetFlow. The sampling performed is post-flow-creation flow sampling, which only serves to make the statistics less accurate.
2. Limited TCAM space coupled with the aforementioned lack of true sampled NetFlow means that NDE cache overflow can happen at any time, leading to non-deterministically-skewed statistics which exclude an unknown amount of traffic.
3. No logical OR of TCP flags on TCP flows – no way to detect/classify SYN-floods, etc. Reduces value of NDE for troubleshooting purposes, as well.
4. No statistics for dropped traffic – if traffic is being dropped by an ACL, uRPF, etc., but is still consuming link capacity and/or pummeling your box, you will not see statistics on this traffic as you do on other platforms.
If NetFlow (and uRPF, and ACLs) are at all important to you, I strongly urge you to upgrade to a Sup2T and to upgrade any DFC-enabled linecards to DFC4s. Otherwise, you’ll get very little utility from NetFlow on the 7600, and you’ll be restricted to one global uRPF mode for all interfaces and will have obscure limitations on ACL construction, as well.
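A collector-side check for the two points above, as an added example that is not from the post or the comment: it parses a NetFlow version 5 export datagram (the format selected by "mls nde sender version 5"), totals the exported bytes, and counts TCP flows that arrive with an empty tcp_flags field, which is the field caveat 3 concerns. The function names and the sample datagram are constructed for illustration; the addresses are documentation ranges.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")   # 48-byte v5 flow record
TCP = 6

def parse_v5(datagram):
    """Return (header dict, list of record dicts) for one v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated header")
    version, count, _up, _secs, _nsecs, seq, etype, eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "packets": f[5], "octets": f[6], "sport": f[9],
                        "dport": f[10], "tcp_flags": f[11], "proto": f[12]})
    return {"flow_sequence": seq, "engine_type": etype, "engine_id": eid}, records

def summarise(records):
    """Totals to compare against interface counters, plus TCP flows lacking flags."""
    tcp = [r for r in records if r["proto"] == TCP]
    return {"flows": len(records), "octets": sum(r["octets"] for r in records),
            "tcp_flows": len(tcp),
            "tcp_flows_without_flags": sum(1 for r in tcp if r["tcp_flags"] == 0)}

def sample_datagram():
    """Constructed input: two TCP flows (flags 0x1b and 0x00) and one UDP flow."""
    def rec(src, dst, pkts, octets, sport, dport, flags, proto):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 0, 1000,
                           sport, dport, flags, proto, 0, 0, 0, 24, 24)
    recs = [rec("192.0.2.10", "198.51.100.5", 10, 5200, 40000, 443, 0x1B, 6),
            rec("192.0.2.11", "198.51.100.5", 3, 180, 40001, 80, 0x00, 6),
            rec("192.0.2.12", "198.51.100.53", 1, 76, 5353, 53, 0x00, 17)]
    return HEADER.pack(5, len(recs), 0, 0, 0, 100, 0, 0, 0) + b"".join(recs)

if __name__ == "__main__":
    header, flows = parse_v5(sample_datagram())
    print(header, summarise(flows))
```

Run against datagrams captured at the collector, a low octet total relative to the interface counters or a high share of TCP flows without flags shows up directly in the summary.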