Netflow operation

Unanswered Question
Jun 4th, 2008
User Badges:

We are currently evaluating Netflow collector programs and have a generic question. Should I be able to see and account for total data transferred through netflow data? We have been working with a 1Gb sample to understand how Netflow is configured and reports. The reporting always seems to be much smaller that the data sample we are using. The basic setup we are using is as follows..


Netflow configured on a remote 3640 router. We have added ip route-cache flow to both the serial and Fast Ethernet interfaces. I am exporting to a server here at corporate where the collector software is running. I am showing datagrams being exported to my collector. I am copying the large test file from our corporate office to a server on the remote LAN. The transferr takes several hours and I would expect the total bytes reported transferred to be the same or larger that the sample file. We are however consistently seeing a smaller value.


Is there something that I am missing? Should I not be able to account for 100% of the traffic flowing in / out of either link? Management wants to make sure that if we are going to use these types of tools that the reporting be accurate.


Brent

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jan Nejman Wed, 06/04/2008 - 07:09
User Badges:
  • Bronze, 100 points or more

Hello,

did you see data from both interfaces, or only from one interface? What is you active timeout configuration on cisco? (I recommend set active timeout in the range from 1 to 2 minutes). I can offer you a test with another analyzer, so you can compare results (if problem is in the netflow configuration on your router or in the analyzer). Please, feel free to contact me directly (my email is [email protected]) Test can be done in several minutes... ;-)


Do you have disabled a netflow sampling?


Kind regards


Jan Nejman

Caligare, Co.

http://www.caligare.com/


bberry Wed, 06/04/2008 - 07:42
User Badges:

Jan,


Yes I have data from both the Serial and FastE interfaces. Other than the following everything on the Cisco is default. What does lowering the active timeout do? I am not sure about disabling a netflow sample.


ip flow-export source Loopback0

ip flow-export version 5

ip flow-export destination 172.16.4.4 2055

Jan Nejman Wed, 06/04/2008 - 07:46
User Badges:
  • Bronze, 100 points or more

Try the following:

router(config)# ip flow-cache timeout active 1

router(config)# ip flow-cache timeout inactive 10


Maybe you get a better result.


Jan




Actions

This Discussion