Inaccurate Netflow Data?

Unanswered Question
Oct 20th, 2009

I'm having a strange issue. We have a router that is connected to an OC12 and it is sending ingress netflow data on all layer 3 interfaces.

The thing that I'm seeing is that the bandwidth utilization will go over the bandwidth of the OC12. I've seen spikes as high as 900Mbps.

Now these are only spikes and will only appear over a one minute sample, so it is not something that's maintained, but it is still an issue because now I'm afraid that I'm getting bad data.

Any thoughts?



Jan Nejman Tue, 10/20/2009 - 07:27

It is very strange. Which analyzer are you using? Try contacting your software distributor for more detailed debugging.

I note that I found a similar problem in Scrutinizer. Scrutinizer counts a long-lived flow (i.e. a 500MB data flow) at the export time, so it produces a 500MB spike in one minute instead of distributing the flow over time.


jason.williams@... Tue, 10/20/2009 - 07:33

I'm actually using 2 right now in trying to figure this out.

Lancope Stealthwatch and NetScout

Both of them are showing the same spikes over the bandwidth. However I'm seeing another odd thing between the two of them. The graphs are not identical, one will have a spike where the other doesn't.

Overall, they're pretty close, just the odd spike. The main thing is that they are both showing the same spikes that are over the OC12 bandwidth.

Jan Nejman Tue, 10/20/2009 - 07:56


Maybe you can solve this by decreasing the active flow timeout. Which Cisco device are you using? Did you configure the active flow timeout (or mls long aging)?


jason.williams@... Tue, 10/20/2009 - 08:02

In this case, it's a 6509-E.

I did configure both.

active flow timeout is set to 1

mls long aging is set to 64

Jan Nejman Tue, 10/20/2009 - 08:12

It is strange. The configuration looks OK. Can you debug further which flow causes a spike? I.e. web traffic from source A to destination B? Is it one flow or more flows? Try to enable ip top talkers (ip flow-top-talkers) and compare your results with the "show ip flow top-talkers".

If you find the same results in the IOS CLI, the problem is with your line card. If not, the problem will be with the analyzer.


yjdabear Tue, 10/20/2009 - 08:01

"Spike" rings a bell:

mls aging long 300 <-- we use 64

"This breaks up long-lived flows into 5-minute segments. choose any number of seconds between 64 and 900; if you leave the default of 900 seconds (15 minutes) you will get spikes in your utilization reports." -- don't recall where I got this quote from.

There're a number of other variables to tune:

mls aging fast threshold

mls aging normal

ip flow-cache timeout active

ip flow-cache timeout inactive
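
The effect discussed in this thread (a long-lived flow credited entirely to the minute in which it is exported, versus spread over its lifetime), as an added example that is not part of the original discussion. The flow records, function names and the 622.08 Mbps OC-12 line-rate constant are assumptions of the example, not data from the posters.

```python
from collections import defaultdict

OC12_MBPS = 622.08  # OC-12 line rate (assumed constant for the comparison)
BIN = 60            # one-minute reporting interval, as in the thread

# Constructed flow records (start_s, end_s, bytes); not data from the thread.
# Six short flows give a 300 Mbps background in minutes 0-5; one flow runs
# at a steady 100 Mbps for 300 s and is exported once, at t=300.
FLOWS = [(m * 60, m * 60 + 30, 2_250_000_000) for m in range(6)]
FLOWS.append((0, 300, 3_750_000_000))

def _to_mbps(byte_bins, bin_s):
    return {b: n * 8 / (bin_s * 1e6) for b, n in sorted(byte_bins.items())}

def mbps_by_export_time(flows, bin_s=BIN):
    """Credit all of a flow's bytes to the bin containing its end (export) time."""
    bins = defaultdict(float)
    for _start, end, nbytes in flows:
        bins[end // bin_s] += nbytes
    return _to_mbps(bins, bin_s)

def mbps_spread(flows, bin_s=BIN):
    """Distribute each flow's bytes over the bins it overlaps, by overlap time."""
    bins = defaultdict(float)
    for start, end, nbytes in flows:
        dur = end - start
        if dur <= 0:  # zero-duration flow: nothing to spread over
            bins[start // bin_s] += nbytes
            continue
        for b in range(start // bin_s, (end - 1) // bin_s + 1):
            overlap = min(end, (b + 1) * bin_s) - max(start, b * bin_s)
            bins[b] += nbytes * overlap / dur
    return _to_mbps(bins, bin_s)

def over_line_rate(series, limit=OC12_MBPS):
    """Return the bins whose rate exceeds what the link can physically carry."""
    return [b for b, rate in series.items() if rate > limit]

if __name__ == "__main__":
    for name, fn in (("export-time", mbps_by_export_time), ("spread", mbps_spread)):
        series = fn(FLOWS)
        print(name, {b: round(r, 1) for b, r in series.items()},
              "over OC-12:", over_line_rate(series))
```

Both methods account for the same total bytes; only the export-time binning reports a minute above line rate, which is why shortening the long-aging and active timeouts reduces the size of each mis-attributed chunk.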

