Cisco Support Community

ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Cisco Netflow Technology with Alex Vassiliadis. Alex is a Technical Assistance Center (TAC) customer support engineer at Cisco Systems, Inc. NetFlow is one of his areas of expertise. Alex joined Cisco in 2000 after having several years of experience in network troubleshooting and design. Remember to use the rating system to let Alex know if you’ve received an adequate response.

Alex might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 27. Visit this forum often to view responses to your questions and the questions of other community members.

41 REPLIES
New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

1. I have got two XP Home machines and one 98 laptop linked to an Origo ADSL router. The XP machines are set to obtain IP address automatically which they do (one is set to '192.168.0.5' and the other '192.168.0.7'). The 98 laptop should be coming up on the ipconfig as '192.168.0.6' but instead it comes up as '0.0.0.0'? I have pinged the laptop's network card and got a reply but I get no reply from the XP machines. I've checked the cables and they are fine so I am pretty much stuck.

2. Just network. It goes from cable modem to hub, my main computer is also connected to hub and so is my wireless router. For some reason everything works fine for 3-5 hrs, but then all of a sudden everything stops and I do mean everything. The only way to get network to come back is to reboot my main computer which has a RealTek Rt18139 nic card. Could you give me insight to why that one nic card is fouling up the whole system every 3-5 hrs. I know it's the nic card because as soon as I reboot the computer with it everything comes back on-line. I just don't see how a nic card that is just connected to a hub is inadvertently causing everything to stop. I know it's not the cable modem because I called them before I rebooted and they said it was fine. I'm on a custom built computer, it's an AMD2600 on a 57 Triton GA-tvt600 motherboard. The hub is a netgear DSs104 and the router is a SMC7004 and I recently changed to a Toshiba PX2600 cable modem. Please tell me what is going on and how to fix it. My cable modem service provider is also baffled because one nic card on a hub shouldn't affect the entire network.

3. Hi! I have been having this problem since I got my Gateway computer. I have 3 computers and all hook up to a Netgear Wireless router and this router connected to a DSL modem. First let me introduce these 3 computers.

Gateway 1GHZ with D-link NIC Card. 10/100 Mps. Running XP Pro. (boot leg version) Which this computer is closest to the router?

Sony Vaio 1.6 GHZ Laptop Running factory XP Pro. and using both Netgear Wireless PCMCIA and Built in Ethernet Port. (not at the same time)

Gateway 2.4GHZ running factory XP Home, connected to the router via built-in Ethernet port. (Just got this machine 2 days ago.)

All version of Windows have the SP1 upgrade.

FACTS:

1st - I got get internet access for all three computers.

2nd - When log on the router menu page, All 3 computers have unique IP addresses.

3rd - I am able to ping each address from all 3 computers.

4th - All 3 computers are on the same workgroup. Configured either manually or used the wizard.

5th - I am able to see all 3 computers on my Gateway machine ONLY.

6th - All computers have folders that are shared.

7th - File sharing were all turned on at all computers.

8th - XP built-in firewall were disabled.

9th - All computers have the same user names and password, and this user has admin profile.

Problem:

1st. Only able to see all 3 computers on the gateway machine ONLY.

2nd. Unable to browse the network workgroups via the other 2 computer. Saying I do not have permission to browse the selected network. contact your administrator.

3rd. Unable to see your own share folders from "view workgroup computers" with my vaio and dell if I have them on the same workgroup. But if I can workgroup for VAIO and DELL, I am able to see myself but not others.

4th. When attempting to gain access from Gateway to my other 2 computers on my workgroup. I am able to see my own share folders for Gateway, but when I try access my share folder from Vaio and DELL (remember Gateway is the only computer which can see the other computers from the same workgroup). It comes back saying the "\\WORKGROUP is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. THE NETWORK PATH WAS NOT FOUND." (for VAIO and DELL)

5th. I can do a search computer at Gateway using XP's Search feature. I am able to find those computers (VAIO and DELL) but when I click on them, it gives me the same message that I mentioned earlier

6th. When I do a search at DELL or VAIO (Like I did with my Gateway) I can not find the others.

7th. The most funny part is I am able to take my VAIO to work and hook up to a simple Hub and I am able to share file with my old 400MHz Micron at work running windows98.

ANY ONE HAS ANY IDEA???

4. I have a computer that has always connected to a domain. I have changed the domain to a workgroup and cannot log into the computer. I have logged into the admin account and it doesn't show the previous account/profile that I have been logging into for a long time now, very strange. In order to get back into that profile do I have to be within the domain on the Admin Account and change out of the workgroup to the domain + reboot + log in with my original user account? Where did the profile go? It exists under Documents and Settings folder, but not under user profiles in sys properties... Have I lost it all. PS. If I cannot get into the previous account... There are about 2 years worth of emails. (MS Outlook) Can I get to them and save them...? Is there a way I can Re-install or repair the TCP/IP Protocol and/or Drivers for Windows XP Home Edition?

5. I am trying to set up home networking with all of us sharing the net. Both my modem (Direcway) and the router have DHCP. Is that a problem? I can access the net when I hook the modem directly to my computer, but when I run it through the WAN on the D-link router I lose everything unable to access the net. I am able to ping the router with a response, so it confuses me to why the net is lost when I hook it up to the router. I am running XP Pro, my mother's is XP Home and 2 other pcs are running ME. Do you think I should start from square one again and run the home networking wizard on all 4 computers first, then add the internet after the networking is established? I hope someone can help, I know this is probably just something really simple that I am missing.

6. Weird problem and could use anyone's Explorer expertise.

System: PC with Win2000, IE 6. do use windows auto update feature for security/other updates.

Problem: Click to start IE and begins to load then comes up with red x box with msg SYSFADER: IEEXPLORER.EXE Application Error. Underneath says The instruction at 0x782f3439 referenced memory at xxxxxxxx (varies each time) The memory could not be read. Click ok to terminate program. Happens every time, tried deleting IE and reloading, however every time I delete and reload it, during the reload process it says IE is still there and do you want to overwrite it?, which I do. No effect. Netscape works fine as do all my other internet/email links. Nothing that I am aware of changed, no new programs or downloads, however this is my children's PC so who knows. Weird? I suspect the problem is in IE but cannot seem to delete it properly.

7. When installing something for example, office 2000. It says I don't have accessibility to install it. And when trying to disable my LAN connection it won't disable for me. What is the problem? Do you have to change stuff in the users and passwords?

8. Hi! Can anyone tell me why after some time from Windows XP installation, I can't open the folders from network computers? I can see the computers on the network, I can see their content, but when I try to open a folder it takes about 15 min.!!! I started all the services to be sure if not one of them blocking the network but the problem persist. If I install a fresh WinXP it works until 3-4 restarts. In Win98SE or Win2000 it works just fine. Any Idea?

9. Have recently successfully created a LAN (AMD-XP) and (P3). I have also about a new g-forge 440 mx graphics card for the AMD and XP which replaced the g-force 2 ON BOARD. I created the network mainly for gaming. I was wondering is there any way the pentium 3 can use the onboard gforce 2 with hardware sharing?

10. How do I prevent people on the net from seeing my IP address/ or how do I prevent a website from knowing exactly what my IP address is?

11. I have 3 PCs connected to a Linksys cable router. All get to the internet fine. PC 1 & 2 are XP. PC 3 is laptop with Win95. All PC's using TCP/IP. None using Netbios or Netbeui.

Problem: I can share files with the XP PCs. But cannot see the Win95 C from the XP's and vice versa. On the 95, network neighborhood shows computer. I have one computer using Win XP Pro, one with Win XP Home, and one with Win98SE. My internet connection is DSL and I'm set up as follows:

Internet - Modem - Linksys Router - to 3 computers using CAT5E cables.

All 3 computers connect to the internet and I have no problems there. When I try and set up a home network, I use the wizard, I shared my pictures, music and one laser printer. When the wizard completes, it says it is bridging the connection. Once that's done, I used my XP disc to set up the network on Win98 computer and then the same with the WinXP Home computer. Everything worked fine and we have the network running.

Then at night the computer is shut down. In the morning when it is booted up, I can't get on the internet (My Win XP Pro computer) I deleted the bridged connections and set up the internet again. I'm on the internet, but we are not networked. The other 2 computers when booted up, are not on any network (and nothing was changed on them). They have internet access with no problem. I used the wizard again and set up the network and everything worked again. But as soon as my computer is shut down and started up again, I run into the same problem. Am I doing something wrong in my hardware connections or something in my setup?

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hello Mary Jane

Thanks for writing to us. This forum is intended for any questions related to Cisco NetFlow, you can find more about it at http://www.cisco.com/go/netflow

As your questions are not related to the subject, please try to post them to other more appropriate forums.

Many thanks in advance

Alex Vassiliadis

New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi, Alex

Just to check what is the difference between Netflow and CEF? I noticed that some platforms (i.e. cat45xx?) got netflow feature card. Does that mean netflow is hardware dependent? Thanks!

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hello Rong,

Thanks for your question, the answer is "it depends".

NetFlow services run on top of existing switching paths:

fast-switching, CEF, dCEF. The switching may be done in software

(generally on routers) or in hardware (on switches).

Note, that on MLS switches (cat5k; cat6k with sup1a)

packet switching and NetFlow are even based on the same flow cache.

Being based on the switching path, Netflow services

on switches are also done in hardware.

The packaging varies on different switch models,

with special feature cards (Netflow Services Card WS-F4531

for cat4500 SupIV or NFFC for cat5k) and without them

(cat6k).

On routers, NetFlow is mostly done in software.

An example of hardware NetFlow implementation on routers

is c12000 engine 4+ based linecards.

To mention, on c10000 platform, NetFlow is implemented on PXF processors.

A link about PXF on c10000 PRE

http://www.cisco.com/en/US/products/hw/routers/ps133/products_white_paper09186a008008902a.shtml

Also, note that NetFlow data export part is done in software.

Many regards

Alex

Silver

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

I basically use Netflow for informational purposes to know what kind of traffic is flowing through my router. Is this a right usage? Also, on my 7507, I noticed that when I have cef distributed enabled, I cannot see all the flows. With just cef enabled, all the flows show. I'm afraid that I might have a performance issue as my switching is done on my RSP rather than on the line card. What do you suggest?

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Olorunloba

NetFlow has various applications, including

Accounting and Billing, Network Monitoring and planning,

Application and User monitoring and profiling,

Network Troubleshooting, Security Analysis/DoS Detection.

The usage you mentioned is one of those possible.

In regards to not seeing all flows with dCEF.

In distributed CEF mode NetFlow Services are also distributed,

and so each VIP has its own NetFlow cache table.

If you are looking at the flows from IOS CLI, then

to display NetFlow cache on the particular VIP, you need to:

- connect to the VIP with

if-con

- do

sh ip cache flow

Please let me know if this helps.

Many regards

Alex

Purple

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

How do you gracefully get out of the VIP to get back to the router, have tried the exit and logout commands, those do not work, just takes you back to a lets get started prompt. Any help appreciated.

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Glen

This is rather off-topic, but ^C^C^C should help you.

Many regards

Alex

New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi, Alex

Thanks for your explanation. You answered my question. Thanks!

New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Alex! If we change V8 as-tos to V9 raw (no router-based aggregation or with tos-prefix) with 10x or 100x sampling, would we get any cpu/memory performance boost?

Thanks, Paul.

P.S. Sorry for using reply button, didn't find Post button on the page.

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Paul,

Thanks for participating in this event.

Changing just the export format (v9 vs v8) will not affect performance.

Moving from non-sampled NetFlow to sampled NetFlow

will reduce CPU consumption. We've seen the following

numbers in a c7500 test:

x100 - CPU impact reduced by ~75%

x1000 - CPU impact reduced by ~82%

Turning on router-based aggregation(s) has minimal to no

impact on CPU.

Please take a look into the "NetFlow Performance Analysis" whitepaper, published recently, at:

http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/ntfo_wp.htm

for more details and numbers.

Many regards

Alex

New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

We are interested in looking at NetFlow data for our WAN links. We will soon have a MPLS any-any topology, requiring us to enable NetFlow on our edge routers to get the statistics we want. My current understanding is that NetFlow is an ingress-only technology, requiring us to enable NetFlow on all of our interfaces to get the WAN traffic in both directions. Are there plans to make NetFlow ingress and egress so that we would only have to enable it on our WAN interfaces?

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Dave

Thanks for your question.

In MPLS/VPN topologies, you can now use MPLS Egress Netflow:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s22/egress.htm

This feature is configured on an egress interface, but it is

still implemented on the ingress side.

Currently, we also have:

- Egress sampled netflow on c12000 Engine3 linecards

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s24/12soutfl.htm

- NetFlow for Multicast (with egress)

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/nfmultic.htm

And, yes, generic "Egress Netflow" is planned for future releases of 12.2S and 12.3T.

I hope this information is helpful to you.

Many regards

Alex

New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

We have NFC 4.0 (1.0) installed on the appliance with the Linux OS (Kernel 2.4.18-3 on an IE 2100) rel 7.3

The NDA is installed on a sun box with solaris version 2.8 and NDA version 3.6 (1)

The problem we are facing is that the NDA is not able to communicate with the Collector. The collector state is shown as unknown and comes up with an error saying could not open connection to collector (IP) on port 8550 as user nfcuser.

We are able to mount the collector (manually) on the NDA and see its contents and the collector and NDA are on the same subnet.

Will be a great help if you can throw some light on the areas to troubleshoot for this issue.

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Ravi

There are known issues with config and control protocol that cause this.

As there is no further engineering on NDA, a decision has been made not

to fix this. We recommend customers, who are interested in the NDA functionality,

to migrate to NFC5.0, which has Web GUI and reporting capabilities.

You can find more on NFC5.0 at

http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/ps5655/index.html

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cns_nfc/rel_5/index.htm

NFC5.0 Linux version will be out in March, per the current schedule.

Many regards

Alex

New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hello,

I am using netflow to monitor bandwidth consumption of some servers in our datacenter. I just noticed that the servers running streaming services sometimes present strange flow values (much higher than the total bandwidth - like 100 times). I am exporting the flows each 5 minutes (not waiting for the flow to finish). Is there any issue with streaming protocols in netflow version 5? How can I troubleshoot this problem with no impact in the environment?

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hello Marcos

To troubleshoot this, more info needs to be collected about the issue.

From your description it looks like you see wrong byte counters in some flows.

What is the percentage of the problematic flows? How frequently do you see them?

Are you looking at these flows on the collector? Do you use Cisco NFC for this?

Please give an example of the problematic flow in details, e.g. DetailCallRecord

from Cisco NFC. Also, more information about the exporting device is needed,

hardware and software involved, the config. You can send this to me via email.

Many regards

Alex

New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

It was discovered that Netflow offers many features e.g. WAN monitoring, billing etc and is currently used to monitor WAN traffic. Unfortunately, this data is only viewed within the router and not extracted to another computer.

Are there any third-party or Cisco solutions that would facilitate the collection and reporting of this data within a Windows 2000 Server computer.

Is it possible to configure HP Openview to capture and review Netflow data? If so, what configurations are required?

Thanks

Ian-Keith

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hello Ian-Keith

Yes, you certainly need an NMS application to use NetFlow data more effectively.

You can find a list of "NetFlow NMS Applications and Partners" at:

http://www.cisco.com/warp/public/732/Tech/nmp/netflow/netflow_nms_apps_part.shtml

(this can be reached from http://www.cisco.com/go/netflow)

A number of 3rd party solutions are for Windows.

Cisco does not have a Windows-based collector.

In regards to HP OpenView, it's a large product family

and some of the products have certain NetFlow support.

For more details, please check out the HP link from the URL above.

Many regards

Alex

New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

I'm using nde on two 6500s running native 12.1(13)E11. nextHop and outputint is set to 0 in all flows. I've seen bugIDs for the same problem with CatOS, but nothing for native. Is this a known problem, and if so, is there a fix?

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Edmund

Those are so-called "additional" fields on cat6k, which you need

to enable separately. Please doublecheck that it's enabled, according to:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/nde.htm#88854

Many regards

Alex
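A collector-side check for the two symptoms raised in this thread (byte counters far above link capacity, and nextHop/output interface exported as 0), added here as an illustration and not code from Cisco or from any poster. It decodes a NetFlow v5 export datagram using the standard v5 header and record layout; the sample datagram, the 100 Mbit/s link speed and all function names are constructed assumptions.

```python
import ipaddress
import struct

# NetFlow v5 wire layout, network byte order: 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Decode one v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header count exceeds records present")
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _p1, _flags, proto, _tos, _sas, _das, _sm, _dm,
         _p2) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "nexthop": str(ipaddress.IPv4Address(nexthop)),
            "in_if": in_if, "out_if": out_if,
            "pkts": pkts, "octets": octets,
            "sport": sport, "dport": dport, "proto": proto,
            # first/last are sysUptime in ms; the mask handles counter wrap
            "duration_ms": (last - first) & 0xFFFFFFFF,
        })
    return flows


def audit(flows, link_bps):
    """Summarise both symptoms for one datagram's worth of flows."""
    unset = [f for f in flows
             if f["nexthop"] == "0.0.0.0" and f["out_if"] == 0]
    over = []
    for f in flows:
        # Floor the duration at 1 s so single-packet flows do not divide by 0.
        secs = max(f["duration_ms"], 1000) / 1000
        if f["octets"] * 8 / secs > link_bps:
            over.append((f["src"], f["dst"]))
    return {
        "unset_forwarding": len(unset),
        "all_unset": bool(flows) and len(unset) == len(flows),
        "over_rate": over,
    }


def sample_datagram():
    """Constructed input: two 300 s flows, nexthop and output left at zero."""
    def rec(src, dst, octets):
        return RECORD.pack(ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed,
                           bytes(4), 1, 0, 1000, octets, 1000, 301000,
                           1025, 554, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    header = HEADER.pack(5, 2, 400000, 1077000000, 0, 1, 0, 0, 0)
    return (header
            + rec("10.0.0.5", "192.0.2.10", 1_500_000)
            + rec("10.0.0.9", "192.0.2.20", 4_000_000_000))


if __name__ == "__main__":
    # Assumed link speed: 100 Mbit/s.
    print(audit(parse_v5(sample_datagram()), 100_000_000))
```
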

New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Thanks, that worked. What's the logic in not having this on by default?

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Edmund,

It was decided to have it off by default due to some additional processing involved.

Many regards

Alex

New Member

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Could you discuss the similarities and differences between netflow and sflow?

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Cameron

Both sFlow and NetFlow provide a way of traffic monitoring and stats collection.

Cisco NetFlow is a de-facto standard in the industry. NetFlow v9 was selected

by IETF IPFIX working group to be a foundation for the Standard RFC development.

sFlow was developed by InMon, it's described in the Informational RFC 3176,

unlikely to ever become a standard.

NetFlow is more widely adopted. The main supporter of sFlow, Foundry, has recently

implemented NetFlow as well.

sFlow uses sampling to gather statistical traffic information, utilizing

first 128 bytes of the packet. Note, that Foundry does not recommend to change the

default sampling rate 1/8192 (higher platforms), due to excessive CPU load.

Sampling is mandatory with sFlow, with NetFlow you have a choice of using it.

Both sFlow and NetFlow have a performance impact.

There is no difference in the reliability of export, both use UDP.

The main advantage of sFlow is its ability to collect Layer 2 and non-IP (IPX, Appletalk..) information, while NetFlow is only for IP.

Some of the NetFlow advantages:

- various aggregations at the device level

- random sampling (vs deterministic sampling with sFlow)

- extensibility with NetFlow v9

- flow filtering to get stats on a subset of flows only

- widely adopted (many hardware and software vendors)

- can co-exist with port monitoring (not a case with sFlow)

I hope this provides the essential overall picture.

Many regards

Alex

ovt Bronze

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Alex!

I have some questions about memory impact of NetFlow on Cisco routers. What is the typical size of a single NetFlow record in bytes? Could you please give me recommendations on the "ip flow-cache entries" parameter for 64MB 2600 router?

Also, it would be nice to know memory impact of the "ip accounting" compared to NetFlow. How much memory is consumed by a single "ip accounting" record?

Thank you.

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Oleg,

A typical size of a single netflow record is 64 bytes.

The default netflow cache size is 64K entries, but it varies per platform,

e.g. it is 4K on lower platforms (like on c2600 for example).

You can see actual value in "sh ip cache flow" (active+inactive).

There you can also see the total size in bytes, which includes netflow cache size plus hash table size.

Hash table size is 4 bytes*number_of_entries at max.

The following algorithm is used to ensure that free flow entries are always available.

Each time a new flow is taken from the free flow queue, the number of free flows is checked.

If only a few free flows remain, NetFlow attempts to age 30 flows using an accelerated timeout.

If only one free flow remains, NetFlow automatically ages 30 flows regardless of their age.

We recommend not to change the default cache size!

But, generally, look for "flow alloc failures" in "sh ip cache flow"

and then you can think about an increase, if needed.

In regards to IP Accounting, it's an old technology, which provides less info

and does not have a notion of flow; it's less scalable (does not support dCEF).

IP Accounting record is up to 28 bytes max. You can control the memory usage by setting a threshold.

It's a pull model (poll via SNMP), while NetFlow is a push model (export via UDP).

Many regards

Alex
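A simplified model of the free-flow aging behaviour described in the reply above, added as an illustration and not Cisco's implementation. The 64-byte record, the 4-byte hash entry and the batch of 30 come from the reply; the "few free flows" threshold, the accelerated timeout value and all names are assumptions.

```python
from collections import OrderedDict

RECORD_BYTES = 64   # typical record size, from the reply
HASH_BYTES = 4      # hash table cost per entry (upper bound), from the reply
AGE_BATCH = 30      # flows aged per pass, from the reply
LOW_WATER = 8       # ASSUMPTION: what "only a few free flows" means
FAST_TIMEOUT = 5    # ASSUMPTION: accelerated inactive timeout, in seconds


def cache_bytes(entries):
    """Upper-bound memory for a cache of `entries` flows plus its hash table."""
    return entries * (RECORD_BYTES + HASH_BYTES)


class FlowCache:
    def __init__(self, entries):
        if entries <= AGE_BATCH + 1:
            raise ValueError("model needs a cache larger than one aging batch")
        self.free = entries
        self.active = OrderedDict()  # flow key -> last-seen time, oldest first
        self.accelerated = 0         # flows aged by the accelerated timeout
        self.forced = 0              # flows aged regardless of their age

    def _age(self, now, min_idle):
        """Expire up to AGE_BATCH flows idle for at least min_idle seconds."""
        aged = 0
        for key in list(self.active):
            if aged == AGE_BATCH:
                break
            if now - self.active[key] >= min_idle:
                del self.active[key]
                self.free += 1
                aged += 1
        return aged

    def packet(self, key, now):
        """Account one packet of flow `key` seen at time `now` (seconds)."""
        if key in self.active:
            self.active[key] = now
            self.active.move_to_end(key)
            return
        # New flow: take an entry from the free queue, then check what is left.
        self.free -= 1
        self.active[key] = now
        if self.free <= 1:
            self.forced += self._age(now, 0)
        elif self.free <= LOW_WATER:
            self.accelerated += self._age(now, FAST_TIMEOUT)


def flood(entries, new_flows):
    """Feed `new_flows` distinct flows at the same instant into a fresh cache."""
    cache = FlowCache(entries)
    for i in range(new_flows):
        cache.packet(("10.0.0.1", "192.0.2.1", 6, 1024 + i, 80), now=0)
    return cache


if __name__ == "__main__":
    print("4K-entry cache:", cache_bytes(4096), "bytes")
    c = flood(64, 200)
    print("forced:", c.forced, "active:", len(c.active), "free:", c.free)
```
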

Silver

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

How do/can I use Netflow on a 3550 switch?

Cisco Employee

Re: ASK THE EXPERT- CISCO NETFLOW TECHNOLOGY

Hi Olorunloba

NetFlow is not supported on cat3550 platform.

You may consider using cat4500 with SupIV and Netflow Services Card.

Many regards

Alex
