Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Cisco Netflow Technology with Alex Vassiliadis. Alex is a Technical Assistance Center (TAC) customer support engineer at Cisco Systems, Inc. NetFlow is one of his areas of expertise. Alex joined Cisco in 2000 after having several years of experience in network troubleshooting and design. Remember to use the rating system to let Alex know if you've received an adequate response.
Alex might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 27. Visit this forum often to view responses to your questions and the questions of other community members.
1. I have got two XP Home machines and one 98 laptop linked to an Origo
ADSL router. The XP machines are set to obtain IP address automatically
which they do (one is set to '192.168.0.5' and the other
'192.168.0.7'). The 98 laptop should be coming up on the ipconfig as '192.168.0.6' but
instead it comes up as '0.0.0.0'? I have pinged the laptop's network
card and got a reply but I get no reply from the XP machines. I've
checked the cables and they are fine so I am pretty much stuck.
2. Just network. It goes from cable modem to hub, my main computer is
also connected to hub and so is my wireless router. For some reason
everything works fine for 3-5 hrs, but then all of a sudden everything stops
and I do mean everything. The only way to get network to come back is
to reboot my main computer which has a RealTek Rt18139 nic card. Could
you give me insight to why that one nic card is fouling up the whole
system every 3-5 hrs. I know it's the nic card because as soon as I reboot
the computer with it everything comes back on-line. I just don't see
how a nic card that is just connected to a hub is inadvertently causing
everything to stop. I know it's not the cable modem because I called
them before I rebooted and they said it was fine. I'm on a custom built
computer, it's a AMD2600 on a 57 Triton GA-tvt600 motherboard. The hub is
a netgear DSs104 and the router is a SMC7004 and I recently changed to
a Toshiba PX2600 cable modem. Please tell me what is going on and how
to fix it. My cable modem service provider is also baffled because one
nic card on a hub shouldn't affect the entire network.
3. Hi! I have been having this problem since I got my Gateway
computer. I have 3 computers and all hook up to a Netgear Wireless router and
this router connected to a DSL modem. First let me introduce these 3
Gateway 1GHZ with D-link NIC Card. 10/100 Mps. Running XP Pro. (bootleg
version) Which this computer is closest to the router?
Sony Vaio 1.6 GHZ Laptop Running factory XP Pro. and using both Netgear
Wireless PCMCIA and Built in Ethernet Port. (not at the same time)
Gateway 2.4GHZ running factory XP Home, connected to the router via
built-in Ethernet port. (Just got this machine 2 days ago.)
All versions of Windows have the SP1 upgrade.
1st - I get internet access for all three computers.
2nd - When I log on to the router menu page, all 3 computers have unique IP
3rd - I am able to ping each address from all 3 computers.
4th - All 3 computers are on the same workgroup. Configured either
manually or used the wizard.
5th - I am able to see all 3 computers on my Gateway machine ONLY.
6th - All computers have folders that are shared.
7th - File sharing was turned on at all computers.
8th - XP built-in firewall was disabled.
9th - All computers have the same user names and password, and this
user has admin profile.
1st. Only able to see all 3 computers on the gateway machine ONLY.
2nd. Unable to browse the network workgroups via the other 2 computer.
Saying I do not have permission to browse the selected network. contact
3rd. Unable to see your own share folders from "view workgroup
computers" with my vaio and dell if I have them on the same workgroup. But
if I can workgroup for VAIO and DELL, I am able to see myself but not
4th. When attempting to gain access from Gateway to my other 2
computers on my workgroup. I am able to see my own share folders for Gateway,
but when I try access my share folder from Vaio and DELL (remember
Gateway is the only computer which can see the other computers from the same
workgroup). It comes back saying the "\\WORKGROUP is not accessible.
You might not have permission to use this network resource. Contact the
administrator of this server to find out if you have access permissions.
THE NETWORK PATH WAS NOT FOUND." (for VAIO and DELL)
5th. I can do a search computer at Gateway using XP's Search feature. I
am able to find those computers (VAIO and DELL) but when I click on
them, it gives me the same message that I mentioned earlier
6th. When I do a search at DELL or VAIO (Like I did with my Gateway) I
can not find the others.
7th. The most funny part is I am able to take my VAIO to work and hook
up to a simple Hub and I am able to share file with my old 400MHz
Micron at work running windows98.
ANY ONE HAS ANY IDEA???
4. I have a computer that has always connected to a domain. I have
changed the domain to a workgroup and cannot log into the computer. I have
logged into the admin account and it doesn't show the previous
account/profile that I have been logging into for a long time now, very
strange. In order to get back into that profile do I have to be within the
domain on the Admin Account and change out of the workgroup to the domain
+ reboot + log in with my original user account? Where did the profile
go? It exists under Documents and Settings folder, but not under user
profiles in sys properties... Have I lost it all. PS. If I cannot get
into the previous account... There are about 2 years worth of emails. (MS
Outlook) Can I get to them and save them...? Is there a way I can
Re-install or repair the TCP/IP Protocol and/or Drivers for Windows XP Home
5. I am trying to set up home networking with all of us sharing the
net. Both my modem (Direcway) and the router have DHCP. Is that a problem?
I can access the net when I hook the modem directly to my computer, but
when I run it through the WAN on the D-link router I lose everything
unable to access the net. I am able to ping the router with a response, so
it confuses me to why the net is lost when I hook it up to the router. I
am running XP Pro, my mother's is XP Home and 2 other pcs are running
ME. Do you think I should start from square one again and run the home
networking wizard on all 4 computers first, then add the internet after
the networking is established? I hope someone can help, I know this is
probably just something really simple that I am missing.
6. Weird problem and could use anyone's Explorer expertise.
System: PC with Win2000, IE 6. do use windows auto update feature for
Problem: Click to start IE and begins to load then comes up with red x
box with msg SYSFADER: IEEXPLORER.EXE Application Error. Underneath says
The instruction at 0x782f3439 referenced memory at xxxxxxxx (varies each
time) The memory could not be read. Click ok to terminate program.
Happens every time, tried deleting IE and reloading, however every time I
delete and reload it, during the reload process it says IE is still there
and do you want to overwrite it?, which I do. No effect. Netscape works
fine as do all my other internet/email links. Nothing that I am aware
of changed, no new programs or downloads, however this is my children's PC
so who knows. Weird? I suspect the problem is in IE but cannot seem to
delete it properly.
7. When installing something for example, office 2000. It says I don't
have accessibility to install it. And when trying to disable my LAN
connection it won't disable for me. What is the problem? Do you have to
change stuff in the users and passwords?
8. Hi! Can anyone tell me why after some time from Windows XP
installation, I can't open the folders from network computers? I can see the
computers on the network, I can see their content, but when I try to open
a folder it takes about 15 min.!!! I started all the services to be
sure if not one of them blocking the network but the problem persists. If I
install a fresh WinXP it works until 3-4 restarts. In Win98SE or
Win2000 it works just fine. Any Idea?
9. Have recently successfully created a LAN (AMD-XP) and (P3). I have
also bought a new GeForce 440 MX graphics card for the AMD and XP which
replaced the GeForce 2 ON BOARD. I created the network mainly for gaming.
I was wondering is there any way the pentium 3 can use the onboard
GeForce 2 with hardware sharing?
10. How do I prevent people on the net from seeing my IP address/ or
how do I prevent a website from knowing exactly what my IP address is?
11. I have 3 PCs connected to a Linksys cable router. All get to the
internet fine. PC 1 & 2 are XP. PC 3 is laptop with Win95. All PC's using
TCP/IP. None using Netbios or Netbeui.
Problem: I can share files with the XP PCs. But cannot see the Win95 C
from the XP's and vice versa. On the 95, network neighborhood shows
computer. I have one computer using Win XP Pro, one with Win XP Home, and
one with Win98SE. My internet connection is DSL and I'm set up as
Internet - Modem - Linksys Router - to 3 computers using CAT5E cables.
All 3 computers connect to the internet and I have no problems there.
When I try and set up a home network, I use the wizard, I shared my
pictures, music and one laser printer. When the wizard completes, it says it
is bridging the connection. Once that's done, I used my XP disc to set
up the network on Win98 computer and then the same with the WinXP Home
computer. Everything worked fine and we have the network running.
Then at night the computer is shut down. In the morning when it is
booted up, I can't get on the internet (My Win XP Pro computer) I deleted
the bridged connections and set up the internet again. I'm on the
internet, but we are not networked. The other 2 computers when booted up, are
not on any network (and nothing was changed on them). They have internet
access with no problem. I used the wizard again and set up the network
and everything worked again. But as soon as my computer is shut down
and started up again, I run into the same problem. Am I doing something
wrong in my hardware connections or something in my setup?
Hello Mary Jane
Thanks for writing to us. This forum is intended for
any questions related to Cisco NetFlow, you can find
more about it at http://www.cisco.com/go/netflow
As your questions are not related to the
subject, please try to post them to other
more appropriate forums.
Many thanks in advance
Just to check, what is the difference between Netflow and CEF? I noticed that some platforms (i.e. cat45xx?) got a netflow feature card. Does that mean netflow is hardware dependent? Thanks!
Thanks for your question, the answer is "it depends".
NetFlow services run on top of existing switching paths:
fast-switching, CEF, dCEF. The switching may be done in software
(generally on routers) or in hardware (on switches).
Note, that on MLS switches (cat5k; cat6k with sup1a)
packet switching and NetFlow are even based on the same flow cache.
Being based on the switching path, Netflow services
on switches are also done in hardware.
The packaging varies on different switch models,
with special feature cards (Netflow Services Card WS-F4531
for cat4500 SupIV or NFFC for cat5k) and without them
On routers, NetFlow is mostly done in software.
An example of hardware NetFlow implementation on routers
is c12000 engine 4+ based linecards.
To mention, on c10000 platform, NetFlow is implemented on PXF processors.
A link about PXF on c10000 PRE
Also, note that NetFlow data export part is done in software.
I basically use Netflow for informational purposes to know what kind of traffic is flowing through my router. Is this a right usage? Also, on my 7507, I noticed that when I have cef distributed enabled, I cannot see all the flows. With just cef enabled, all the flows show. I'm afraid that I might have a performance issue as my switching is done on my RSP rather than on the line card. What do you suggest?
NetFlow has various applications, including
Accounting and Billing, Network Monitoring and planning,
Application and User monitoring and profiling,
Network Troubleshooting, Security Analysis/DoS Detection.
The usage you mentioned is one of those possible.
In regards to not seeing all flows with dCEF.
In distributed CEF mode NetFlow Services are also distributed,
and so each VIP has its own NetFlow cache table.
If you are looking at the flows from IOS CLI, then
to display NetFlow cache on the particular VIP, you need to:
- connect to the VIP with
sh ip cache flow
Please let me know if this helps.
How do you gracefully get out of the VIP to get back to the router, have tried the exit and logout commands, those do not work, just takes you back to a lets get started prompt. Any help appreciated.
Hi Alex! If we change V8 as-tos to V9 raw (no router-based aggregation or with tos-prefix) with 10x or 100x sampling, would we get any cpu/memory performance boost?
P.S. Sorry for using reply button, didn't find Post button on the page.
Thanks for participating in this event.
Changing just the export format (v9 vs v8) will
not affect performance.
Moving from non-sampled NetFlow to sampled NetFlow
will reduce CPU consumption. We've seen the following
numbers in a c7500 test:
x100 - CPU impact reduced by ~75%
x1000 - CPU impact reduced by ~82%
Turning on router-based aggregation(s) has minimal to no
impact on CPU.
Please take a look into the "NetFlow Performance Analysis" whitepaper, published recently, at:
for more details and numbers.
We are interested in looking at NetFlow data for our WAN links. We will soon have an MPLS any-any topology, requiring us to enable NetFlow on our edge routers to get the statistics we want. My current understanding is that NetFlow is an ingress-only technology, requiring us to enable NetFlow on all of our interfaces to get the WAN traffic in both directions. Are there plans to make NetFlow ingress and egress so that we would only have to enable it on our WAN interfaces?
Thanks for your question.
In MPLS/VPN topologies, you can now use MPLS Egress Netflow:
This feature is configured on an egress interface, but it is
still implemented on the ingress side.
Currently, we also have:
- Egress sampled netflow on c12000 Engine3 linecards
- NetFlow for Multicast (with egress)
And, yes, generic "Egress Netflow" is planned for future releases of 12.2S and 12.3T.
I hope this information is helpful to you.
We have NFC 4.0 (1.0) installed on the appliance with the Linux OS (Kernel 2.4.18-3 on an IE 2100) rel 7.3
The NDA is installed on a sun box with solaris version 2.8 and NDA version 3.6 (1)
The problem we are facing is that the NDA is not able to communicate with the Collector. The collector state is shown as unknown and comes up with an error saying could not open connection to collector (IP) on port 8550 as user nfcuser.
We are able to mount the collector (manually) on the NDA and see its contents and the collector and NDA are on the same subnet.
Will be a great help if you can throw some light on the areas to troubleshoot for this issue.
There are known issues with config and control protocol that cause this.
As there is no further engineering on NDA, a decision has been made not
to fix this. We recommend customers, who are interested in the NDA functionality,
to migrate to NFC5.0, which has Web GUI and reporting capabilities.
You can find more on NFC5.0 at
NFC5.0 Linux version will be out in March, per the current schedule.
I am using netflow to monitor bandwidth consumption of some servers in our datacenter. I just noticed that the servers running streaming services sometimes present strange flow values (much higher than the total bandwidth - like 100 times). I am exporting the flows each 5 minutes (not waiting for the flow to finish). Is there any issue with streaming protocols in netflow version 5? How can I troubleshoot this problem with no impact in the environment?
To troubleshoot this, more info needs to be collected about the issue.
From your description it looks like you see wrong byte counters in some flows.
What is the percentage of the problematic flows? How frequently do you see them?
Are you looking at these flows on the collector? Do you use Cisco NFC for this?
Please give an example of the problematic flow in details, e.g. DetailCallRecord
from Cisco NFC. Also, more information about the exporting device is needed,
hardware and software involved, the config. You can send this to me via email.
It was discovered that Netflow offers many features e.g. WAN monitoring, billing etc and is currently used to monitor WAN traffic. Unfortunately, this data is only viewed within the router and not extracted to another computer.
Are there any third-party or Cisco solutions that would facilitate the collection and reporting of this data within a Windows 2000 Server computer?
Is it possible to configure HP Openview to capture and review Netflow data? If so, what configurations are required?
Yes, you certainly need an NMS application
to use NetFlow data more effectively.
You can find a list of "NetFlow NMS Applications and Partners" at:
(this can be reached from http://www.cisco.com/go/netflow)
A number of 3rd party solutions are for Windows.
Cisco does not have a Windows-based collector.
In regards to HP OpenView, it's a large product family
and some of the products have certain NetFlow support.
For more details, please check out the HP link from the URL above.
I'm using nde on two 6500s running native 12.1(13)E11. nextHop and outputint is set to 0 in all flows. I've seen bugIDs for the same problem with CatOS, but nothing for native. Is this a known problem, and if so, is there a fix?
Those are so-called "additional" fields on cat6k, which you need
to enable separately. Please double-check that it's enabled, according to:
It was decided to have it off by default due to some
additional processing involved.
Both sFlow and NetFlow provide a way of traffic monitoring and stats collection.
Cisco NetFlow is a de-facto standard in the industry. NetFlow v9 was selected
by IETF IPFIX working group to be a foundation for the Standard RFC development.
sFlow was developed by InMon, it's described in the Informational RFC 3176,
unlikely to ever become a standard.
NetFlow is more widely adopted. The main supporter of sFlow, Foundry, has recently
implemented NetFlow as well.
sFlow uses sampling to gather statistical traffic information, utilizing
first 128 bytes of the packet. Note, that Foundry does not recommend to change the
default sampling rate 1/8192 (higher platforms), due to excessive CPU load.
Sampling is mandatory with sFlow, with NetFlow you have a choice of using it.
Both sFlow and NetFlow have a performance impact.
There is no difference in the reliability of export, both use UDP.
The main advantage of sFlow is its ability to collect Layer 2 and non-IP (IPX, Appletalk..)
information, while NetFlow is only for IP.
Some of the NetFlow advantages:
- various aggregations at the device level
- random sampling (vs deterministic sampling with sFlow)
- extensibility with NetFlow v9
- flow filtering to get stats on a subset of flows only
- widely adopted (many hardware and software vendors)
- can co-exist with port monitoring (not a case with sFlow)
I hope this provides the essential overall picture.
I have some questions about memory impact of NetFlow on Cisco routers. What is the typical size of a single NetFlow record in bytes? Could you please give me recommendations on the "ip flow-cache entries" parameter for 64MB 2600 router?
Also, it would be nice to know memory impact of the "ip accounting" compared to NetFlow. How much memory is consumed by a single "ip accounting" record?
A typical size of a single netflow record is 64 bytes.
The default netflow cache size is 64K entries, but it varies per platform,
e.g. it is 4K on lower platforms (like on c2600 for example).
You can see actual value in "sh ip cache flow" (active+inactive).
There you can also see the total size in bytes, which includes netflow cache size plus hash table size.
Hash table size is 4 bytes*number_of_entries at max.
The following algorithm is used to ensure that free flow entries are always available.
Each time a new flow is taken from the free flow queue, the number of free flows is checked.
If only a few free flows remain, NetFlow attempts to age 30 flows using an accelerated timeout.
If only one free flow remains, NetFlow automatically ages 30 flows regardless of their age.
We recommend not to change the default cache size!
But, generally, look for "flow alloc failures" in "sh ip cache flow"
and then you can think about an increase, if needed.
In regards to IP Accounting, it's an old technology, which provides less info
and does not have a notion of flow; it's less scalable (does not support dCEF).
IP Accounting record is up to 28 bytes max. You can control the memory usage by setting a threshold.
It's a pull model (poll via SNMP), while NetFlow is a push model (export via UDP).
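The free-flow aging rule and the memory figures from the answer above, as an added simulation that is not part of the original thread and not Cisco's implementation. `LOW_WATER` and `FAST_TIMEOUT` are assumed values (the answer only says "a few" free flows and an "accelerated" timeout), and the flow keys are constructed; it shows why "flow alloc failures" is the counter to watch when a burst of new flows fills the cache.

```python
from collections import OrderedDict

RECORD_BYTES = 64   # from the answer: typical size of one NetFlow cache record
HASH_BYTES = 4      # from the answer: hash table is at most 4 bytes per entry
AGE_BATCH = 30      # from the answer: flows aged per accelerated pass
LOW_WATER = 8       # ASSUMPTION: threshold for "only a few free flows remain"
FAST_TIMEOUT = 2.0  # ASSUMPTION: accelerated timeout, in seconds


def cache_bytes(entries):
    """Upper bound on cache memory: flow records plus hash table."""
    return entries * (RECORD_BYTES + HASH_BYTES)


class FlowCache:
    def __init__(self, entries, emergency=True):
        self.entries = entries
        self.emergency = emergency   # False models a cache without the rule
        self.flows = OrderedDict()   # flow key -> last seen, oldest first
        self.alloc_failures = 0      # like "flow alloc failures" in the CLI
        self.fast_aged = 0           # expired early by the accelerated timeout
        self.forced_aged = 0         # expired regardless of age

    def _age(self, now, min_idle):
        """Expire up to AGE_BATCH of the oldest flows idle for >= min_idle."""
        victims = [k for k, seen in self.flows.items()
                   if now - seen >= min_idle][:AGE_BATCH]
        for key in victims:
            del self.flows[key]      # a real exporter would send these records
        return len(victims)

    def packet(self, key, now):
        if key in self.flows:        # existing flow: refresh its timestamp
            self.flows[key] = now
            self.flows.move_to_end(key)
            return True
        if len(self.flows) >= self.entries:
            self.alloc_failures += 1  # no free entry: packet is not accounted
            return False
        # Free entries left once this flow has taken one from the free queue.
        free_after = self.entries - len(self.flows) - 1
        if self.emergency and free_after <= 1:
            self.forced_aged += self._age(now, 0.0)
        elif self.emergency and free_after <= LOW_WATER:
            self.fast_aged += self._age(now, FAST_TIMEOUT)
        self.flows[key] = now
        return True


def burst(entries, new_flows, gap, emergency=True):
    """Feed new_flows single-packet flows, one every gap seconds."""
    cache = FlowCache(entries, emergency)
    for i in range(new_flows):
        cache.packet(("10.0.0.1", i), i * gap)   # constructed flow keys
    return cache.alloc_failures, cache.fast_aged, cache.forced_aged


if __name__ == "__main__":
    print("4K-entry cache:", cache_bytes(4096), "bytes")
    print("no aging rule :", burst(4096, 10000, 0.001, emergency=False))
    print("slow burst    :", burst(4096, 10000, 0.001))
    print("fast burst    :", burst(4096, 10000, 0.0001))
```

Each tuple is (alloc failures, flows aged by the accelerated timeout, flows aged regardless of age): with the rule in place the cache keeps accepting new flows, at the cost of expiring existing flows early.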
NetFlow is not supported on cat3550 platform.
You may consider using cat4500 with SupIV and Netflow Services Card.