Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
692
Views
0
Helpful
3
Replies

Netflow operation

bberry
Level 1
Level 1

‎06-04-2008 05:41 AM

We are currently evaluating Netflow collector programs and have a generic question. Should I be able to see and account for total data transferred through netflow data? We have been working with a 1Gb sample to understand how Netflow is configured and reports. The reporting always seems to be much smaller that the data sample we are using. The basic setup we are using is as follows..

Netflow configured on a remote 3640 router. We have added ip route-cache flow to both the serial and Fast Ethernet interfaces. I am exporting to a server here at corporate where the collector software is running. I am showing datagrams being exported to my collector. I am copying the large test file from our corporate office to a server on the remote LAN. The transferr takes several hours and I would expect the total bytes reported transferred to be the same or larger that the sample file. We are however consistently seeing a smaller value.

Is there something that I am missing? Should I not be able to account for 100% of the traffic flowing in / out of either link? Management wants to make sure that if we are going to use these types of tools that the reporting be accurate.

Brent

Labels:
0 Helpful
3 Replies 3

Jan Nejman
Level 3
Level 3

‎06-04-2008 07:09 AM

Hello,

did you see data from both interfaces, or only from one interface? What is you active timeout configuration on cisco? (I recommend set active timeout in the range from 1 to 2 minutes). I can offer you a test with another analyzer, so you can compare results (if problem is in the netflow configuration on your router or in the analyzer). Please, feel free to contact me directly (my email is nejman@caligare.com) Test can be done in several minutes... ;-)

Do you have disabled a netflow sampling?

Kind regards

Jan Nejman

Caligare, Co.

http://www.caligare.com/

0 Helpful

bberry
Level 1
Level 1
In response to Jan Nejman

‎06-04-2008 07:42 AM

Jan,

Yes I have data from both the Serial and FastE interfaces. Other than the following everything on the Cisco is default. What does lowering the active timeout do? I am not sure about disabling a netflow sample.

ip flow-export source Loopback0

ip flow-export version 5

ip flow-export destination 172.16.4.4 2055

0 Helpful

Jan Nejman
Level 3
Level 3
In response to bberry

‎06-04-2008 07:46 AM

Try the following:

router(config)# ip flow-cache timeout active 1

router(config)# ip flow-cache timeout inactive 10

Maybe you get a better result.

Jan

0 Helpful
Customers Also Viewed These Support Documents