Does anybody know when a router sends NDE export datagrams to the Collector? Cisco configuration guide says that it'd occur every 15 seconds or when the number of flows reaches a predetermined maximum. What I'm not sure about is the 2nd part of that statement "predetermined maximum". Does anybody know what that "predetermined maximum" is? Or where do we set that up?
On the cat6k, the "predetermined maximum" or minimum is referring to the "ip flow-cache timeout ***" and "mls aging ***" global configs, for the router and switch portion respectively. The one with the 15 seconds default is "ip flow-cache timeout inactive". Your NetFlow reporting tool vendor often has specific values that they want you to set these parameters to, in order to work well with their particular product.
I got that 15 seconds part. Perhaps I didn't state my question clearly. What is the predetermined maximum number of flows that when that number is reached, NDE will export those aged/expired flows to the Collector?
To my understanding when I read the manual, it means that if the maximum of flows is reached before the 15 seconds time period is up, NDE will export the flows. Is this correct? If yes, I'm looking for that "predetermined" number.
I don't think any of the maximum or minimum on flow expiration/export can be based on "number" of flows:
"NetFlow uses four rules to decide when to remove a flow record from router memory and report it to the collection station: 1) when TCP flags (FIN or RST) indicate flow termination, 2) 15 seconds (configurable 'inactive timeout') after seeing the last packet with a matching flow ID, 3) 30 minutes (configurable 'active timeout') after the record was created to avoid staleness and 4) when the memory is full."
A NetFlow export packet is held on the router for up to one second pending the expiry of further flows which can be added to the same export packet. This helps to avoid lots of one-flow exports.
The export packet is transmitted once it's full, or one second after the first flow was written in, whichever comes first.
"predetermined maximum" means the export packet is full and cannot contain any more flows. As such, it's not something that can be directly configured by the user.
See "How and When Flow Statistics Are Exported" here:
I now understand the "predetermined" part, but the time intervals got me confused. I found 3 different numbers for this: 30 secs, 15 secs, and now 1 sec. I don't remember where I found the 15 secs from, but pretty sure it's from Cisco website. 30 seconds is in the "Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SX", chapter 52 Configuring NDE (52-7).
So, which one is the correct one? Or does it depend on the platform? It's not a big deal, but it's "mind bugging". In my opinion, either 15 or 30 secs makes more sense though. :) Thanks!
Remember that there are the active and inactive flow timeouts - flows are expired from the cache if they continue to be active for longer than the active timeout (to ensure the collector is aware of them), or if they're inactive for the inactive timeout (i.e., no new packets arrived for the flow).
These times are configurable by the user on a per-cache basis.
The one second time applies after the first flow is written into a new export packet. The packet is held for up to one second pending the expiry of further flows.
Note that this delay has no effect on the data since each flow contains its own start and stop times.
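
The expiry and export timing discussed across this thread, as an added simulation that is not part of any post and is not Cisco code. The 30-record packet capacity is an assumption (the NetFlow v5 datagram limit), the class and method names are hypothetical, and the memory-full rule is not modelled.

```python
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15.0      # seconds; default quoted in the thread
ACTIVE_TIMEOUT = 30 * 60.0   # seconds; default quoted in the thread
PACKET_HOLD = 1.0            # seconds a partly filled export packet is held
MAX_RECORDS = 30             # assumption: records per NetFlow v5 datagram

@dataclass
class Flow:
    first: float   # time of the first packet in the flow
    last: float    # time of the most recent packet

class Exporter:
    def __init__(self):
        self.cache = {}       # flow key -> Flow
        self.pending = []     # expired records waiting in the export packet
        self.opened = None    # when the first record entered that packet
        self.sent = []        # (send_time, reason, record_count)

    def _send(self, when, reason):
        self.sent.append((when, reason, len(self.pending)))
        self.pending, self.opened = [], None

    def _expire(self, key, now):
        flow = self.cache.pop(key)
        if not self.pending:
            self.opened = now
        # Each record keeps its own start and stop times.
        self.pending.append((key, flow.first, flow.last))
        if len(self.pending) == MAX_RECORDS:   # the "predetermined maximum"
            self._send(now, "packet full")

    def tick(self, now):
        """Advance the clock: flush a held packet, then age the cache."""
        if self.pending and now - self.opened >= PACKET_HOLD:
            self._send(self.opened + PACKET_HOLD, "hold timer")
        for key, flow in list(self.cache.items()):
            if (now - flow.last >= INACTIVE_TIMEOUT
                    or now - flow.first >= ACTIVE_TIMEOUT):
                self._expire(key, now)

    def packet(self, now, key, fin_or_rst=False):
        """Account one observed packet; FIN/RST ends the flow at once."""
        self.tick(now)
        flow = self.cache.setdefault(key, Flow(now, now))
        flow.last = now
        if fin_or_rst:
            self._expire(key, now)
```

Expiry is evaluated only when `tick` or `packet` is called, so drive the clock at the resolution you care about.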