Over 440 NetFlow exporting routers
Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis on November 25th, 2009 by mike@plixer.com
A NetFlow collector that can scan is important for many of our larger customers. Nearly 500 of our customers are collecting Cisco NetFlow and/or sFlow from over 100 devices. We understand that a NetFlow analyzer solution that can scale is important.
Scrutinizer Scales
I was working with a government customer last week. Check out the vitals on his Scrutinizer, which is receiving NetFlow from 440 routers with a combined 1736 interfaces. You might be surprise how often I see a huge volume of routers and a fairly light aggregate NetFlow volume. As you can see, Scrutinizer was chugging right along.
Here is another customer with 40 routers and 360 interfaces using Scrutinizer v6.
Notice above that they are receiving over 20,000 flows per second. This is well over 1M flows per minute.
What to Watch For
Routers sending over 200 UDP NetFlow datagrams (about 6000 flows per second) create very large tables in the database. When these individual tables become too large it can lead to slower response times in the front end when reporting. This is why reporting on an edge router is fast and reporting on a core router can take a few extra seconds. Scrutinizer provides insight on this dilemma by breaking down flow volume:
- per collector
- per listening port (e.g. 2055)
- per router
We also pay attention to dropped flows in the same fashion. NetFlow reporting tools worth their salt should provide this information as well. I’ll blog about that later. For now, note the MFSN trend in the screen capture above.
Summary
I once saw a customer with only two catalyst switches and over 2000 interfaces with a single copy of Scrutinizer. Now that is getting your money’s worth from our unique licensing. Scrutinizer scales for some of the largest networks in the world.
Scrutinizer Product Manager
Follow Me on Twitter
