Expanding on part 1 of the Configure NetFlow v9 for Cisco 4500 Sup7e blog, today I’ll be exploring what changes are needed to the Flexible NetFlow configuration if the data received by your NetFlow collector is understated.

As I was working with one of our Australian customers, the NetFlow data did not look right: specifically, the bandwidth utilization was understated. Vastly understated.

We reviewed the Flexible NetFlow configuration on the 4500 repeatedly and found nothing out of place or misconfigured.

Indeed, the FNF configuration was fine, but it didn’t account for the extremely high volume of flow data through this particular switch, to the extent that the NetFlow cache entries table was overflowing.

 

Let’s look at the current Cache entries size:

[cisco4500]#show flow Monitor name Scrutinizer_Monitor cache format table
Cache type:                              Normal
Cache size:                                4096
Current entries:                              0
High Watermark:                            4096

Notice that the cache size is set to 4096, and the High Watermark is at 4096? Hmmmmmmm… is the cache table filling? After repeated views of the cache size, it was evident that the table was always at 4096, i.e. always full.

So, either the cache entries were not clearing fast enough or the cache entries value was too low.

So he increased cache entries to 50000.  Still understated.

Then he decreased the inactive timeout to 5 seconds (from the default setting of 15 seconds):

flow monitor Scrutinizer_Monitor
 record NETFLOW_V9
 exporter Scrutinizer
 cache timeout inactive 5
 cache timeout active 60
 cache entries 50000

And, aha! That did it. With a combination of increasing the cache entries size to 50000 and emptying the cache table every 5 seconds, the data reported by the Flexible NetFlow Analyzer was now right on the money!

Another handy tip to remember if your Flexible NetFlow or even standard NetFlow is reporting understated data: check the cache entries table.
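The repeated check of the cache header described above can be scripted so that a full table is flagged before the collector data drifts. This is an added example, not code from the original post or from Plixer; the function names, the 95% threshold and the sample values are assumptions constructed for illustration.

```python
import re

# Header fields printed by "show flow monitor name <monitor> cache format table",
# as they appear in the output shown in this post.
FIELDS = {"Cache size": "size", "Current entries": "current", "High Watermark": "high"}

def parse_cache_header(text):
    """Return {'size', 'current', 'high'} as ints from one command output."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(\d+)\s*$", line)
        if m and m.group(1) in FIELDS:
            stats[FIELDS[m.group(1)]] = int(m.group(2))
    missing = set(FIELDS.values()) - set(stats)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return stats

def assess(samples, full_ratio=0.95):
    """Classify repeated samples of the cache header.

    'saturated'  - most samples show the table at or near its configured size,
                   so new flows are likely going unrecorded (understated data)
    'has_filled' - the high watermark reached the size at some point
    'ok'         - the table never filled
    full_ratio is an assumed threshold, not a Cisco-defined value.
    """
    parsed = [parse_cache_header(s) for s in samples]
    near_full = sum(1 for p in parsed if p["current"] >= full_ratio * p["size"])
    if near_full > len(parsed) / 2:
        return "saturated"
    if any(p["high"] >= p["size"] for p in parsed):
        return "has_filled"
    return "ok"

def make_sample(size, current, high):
    # Constructed sample output in the post's format (not captured from a device).
    return (f"Cache type:                              Normal\n"
            f"Cache size:                          {size:>10}\n"
            f"Current entries:                     {current:>10}\n"
            f"High Watermark:                      {high:>10}\n")

if __name__ == "__main__":
    before = [make_sample(4096, c, 4096) for c in (4096, 4096, 4090)]
    after = [make_sample(50000, c, 21000) for c in (18000, 21000, 17500)]
    print(assess(before), assess(after))
```

Feed it several outputs collected a few seconds apart; a single sample can only tell you that the table has filled at some point, not that it stays full.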

Have you run into this issue on any of your devices? If so, let us know so that we can help you resolve it.

Joanne Ghidoni

Joanne is a Software Quality Assurance Engineer at Plixer. She has also held positions as Technical Support Engineer and Sales Engineer since joining Plixer in 2005. Prior to joining Plixer, Joanne has had numerous positions in the IT field, including data entry, computer operator, PC coordinator and support, mainframe programmer, and also Technical Support and web programmer at Cabletron Systems. In her spare time, Joanne enjoys traveling, always seeking out new and interesting places to visit.
