Had a customer call in the other day with a NetFlow billing question. Apparently his Cisco router is sending over 50,000 flows per second during peak hours. This is some serious high-volume NetFlow. His fancy, expensive NetFlow collector couldn’t handle the volume, and so we were one of the vendors he turned to.
I asked if he had considered getting away from exporting all of the flows and tried exporting only counters per subnet.
We led him to a Flexible NetFlow (aka FnF) configuration that solved his problem. With FnF, you can use the source and destination prefix as key fields (match), so the router keeps one cache entry per subnet pair instead of one per conversation. To understand the following, watch this video on setting up Flexible NetFlow. Here is the FnF configuration we used:
Step 1: define the record (key fields are the match lines, counters are the collect lines)
flow record subnets
 match ipv4 source prefix
 match ipv4 destination prefix
 collect counter bytes
 collect counter packets
Step 2: define the monitor that uses the record and points at an exporter
! the flow exporter named export-to-mikek (destination and transport) is configured separately and not shown here
flow monitor subnets
 description app traffic analysis
 record subnets
 exporter export-to-mikek
 cache timeout active 60
Step 3: apply the monitor to the interface in both directions
int fa0/0
 ip flow monitor subnets input
 ip flow monitor subnets output
Within 60 seconds (the active timeout set above), the template came into Scrutinizer.
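To show what that record does to the volume, here is an added Python model of the FnF cache (not code from the original post or from Scrutinizer). It assumes a constructed routing table, because "ipv4 source/destination prefix" is taken from the router's longest-match route for each address, and constructed sample flows.

```python
import ipaddress
from collections import defaultdict

# Constructed routing table standing in for the router's FIB: FnF derives
# "ipv4 source prefix" / "ipv4 destination prefix" by longest-prefix match.
ROUTES = [ipaddress.ip_network(p) for p in (
    "10.1.0.0/16", "10.1.20.0/24", "192.0.2.0/24", "0.0.0.0/0")]

def route_prefix(addr):
    """Longest-prefix match of addr against ROUTES (the lookup FnF performs)."""
    ip = ipaddress.ip_address(addr)
    return max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)

def aggregate(flows):
    """Emulate 'flow record subnets': key = (src prefix, dst prefix);
    non-key fields 'counter bytes' and 'counter packets' are summed per key."""
    cache = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for f in flows:
        key = (str(route_prefix(f["src"])), str(route_prefix(f["dst"])))
        cache[key]["bytes"] += f["bytes"]
        cache[key]["packets"] += f["packets"]
    return dict(cache)

def reduction(flows):
    """(input flow count, exported record count) for one cache interval."""
    return len(flows), len(aggregate(flows))

# Constructed 5-tuple flows, as a classic per-conversation cache would export them.
SAMPLE_FLOWS = [
    {"src": "10.1.20.5", "dst": "192.0.2.10",   "sport": 51000, "dport": 443, "bytes": 1500, "packets": 10},
    {"src": "10.1.20.7", "dst": "192.0.2.10",   "sport": 51001, "dport": 443, "bytes": 3000, "packets": 20},
    {"src": "10.1.3.9",  "dst": "192.0.2.11",   "sport": 51002, "dport": 80,  "bytes": 800,  "packets": 6},
    {"src": "10.1.20.5", "dst": "198.51.100.1", "sport": 51003, "dport": 53,  "bytes": 120,  "packets": 2},
]

if __name__ == "__main__":
    for key, counters in aggregate(SAMPLE_FLOWS).items():
        print(key, counters)
    print("flows in -> records out:", reduction(SAMPLE_FLOWS))
```

Ports and interfaces never reach the exporter because they are not in the record; that is exactly what makes some collectors discard these templates.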
The above reduced the flow volume down to a few hundred flows per minute. Most NetFlow collectors will drop all NetFlow that doesn’t contain certain fields:
Bytes
Packets
Src Interface
Dst Interface
Src Port
Dst Port
Src IP Address
Dst IP Address
Protocol
Scrutinizer NetFlow Analyzer is not limited to any particular set of fields. This is why we can collect and display things like NetFlow option templates containing interface names, NetFlow NBAR, exporter statistics, etc. Make the switch to Scrutinizer and stop overpaying for NetFlow traffic analysis.