With flow monitoring becoming a practical solution for traffic analysis, numerous vendors have created their own version of flow export for their devices. Regardless of whether you are working with NetFlow, sFlow, Netstream, or jFlow; each device’s exportation method is similar.
Consider the command: ip flow-cache timeout active 1
I wanted to cover this command that is native to Cisco devices using NetFlow, simply because everyone forgets to use it. But before I rave about how important it is, just remember that this configuration can be found in various forms, across multiple vendors. Here’s a brief list:
NetFlow (routers): ip flow-cache timeout active 1
NetFlow (Catalyst switches): mls aging long 64
sFlow: polling interval 60
Netstream: ip netstream timeout active 1
J-Flow: ip flow-cache timeout active 1
The above listed examples each regulate the export of flows for their respective devices. You’ll notice how most of the ones listed all specify either 1 minute or 60 seconds. This is no accident…
With this configuration, you are specifying the device to export flow records every minute. This is important to set up, since Scrutinizer calculates utilization based on what it receives at 1 minute intervals.
If you forget to configure this, then your Cisco device, by default, will try to export flows every 30 minutes or until the flow cache becomes full, which will then bombard your collector with flows. This could really skew your interface utilization.
One nice feature we’ve included in our NetFlow analyzer is an LED, which tracks the export patterns of your devices. If you notice that the LED to the far right is blinking yellow, then there is a device that is exporting flow infrequently.
To find out which device is not exporting regularly, just click on the blinking LED. If you are 100% positive that you’ve configured your active timeouts for the device, but yet it is still posting, it is possible that there are interfaces on that device that aren’t producing enough traffic to export records every minute. Please be sure to take a look though.