A NetFlow collector that can scale is important for many of our larger customers. Nearly 500 of our customers are collecting Cisco NetFlow and/or sFlow from over 100 devices. We understand that a NetFlow analyzer solution that can scale is important. I have three installations to tell you about.
I was working with a government customer last week. Check out the vitals on his Scrutinizer, which is receiving NetFlow from 440 routers with a combined 1736 interfaces. You might be surprised how often I see a huge volume of routers and a fairly light aggregate NetFlow volume. As you can see, Scrutinizer was chugging right along.
Below is a customer exporting from over 1700 routers to one copy of Scrutinizer. Notice the number of interfaces!
Below is another customer with 40 routers and 360 interfaces using Scrutinizer v6.
Notice above that they are receiving over 20,000 flows per second. This is well over 1M flows per minute.
What to Watch For
Routers sending over 200 UDP NetFlow datagrams (about 6000 flows per second) create very large tables in the database. When these individual tables become too large, reporting in the front end responds more slowly. This is why reporting on an edge router is fast and reporting on a core router can take a few extra seconds. Scrutinizer provides insight on this dilemma by breaking down flow volume:
- per collector
- per listening port (e.g. 2055)
- per router
We also pay attention to dropped flows in the same fashion. NetFlow reporting tools worth their salt should provide this information as well. I’ll blog about that later. For now, note the MFSN trend in the screen capture above.
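The same breakdown can be reproduced outside the product. The sketch below is an added example, not Scrutinizer code: it assumes NetFlow v5 framing, counts flows per listening port and per router, and infers dropped flows from gaps in the v5 header's `flow_sequence` counter. The function names and the sample datagrams are constructed for illustration.

```python
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, flow_sequence, engine type/id, sampling
V5_RECORD_LEN = 48

def make_v5(count, flow_sequence, unix_secs):
    """Build a constructed v5 datagram (zero-filled records) as sample input."""
    return V5_HEADER.pack(5, count, 0, unix_secs, 0, flow_sequence, 0, 0, 0) + bytes(V5_RECORD_LEN * count)

def tally(datagrams):
    """datagrams: iterable of (listen_port, router_ip, payload).
    Returns {(port, router): {"flows", "missed", "first", "last"}}."""
    stats, expected = {}, {}
    for port, router, payload in datagrams:
        if len(payload) < V5_HEADER.size:
            continue  # too short to hold a v5 header
        version, count, _, secs, _, seq, _, engine_id, _ = V5_HEADER.unpack_from(payload)
        if version != 5 or len(payload) != V5_HEADER.size + count * V5_RECORD_LEN:
            continue  # not v5, or length disagrees with the record count
        s = stats.setdefault((port, router), {"flows": 0, "missed": 0, "first": secs, "last": secs})
        seq_key = (port, router, engine_id)  # the counter is kept per export engine
        if seq_key in expected:
            gap = (seq - expected[seq_key]) % 2**32  # counter is 32-bit and wraps
            if gap < 2**31:  # forward jump: that many flows never arrived
                s["missed"] += gap
        expected[seq_key] = (seq + count) % 2**32  # late or restarted senders just resync
        s["flows"] += count
        s["first"], s["last"] = min(s["first"], secs), max(s["last"], secs)
    return stats

def flows_per_second(s):
    """Average rate over the export timestamps seen (inclusive of both ends)."""
    return s["flows"] / (s["last"] - s["first"] + 1)

def rollup(stats, by):
    """by=0 totals per listening port, by=1 per router; values are (flows, missed)."""
    out = defaultdict(lambda: [0, 0])
    for key, s in stats.items():
        out[key[by]][0] += s["flows"]
        out[key[by]][1] += s["missed"]
    return {k: tuple(v) for k, v in out.items()}

# Constructed sample: router .1 loses one 30-flow datagram (sequence 60..89).
SAMPLE = [
    (2055, "192.0.2.1", make_v5(30, 0, 1000)),
    (2055, "192.0.2.1", make_v5(30, 30, 1001)),
    (2055, "192.0.2.1", make_v5(30, 90, 1002)),
    (2056, "192.0.2.2", make_v5(10, 500, 1000)),
    (2056, "192.0.2.2", make_v5(5, 510, 1001)),
]
```

Summing the per-port totals gives the per-collector figure. A router whose missed count keeps climbing is losing datagrams somewhere between the exporter and the collector's socket.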
I once saw a customer with only two Catalyst switches and over 2000 interfaces with a single copy of Scrutinizer. Now that is getting your money’s worth from our unique licensing. Our Linux NetFlow Collector can handle over 90,000 flows per second, which is why Scrutinizer scales for some of the largest networks in the world.