A NetFlow collector that can scan is important for many of our larger customers. Nearly 500 of our customers are collecting Cisco NetFlow and/or sFlow from over 100 devices. We understand that a NetFlow analyzer solution that can scale is important.  I have three installations to tell you about.

Scrutinizer Scales
I was working with a government customer last week. Check out the vitals on his Scrutinizer, which is receiving NetFlow from 440 routers with a combined 1736 interfaces. You might be surprise how often I see a huge volume of routers and a fairly light aggregate NetFlow volume. As you can see, Scrutinizer was chugging right along.

volume of netflow being collected

Below is a customer exporting from over 1700 routers to one copy of Scrutinizer.  Notice the number of interfaces!:

Scalable NetFlow Solution

Below is another customer with 40 routers and 360 interfaces using Scrutinizer v6.

vitalsScale

Notice above that they are receiving over 20,000 flows per second.  This is well over 1M flows per minute.

What to Watch For
Routers sending over 200 UDP NetFlow datagrams (about 6000 flows per second) create very large tables in the database. When these individual tables become too large it can lead to slower response times in the front end when reporting. This is why reporting on an edge router is fast and reporting on a core router can take a few extra seconds. Scrutinizer provides insight on this dilemma by breaking down flow volume:

  • per collector
  • per listening port (e.g. 2055)
  • per router

We also pay attention to dropped flows in the same fashion. NetFlow reporting tools worth their salt should provide this information as well. I’ll blog about that later. For now, note the MFSN trend in the screen capture above.

Summary
I once saw a customer with only two catalyst switches and over 2000 interfaces with a single copy of Scrutinizer. Now that is getting your money’s worth from our unique licensing. Our Linux NetFlow Collector can handle over 90,000 flows per second which is why Scrutinizer scales for some of the largest networks in the world.

Mike Patterson author pic

Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

Related

Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply