Hi Reinier
--On December 20, 2007 11:24:00 PM +0100 Reinier Hamstra <[EMAIL PROTECTED]> wrote:
| All,
|
| It seems I have made a rather stupid mistake in understanding how Netflow
| for the 7600/65k works. On these platforms traffic can be forwarded in one
| of two ways, either by the MSFC ("software") or by the PFC ("hardware").
| Netflow can be configured for both of these elements in the router. Only
| flows that cannot be switched by the PFC for some reason are switched by
| the MSFC.
|
| Netflow for the MSFC is configured by adding the regular <ip flow ingress>
| and <ip cache-flow> commands to the interface to be monitored.
|
| Netflow for the PFC is configured by adding <mls nde sender version x> and
| <mls flow ip full | etc> under global config mode.
|
| I thought both configurations were necessary to allow netflow collection for
| the single interface I was testing with.....this is not the case. Having
| configured both, the MSFC was indeed collecting accurate netflow data for my
| test port through the MSFC configuration, but, it was also collecting netflow
| data for the ENTIRE router through the MLS cache which works with the PFC!
| Hence I was looking at 6 gigabits of traffic, which is the actual total
| amount of data being PFC switched through the system!
Although I'm not a CISCO guru I assumed something like that. Before I could
verify that, it seems you got it. Anyway thanks for the details on this issue.
- Peter
|
| Checked the measurements against SNMP and I am glad to see NFSen is spot on!
| Next stop: using masks :-)
|
| Cheers,
| Reinier
|
| --------------------------------------------------
| From: "Reinier Hamstra" <[EMAIL PROTECTED]>
| Sent: Thursday, December 20, 2007 8:05 AM
| To: <[email protected]>
| Subject: Re: [Nfsen-discuss] NFSen graphs displaying highly inaccurate
| traffic volumes
|
| > Using the following configuration:
| >
| > mls aging long 64
| > mls aging fast threshold 128 time 128
| > mls aging normal 300
| > mls flow ip full
| > no mls flow ipv6
| > mls nde sender version 5
| > ip flow-cache entries 131072
| > mls netflow usage notify 95 3000
| >
| > All configurations are done under the <mls> configuration section because
| > the 7600/65k uses timers configured for the mls cache instead of the
| > netflow cache directly. Configuration choices are explained below.
| >
| > mls aging long 64 - this setting provides the least erratic graphs. Long
| > aging provides aging against timer-wraparound issues that can cause
| > inaccurate results.
| >
| > mls aging fast threshold 128 time 128 - set to the maximum allowed
| > parameters for Time and Packet count. I have not yet had the chance to
| > tweak these parameters. Fast aging eliminates very short duration flows
| > that switch few packets.
| >
| > mls aging normal 300 - set to equal the default netflow export time as
| > advised by I believe Peter Haag.
| >
| > mls flow ip full - using a Full flow mask
| >
| > ip flow-cache entries 131072 - mls cache size has been set to maximum
| > size for PFC3BXL
| >
| > mls netflow usage notify 95 3000 - collecting netflow cache utilization
| >
| > Additional notes:
| > - No sampling configured. I need the full flows to be dependable and
| > accurate before I will trust/implement sampled information
| > - Netflow table utilization is often at 99%.
| > - <show ip cache flow> command output shows many inactive entries. I
| > have tried to solve this through aggressive aging through adjusting Fast
| > aging to minimum parameter value. This causes a huge amount of Flows/sec
| > to be registered, accompanied by of course a large amount of extra
| > netflow export traffic.
| >
| >
| >
| >
| >
| > --------------------------------------------------
| > From: "hjan" <[EMAIL PROTECTED]>
| > Sent: Wednesday, December 19, 2007 4:38 PM
| > To: "Reinier Hamstra" <[EMAIL PROTECTED]>
| > Subject: Re: [Nfsen-discuss] NFSen graphs displaying highly inaccurate
| > traffic volumes
| >
| >>
| >>
| >> Reinier Hamstra wrote:
| >>> Hi guys,
| >>>
| >>> I am currently test-monitoring a single 1gbit/s edge port on a 7600
| >>> peering router. Flow export, collection and presentation are all
| >>> functioning. The problem is that NFSen is graphing traffic volumes of
| >>> several Gbits/s in the default Live profile. No other profiles are
| >>> configured. Peak volume confirmed by CLI and SNMP is max 450Mbit/s. Any
| >>> ideas why I am not seeing accurate Traffic volumes? Any help would be
| >>> greatly appreciated!
| >>
| >>
| >> Netflow on 7600 could be a pain in the ass.
| >> Could you post your 7600 netflow configuration ?
| >>
| >> Regards,
| >> Gianluca
| >>
| >
| > -------------------------------------------------------------------------
| > SF.Net email is sponsored by:
| > Check out the new SourceForge.net Marketplace.
| > It's the best place to buy or sell services
| > for just about anything Open Source.
| > http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
| > _______________________________________________
| > Nfsen-discuss mailing list
| > [email protected]
| > https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
| >
|
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
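The cross-check described in the thread (flow volume against SNMP for one port), as an added example that is not part of the original messages: it parses NetFlow v5 export datagrams, the format selected by `mls nde sender version 5`, sums octets per input ifIndex, and shows how an unfiltered total overstates a single port. The ifIndex values, the one-second interval and the sample datagrams are constructed; the rates are chosen to mirror the 450 Mbit/s and 6 Gbit/s figures quoted above.

```python
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")              # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def octets_by_input_if(datagram):
    """Sum dOctets per input ifIndex for one NetFlow v5 export datagram."""
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram shorter than its record count claims")
    totals = defaultdict(int)
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        totals[rec[3]] += rec[6]          # rec[3] = input ifIndex, rec[6] = dOctets
    return dict(totals)

def compare_with_snmp(datagrams, if_index, snmp_octets, seconds, tolerance=0.10):
    """Compare flow-derived rates with an SNMP octet-counter delta for one port."""
    per_if = defaultdict(int)
    for datagram in datagrams:
        for idx, octets in octets_by_input_if(datagram).items():
            per_if[idx] += octets
    mbit = lambda octets: octets * 8 / seconds / 1e6
    all_rate = mbit(sum(per_if.values()))
    port_rate = mbit(per_if.get(if_index, 0))
    snmp_rate = mbit(snmp_octets)
    return {
        "all_flows_mbit": all_rate,
        "port_flows_mbit": port_rate,
        "snmp_mbit": snmp_rate,
        "port_matches_snmp": abs(port_rate - snmp_rate) <= tolerance * snmp_rate,
        "unfiltered_inflated": all_rate > snmp_rate * (1 + tolerance),
    }

def build_sample(records):
    """Constructed test datagram: records is a list of (input ifIndex, octets)."""
    body = b"".join(V5_RECORD.pack(0, 0, 0, in_if, 0, 1, octets, *([0] * 13))
                    for in_if, octets in records)
    return V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed one-second sample: ifIndex 5 is the monitored port (450 Mbit/s);
# ifIndex 7 and 9 stand for the rest of the router's hardware-switched traffic.
SAMPLE = [build_sample([(5, 56_250_000), (7, 400_000_000)]),
          build_sample([(9, 293_750_000)])]
REPORT = compare_with_snmp(SAMPLE, if_index=5, snmp_octets=56_250_000, seconds=1)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

A result with `unfiltered_inflated` true while `port_matches_snmp` is also true points to an exporter sending flows for more interfaces than the one being graphed, not to a collector accounting error.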