Re: [Cflowd] Aggregated flows

From: Edwin D. Viñas (edwinv@asti.dost.gov.ph)
Date: Wed Apr 10 2002 - 20:31:24 PDT

    Hi guys!

    I'm currently working with NetFlow and I was able to graph and database the flows. But one concern we're facing
    is the bandwidth consumption of the NetFlow exporting. We are planning to aggregate flows in the router to
    reduce the data. This, we think, will reduce the bandwidth consumption of flow exporting.

    Can somebody advise me on which is better, non-aggregated netflow or netflow with aggregation? Is it difficult to
    analyze the aggregated flows? How granular is it?

    Thanks,
    Edwin

      ----- Original Message -----
      From: Pranav Shah
      To: 'cflowd@caida.org'
      Sent: Saturday, March 23, 2002 5:54 AM
      Subject: RE: [Cflowd] dst IP only Multicast

      Hey Marcus..
       
      I have removed the flow-export aggregation; however, I still see the same thing. One thing I did notice was that in my flow directory, there are two flow files being generated and updated. One is x.x.x.x.flows.[0-9] (x.x.x.x is the router sending the flows) and the second is the normal flows.* files.
       
      Using flowdumper to see the contents of x.x.x.x.flows.* gives me the src and the dst IPs correctly. However, doing flowdumper on the flows.* directory gives me all multicast addresses in my destination IP. I have read through all the Cisco docs on NetFlow, but it seems all is properly configured. I cannot figure it out.
       
      Pranav
       
        -----Original Message-----
        From: Marcus Beaman [mailto:marcus.beaman@state.or.us]
        Sent: Thursday, March 21, 2002 3:45 PM
        To: Pranav Shah
        Subject: RE: [Cflowd] dst IP only Multicast

        I'm not sure that you need the "ip flow-aggregation cache as" line, as that looks like it aggregates only the following information:
        The aggregated NetFlow data export records report the following:

          a.. Source and destination BGP autonomous system

          b.. Number of packets

          c.. Number of flows summarized by the aggregated record

          d.. Number of bytes summarized by the aggregated record

          e.. Output and input interfaces

          f.. Timestamp when the first packet is switched and timestamp when the last packet is switched
        You might try removing the line (my configs are like that), which will increase your flow file sizes but gives you all flow information. In addition, since NetFlow only tallies data on an interface's input traffic, you need the "ip route-cache flow" statement on all interested interfaces. Since I want to see inbound/outbound traffic to the Internet, I put "ip route-cache flow" on my ISP interface (inbound stats from the Internet = inbound traffic) and on my network interface (inbound from my network to Internet = outbound traffic). If you still want to aggregate (does it work with version 5? I know it does with 8), you might try the "ip flow-aggregation cache protocol-port" since this includes src/dst IPs (http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/netflow.htm#80372)
         
        Make sure you also have the requirements for aggregating:
        You must take these prerequisites into consideration before configuring the NetFlow Aggregation feature:

          a.. Ensure that the following functionality is configured on your system before you configure an aggregation cache:

            a.. IP routing

            For information on IP routing configuration, refer to the Cisco IOS Release 12.0 Network Protocols Configuration Guide, Part 1.

            a.. Cisco Express Forwarding (CEF)

            For information on CEF configuration, refer to the Cisco IOS Release 12.0 Switching Services Configuration Guide.

            a.. NetFlow switching

            For information on NetFlow configuration, refer to the Cisco IOS Release 12.0 Switching Services Configuration Guide and the

          b.. If you intend to use a version 8 aggregation cache, configure a version 5 main cache.

          c.. If you need autonomous system information from the aggregation, make sure to specify the <peer-as | origin-as> options in your export command if you have not configured an export version.
        Good Luck,
         
        -Marcus
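
Added example, not part of the thread or of cflowd: a Python sketch of the granularity trade-off asked about above, collapsing non-aggregated flows into the fields Marcus lists for the AS aggregation scheme. The flow records, addresses, AS numbers and function names are constructed for illustration, and router cache timeouts are not modeled.

```python
from collections import namedtuple

# Constructed sample of non-aggregated flow records (documentation addresses,
# private-use AS numbers); first/last are in seconds.
Flow = namedtuple(
    "Flow", "src_ip dst_ip src_as dst_as in_if out_if packets octets first last")
RAW_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 64512, 64513, 1, 2, 10, 4000, 100, 130),
    Flow("192.0.2.11", "198.51.100.5", 64512, 64513, 1, 2, 3, 180, 105, 106),
    Flow("192.0.2.10", "198.51.100.9", 64512, 64513, 1, 2, 900, 1200000, 110, 170),
    Flow("192.0.2.77", "203.0.113.20", 64512, 64514, 1, 3, 5, 300, 120, 121),
    Flow("198.51.100.5", "192.0.2.10", 64513, 64512, 2, 1, 8, 9000, 101, 131),
]


def aggregate_by_as(flows):
    """Collapse flows into one record per (src AS, dst AS, input if, output if)."""
    cache = {}
    for f in flows:
        key = (f.src_as, f.dst_as, f.in_if, f.out_if)
        rec = cache.setdefault(key, {"flows": 0, "packets": 0, "octets": 0,
                                     "first": f.first, "last": f.last})
        rec["flows"] += 1
        rec["packets"] += f.packets
        rec["octets"] += f.octets
        rec["first"] = min(rec["first"], f.first)  # first packet switched
        rec["last"] = max(rec["last"], f.last)     # last packet switched
    return cache


def octets_by_source_ip(flows):
    """Per-host totals; answerable only from the non-aggregated records."""
    totals = {}
    for f in flows:
        totals[f.src_ip] = totals.get(f.src_ip, 0) + f.octets
    return totals


if __name__ == "__main__":
    agg = aggregate_by_as(RAW_FLOWS)
    print(f"{len(RAW_FLOWS)} raw records -> {len(agg)} aggregated records")
    for key, rec in sorted(agg.items()):
        print(key, rec)
    # The aggregate shows the AS pair and volume, but not which host sent it.
    print(max(octets_by_source_ip(RAW_FLOWS).items(), key=lambda kv: kv[1]))
```

The aggregated records carry no IP addresses at all, so a per-host question such as "which source sent the most bytes" needs the non-aggregated export.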




    This archive was generated by hypermail 2.1.4 : Tue Apr 23 2002 - 15:46:15 PDT