nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Performance Issues / Feature Request

wtan2000

We have been long-time users of Orion, and have had Netflow running for 3 months. Unfortunately, the only way we've been able to get respectable performance is to throw hardware at it.

My feature request involves having more flexibility in the data consolidation engine so that we can keep the size of the database or indices down. As an example, I'd be ok with consolidating entries to the hour almost immediately, or aggregating IP addresses into /24s after a day, etc. Or maybe the database architecture can be made to be more efficient.

For those who are interested, we are monitoring about 15 T1 interfaces, have a 60 day retention, and are consolidating aggressively. Our database is about 150GB. Here are the SQL server specs that got us acceptable performance:

1xClovertown 1.67ghz quad core processor
8xSAS15K drives striped
16GB DDR2 ECC667 RAM
Windows R2 Enterprise, SQL 2005

That may sound over the top, but lesser servers haven't cut the mustard as evidenced by high disk queue times in Windows perfmon. It's all about the number of high-speed disk spindles you can dedicate to it.

Find more posts tagged with

Accepted answers

All comments

r0berth1

How are you setting up netflow for a T1 with out it bringing the utilization of the T1 to 90-100%? i have tried to monitor some our or locations accross T1s but it pegs out the utilization of the circuit.

cnorborg

Wow, we run Netflow on quite a few of our T1's with NetQoS and even in our doing testing with Orion NTA we've never had netflow be that much data. Were you monitoring a Layer-3 switch or switches across the link or something? Never heard that before!!

r0berth1

nope, just monitoring a data and voice vlan.

cnorborg

Wow, I'm at a loss, I know netflow data is higher bandwidth than SNMP at times depending on the flows, but that seems very excessive. We're talking like 1-3% on our T1 at the most...

How is your Netflow configured on the router, mostly interested in the commands with "flow" in them. ie: "show run | i flow"

r0berth1

The config looks like this:

interface Serial0/0/0.??? point-to-point
description **Circuit ID is ???**
ip address 0.0.0.0 255.255.255.252
ip flow ingress
ip flow egress
frame-relay interface-dlci ???
!
ip flow-export source Serial0/0/0.???
ip flow-export version 5
ip flow-export destination 0.0.0.0 2055
!

end

cnorborg

That looks pretty normal, I don't think you need the "ip flow egress" unless this is an MPLS network, can't tell from the config - looks like frame-relay. This is a network "stub", ie: no other networks beyond it, or more specifically, no other Netflow sources beyond it like Layer-3 switches?

I am assuming the 0.0.0.0 on both the interface and flow export destination are actually real IP addresses?

The 80-90% utilization, have you confirmed that its from this router to your server, not some other traffic that just happens to be on port 2055?

You've checked your IOS version vs. IOS bugs dealing with Netflow?

r0berth1

Yes, Most of my locations are MPLS with 1 2811 and a 2960. I have a few locations that have 1 2811, 1 2960G, and up to 3 2960s. I also have 5 branches that are metro-e but those have 3750s and netflow doesnt work on them.

yes, the 0.0.0.0 actually has real IPs in it. I always replace the IPs with 0 when posting to either cisco or here.

Yes, I have verified that the traffic is coming from the router and not some other source.

Yep, I have checked the IOS version against the IOS bug list and it doest show anything similar to my problem.

mcbridea

r0bert1,

Id like to know more about you netflow environment. I didn't see your email address in your profile. Are you willig to chat about this?

Andy

r0berth1

yep we can. There are some things that i can not say about the network as you can understand from a security standpoint but as away.