Double traffic

Hello everyone,

I've been troubleshooting my configuration for a while now, simply because some of the traffic reports seem to be inaccurate. So here is my scenario: we have about 11 different datacenters and I use Orion NTA to analyze WAN traffic over the 11 different routers. For the time being, I'm exporting NetFlow from both the virtual inside interface and outside interface (and I'm exporting both ingress and egress).

As a test, I tried to generate a 1GB test file and fetch it from one location to another. When I search for the server I fetched to on "Search by Endpoint", the total traffic transferred within the time period I transferred my 1GB file shows double (in this example 2GB). Why would it think I transferred double what I actually did? Can it be related to the fact that I'm polling traffic off both the "inside" and "outside" interface of the router?

Personally, I thought it would "summarize" the traffic if it sees the traffic on two interfaces at the same time, but maybe that's not the issue?

Can someone please help me out?

-Vidar

  • I agree with you and I think it is because you are seeing it cross the inside and the outside. Generally you only need NetFlow on your outermost interfaces. For example, on all my routers it's on for the WAN circuit but off for the Ethernet ports.

  • De-duplication on a NetFlow collector is a tricky thing, so we show you all the flow data you collect. Because NetFlow allows you to apply ingress and egress on all interfaces, there is good opportunity to over-collect. Are you collecting flow information for accounting or for traffic analysis?

    Also look for a paper I'm putting out very soon on NetFlow Basics and Deployment Strategies.

  • That makes sense, mcbridea. I am likely over-collecting on my routers, considering I'm exporting from both the "inside" and "outside" interface. At the moment with our setup, I don't really see a strategy to avoid seeing the traffic twice (or more).

    Let's say I have a user in CityA, fetching something from CityC, and the traffic is traversing through my router in CityB. Would that give me 3 x the "real" traffic because I'm pulling NetFlow data off the WAN interface on my CityA, CityB and CityC routers? (and it sees the same traffic traversing through 3 different routers/flows)

    In our scenario, a miscalculation of 2GB where it should be 1GB is not really an issue. It becomes an issue when 600GB is supposed to be 300GB, if you catch my drift :)

    I am merely using SolarWinds NTA for traffic analysis, and not for accounting purposes. Looking forward to hearing from you again if you have any tips to improve my setup :)

    Thanks a lot for your help!

    -Vidar

  • Hi Vidar,

    Normally what I need to see in NTA is the cause of congestion which tends to hurt WAN links due to bandwidth restrictions and the aggregation of several LAN ports into one WAN port. LAN bandwidth has increased so much in the past few years that it is hard to saturate a LAN link.

    If these are two-port LAN-to-WAN routers, I definitely recommend against exporting flows from the LAN interface. If all traffic going into the router has to exit the other port, you'll catch it all with just the WAN exporter. You will miss the traffic that bounces off the LAN interface, but NetFlow can't see that anyway, as bounce traffic happens in the forwarding plane and NetFlow works in the control plane.

    Andy

  • Two notable control plane exceptions are 7600's and 6500's, which implement NetFlow in ASIC but use control CPU to a lesser extent.
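
The over-collection discussed in this thread, as an added example that is not part of any post and is not how Orion NTA processes flows: a 1GB transfer exported at ingress and egress on both the inside and outside interface, summed naively and then counted once per flow. The record layout, router name, addresses and the "largest observation point wins" heuristic are assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

# Constructed flow records (not real exports): one router, NetFlow enabled
# for ingress AND egress on both the inside and the outside interface.
Record = namedtuple(
    "Record", "exporter ifname direction src dst sport dport proto nbytes")

GB = 10**9
ACKS = 20_000_000  # constructed size of the reverse (acknowledgement) flow
RECORDS = [
    # Forward flow: enters on "inside", leaves on "outside" -> seen twice.
    Record("rtr-a", "inside", "ingress", "10.1.0.5", "10.3.0.9", 445, 51000, 6, GB),
    Record("rtr-a", "outside", "egress", "10.1.0.5", "10.3.0.9", 445, 51000, 6, GB),
    # Reverse flow: enters on "outside", leaves on "inside" -> seen twice.
    Record("rtr-a", "outside", "ingress", "10.3.0.9", "10.1.0.5", 51000, 445, 6, ACKS),
    Record("rtr-a", "inside", "egress", "10.3.0.9", "10.1.0.5", 51000, 445, 6, ACKS),
]

def flow_key(r):
    """5-tuple identifying a unidirectional flow."""
    return (r.src, r.dst, r.sport, r.dport, r.proto)

def by_observation_point(records, ip=None):
    """Bytes per flow, split by (exporter, interface, direction)."""
    table = defaultdict(lambda: defaultdict(int))
    for r in records:
        if ip is None or ip in (r.src, r.dst):
            table[flow_key(r)][(r.exporter, r.ifname, r.direction)] += r.nbytes
    return table

def naive_bytes(records, ip):
    """Sum every record touching the endpoint: counts each copy of a flow."""
    return sum(r.nbytes for r in records if ip in (r.src, r.dst))

def dedup_bytes(records, ip):
    """Count each flow once, using its largest observation point.
    Assumes every point saw the whole flow (no sampling, symmetric path)."""
    return sum(max(p.values()) for p in by_observation_point(records, ip).values())

def duplicated_flows(records):
    """Flows reported from more than one observation point (over-collection)."""
    return {k: sorted(p) for k, p in by_observation_point(records).items()
            if len(p) > 1}

if __name__ == "__main__":
    print("naive:", naive_bytes(RECORDS, "10.3.0.9"))
    print("dedup:", dedup_bytes(RECORDS, "10.3.0.9"))
    for key, points in duplicated_flows(RECORDS).items():
        print(key, "seen at", points)
```
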