• State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 24 subscribers
  • Views 686 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Net flow reciever or my switch?

Wlacroix

Hello team, I have a wierd issue.

We run HP switches and I have been removing any ports not monitored or no longer need to be monitored right across the board of 80+ switches.

So, on my core switch (HP5412zl version1), I removed sflow fully and disabled it. I re-enabled it, thus clearing all of the sflow information inside the switch. I double checked the (sho run) to make sure that the data was gone.

I did a write memory to commit this change.

I re-added all of the interfaces that we need to monitor, re-setup sampling and polling accordingly.

For the last week, I have been troubleshooting the unmonitored netflow interfaces in my events on the solar wind side. I still have interfaces showing up here that are 100% not sending traffic, according to my switch, they were however monitored in the past.


My only thought would be to delete the node from solar winds fully and re build that side of things.


I also have no clue why solar winds would see this data, unless the switch was actually sending it. Its not regular like sflow is normally, and its not at a specific time.

Here is a screen shot.

sflow.JPG

Any advice would be great.


Regards,
Wally

Parents
  • 0

    The message, that its receiving flow data from an unmanaged interface, isn't really accurate since the interface doesn't actually send the Netflow packets.  Its receiving it from the box that has the interface on it.   This is kind of important in that a Netflow packet has lots of information in it, including the source and destination interfaces that it is using to transit the box.   Usually folks do ingress netflow, but you can do egress or both depending on the configuration.   So, if you're doing ingress Netflow, the packet would be generated on the interface its entering the box, but not the interface its exiting the box through, but that packet should still contain both interfaces in it.   If you do both ingress and egress, you should get a packet from both interfaces also.

    Getting back to your issue.   Let's say your monitoring Gi0/0 for ingress packets, but not monitoring any other interfaces including Gi0/1.   If a packet comes in on Gi0/0 that is destined to go out Gi0/1, the netflow packet should still have both interfaces in it.    I could see Orion complaining that the interface it has as an egress interface isn't being monitored?   Not sure though.   My practice is to monitor all interfaces for ingress traffic no matter what.   That way I see all traffic transiting the box.

    So, in other words, just because Netflow isn't configured on an interface, doesn't mean that it doesn't show up in Netflow packets from a box.

    Hopefully I'm not too off base here!   Just making a guess based on what I'm seeing...

  • 0 in reply to cnorborg

    Sorry Craig I'm having a little trouble following your post.

    in most cases we never specify in or out, its both by default I thought.

    We monitor an interface with the following HP commands:

    sflow 1 polling 24 60

    sflow 1 sampling 24 4096

    In the example above I am polling port 24 every 60 seconds, and I am sampling on port 24 every 4096th packet. We never specify in\out\both

    Here is my current list on my core.

    SFlow Sampling Information

            | Sampling                    Dropped | Polling

      Port  | Enabled      Rate Header    Samples | Enabled Interval

      ----- + -------  -------- ------ ---------- + ------- --------

      B1      Yes(1)       4096    128          0   Yes(1)        60

      B12     Yes(1)       4096    128          0   Yes(1)        60

      B14     Yes(1)       4096    128          0   Yes(1)        60

      B15     Yes(1)       4096    128          0   Yes(1)        60

      B19     Yes(1)       4096    128          0   Yes(1)        60

      C17     Yes(1)       4096    128          0   Yes(1)        60

      G22     Yes(1)       4096    128          0   Yes(1)        60

      K1      Yes(1)       4096    128       2522   Yes(1)        60

      Trk1    Yes(1)       4096    128          0   Yes(1)        60

      Trk2    Yes(1)       4096    128          0   Yes(1)        60

      Trk5    Yes(1)       4096    128       2627   Yes(1)        60

      Trk6    Yes(1)       4096    128          0   Yes(1)        60

    As you can see F8, C20, F24, C7, H17, A5, H23, and A3 are not in my list at all what so ever.

    I took a quick look a the commands themselves on the switch and there is not an option to only poll or sample inbound\outbound\both. I also don't see anything in solar winds to select inbound\outbound\both

    So i don't understand where solar winds is getting said data from?

    Regards,
    Wally

Reply
  • 0 in reply to cnorborg

    Sorry Craig I'm having a little trouble following your post.

    in most cases we never specify in or out, its both by default I thought.

    We monitor an interface with the following HP commands:

    sflow 1 polling 24 60

    sflow 1 sampling 24 4096

    In the example above I am polling port 24 every 60 seconds, and I am sampling on port 24 every 4096th packet. We never specify in\out\both

    Here is my current list on my core.

    SFlow Sampling Information

            | Sampling                    Dropped | Polling

      Port  | Enabled      Rate Header    Samples | Enabled Interval

      ----- + -------  -------- ------ ---------- + ------- --------

      B1      Yes(1)       4096    128          0   Yes(1)        60

      B12     Yes(1)       4096    128          0   Yes(1)        60

      B14     Yes(1)       4096    128          0   Yes(1)        60

      B15     Yes(1)       4096    128          0   Yes(1)        60

      B19     Yes(1)       4096    128          0   Yes(1)        60

      C17     Yes(1)       4096    128          0   Yes(1)        60

      G22     Yes(1)       4096    128          0   Yes(1)        60

      K1      Yes(1)       4096    128       2522   Yes(1)        60

      Trk1    Yes(1)       4096    128          0   Yes(1)        60

      Trk2    Yes(1)       4096    128          0   Yes(1)        60

      Trk5    Yes(1)       4096    128       2627   Yes(1)        60

      Trk6    Yes(1)       4096    128          0   Yes(1)        60

    As you can see F8, C20, F24, C7, H17, A5, H23, and A3 are not in my list at all what so ever.

    I took a quick look a the commands themselves on the switch and there is not an option to only poll or sample inbound\outbound\both. I also don't see anything in solar winds to select inbound\outbound\both

    So i don't understand where solar winds is getting said data from?

    Regards,
    Wally

Children
No Data

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.