1 Reply Latest reply on Dec 12, 2017 10:49 AM by mesverrum

    Netflow - output changed

    lagcat

      Hi All

       

      I am not sure at what point in the updates this has happened but our netflow output from Cisco switches/routers has change from a smooth output to what looks like a 15/30min average on a interfaces

       

      for example a 2mb mpls like used to show a clear 40% usage with the breakdown on applications but not it shows in some 15min sections 6-20mb usage which is impossible for the interface/bandwidth ... also each 15minutes it seems to give a 0 reading

       

      I will attached pictures to explain as I think I am making no sense - it will show good and bad outputs so you can understand what I mean

       

      but it used to look good - if we had a 2mb site we would never see the traffic go about 80% due to QoS setting for EF

      now we are just seeing massive spikes rather than something that is helpful to work out usage between hours

       

      any suggestions? I can only put it down to an update as the netflow settings are not something we change and the routers for these are site managed and cost us for changes so we know nothing has changed

        • Re: Netflow - output changed
          mesverrum

          Most likely there is an issue with the netflow timout settings on your router.  For Cisco gear there are typically two values to keep an eye on, the active timeout and the inactive.  inactive is measured in seconds, active is in minutes, but in either case you want them sending data at least once a minute to keep the flow data smooth.  See this example config

           

          interface GigabitEthernet0/1

          description link to PIX

          ip address 10.3.1.2 255.255.255.252

          ip route-cache flow

          !

          ip flow-export source GigabitEthernet0/1

          ip flow-export version 5

          ip flow-export destination 1.2.0.12 2055

          ip flow-cache timeout active 1

          ip flow-cache timeout inactive 60

          snmp-server ifindex persist