4 Replies Latest reply on Dec 24, 2014 1:41 PM by choly

    How can we interpret the statistics on Netflow correctly when using Steelhead  ( Please help!!)

    jackycheuk

      My network topology is like below

       

      user ----FW A----Riverbed Steelhead A----WAN router A =================WAN router B ---- Riverbed Steelhead B---- FW B---- Datacenter

       

      I am still very confused when using Steelhead how we can interpret the statistics on Netflow correctly.

       

      Below are the Netflow statistics of WAN router A and Riverbed Steelhead A, and we are looking at the WAN interface of both devices.

       

      Let's focus on port 445. For the ingress (incoming) traffic, Router A has 308.3MB, and Steelhead has 156.3MB.

       

      1) I think the actual amount of traffic across the WAN network for port 445 is 308.3MB, correct?

       

      2) Yet why is Steelhead always showing a lesser value for ingress?

       

      3) For in-path optimized traffic, it is using port 7800, so the rest of the services shown here are pass-through traffic?

       

      4) I searched on the Internet; most people say that when using Steelhead in your network, you can only get the correct Netflow data by monitoring Steelhead.

      However, shouldn't we use Netflow data from the WAN router to see the bandwidth utilization of the WAN link?

       

      Please kindly help, can't find the correct answer anywhere. Thanks in advance.

       

      Snap255.jpg

      Snap256.jpg

        • Re: How can we interpret the statistics on Netflow correctly when using Steelhead  ( Please help!!)
          jackycheuk

          Choly, I removed the "ip flow egress" and now it works. Thanks a lot.

           

          But I still have one more question,

           

          Before, I had the below configuration on my router A LAN interface.

           

          interface GigabitEthernet0/1
           ip address 10.x.x.x 255.255.x.x
           no ip redirects
           ip flow ingress
           ip flow egress

           

          And I added both the LAN and WAN interfaces of router A to Solarwinds.

           

          So, what if I keep the configuration and remove the WAN interface of router A from Solarwinds: the duplicate flows issue would not happen, correct?

           

          Or does it not matter whether the WAN interface is here or not: once you configure "ip flow egress" on the interface, the duplicate flows issue would happen?

            • Re: How can we interpret the statistics on Netflow correctly when using Steelhead  ( Please help!!)
              donthomas

              When you monitor both interfaces, have only one command on all interfaces. If you are monitoring only one interface with SolarWinds NTA, you still have one command on all interfaces, or use both commands only on the particular interface you are monitoring.

                • Re: How can we interpret the statistics on Netflow correctly when using Steelhead  ( Please help!!)
                  jackycheuk

                  Now, I have the below configurations on my router WAN (gi0/0) and LAN (gi0/1) interfaces,

                   

                  interface GigabitEthernet0/0
                   ip flow ingress
                   load-interval 30
                   duplex full
                   speed 100
                  !
                  interface GigabitEthernet0/1
                   no ip redirects
                   ip flow ingress
                   load-interval 30
                   duplex auto
                   speed auto

                   

                  But why am I seeing different results for "Top 5 applications" and "Top 10 Endpoints"?

                   

                  My link is only 1Mb.

                   

                  But for "Top 10 Endpoints", the graph can reach 2Mbps.

                   

                  Btw, which unit is used in the graph? KBPS of "BOTH, LAST 30 MINUTES, RATE (KBPS)" or kbps on the y-axis?

                   

                  Thanks in advance!!

                  Snap275.jpg

                    • Re: How can we interpret the statistics on Netflow correctly when using Steelhead  ( Please help!!)
                      choly

                      As you can see on the y-axis, the unit is kbps, Mbps; the title is just written in uppercase (UI designers).

                       

                      The endpoints resource is showing 'double data' by design, we should create an article explaining it.

                      Basically:

                      Endpoints always appear to show double the amount of data (rate, bytes transferred, percent utilization), because there are always 2 distinct endpoints in a single flow. To show statistics for top endpoints, NTA disregards source and destination endpoint, treating them just as endpoints. This effectively doubles the total amount of data.

                       

                      Example flows:

                       

                      SourceIP   DestinationIP   Protocol   Bytes
                      IP1        IP2             TCP        50
                      IP2        IP3             TCP        40

                       

                      Total bytes transferred by TCP protocol = 50+40 = 90 bytes (this works for other resources, too)

                       

                      However, endpoints are counted in the following way:

                      Endpoint   Bytes transferred
                      IP1        50 bytes
                      IP2        50+40=90 bytes
                      IP3        40 bytes

                      So the reported total bytes transferred by endpoints = IP1 + IP2 + IP3 = 50+90+40 = 180 bytes. This is double that of other resources.
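
The two counting effects discussed in this thread, as an added example that is not part of the original posts and is not NTA's code: per-endpoint totals credit every flow to both of its endpoints, and a flow captured at both ingress and egress on the same router is exported twice. The record layout, the third (duplicate) flow and the simplified dedupe key of source, destination and protocol are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, protocol, bytes, capture direction).
# Rows 1-2 are the example flows from the last post; row 3 is a constructed
# duplicate of row 1, as exported when "ip flow egress" on one interface
# re-captures a flow already seen by "ip flow ingress" on another.
FLOWS = [
    ("IP1", "IP2", "TCP", 50, "ingress"),
    ("IP2", "IP3", "TCP", 40, "ingress"),
    ("IP1", "IP2", "TCP", 50, "egress"),
]

def dedupe(flows):
    """Drop egress records whose flow key was also captured at ingress.

    Assumption: (src, dst, protocol) is enough to identify a flow here; a
    real collector would also use ports and a time window.
    """
    ingress_keys = {(s, d, p) for s, d, p, _, way in flows if way == "ingress"}
    return [f for f in flows
            if f[4] == "ingress" or (f[0], f[1], f[2]) not in ingress_keys]

def bytes_by_protocol(flows):
    """Each flow's bytes are counted once, under its protocol."""
    totals = defaultdict(int)
    for _src, _dst, proto, nbytes, _way in flows:
        totals[proto] += nbytes
    return dict(totals)

def bytes_by_endpoint(flows):
    """Each flow's bytes are credited to BOTH endpoints, regardless of role."""
    totals = defaultdict(int)
    for src, dst, _proto, nbytes, _way in flows:
        totals[src] += nbytes
        totals[dst] += nbytes
    return dict(totals)

def summarize(flows):
    """Return (protocol total, sum over endpoints, per-endpoint breakdown)."""
    per_endpoint = bytes_by_endpoint(flows)
    return (sum(bytes_by_protocol(flows).values()),
            sum(per_endpoint.values()), per_endpoint)

if __name__ == "__main__":
    for label, flows in (("as exported", FLOWS), ("deduplicated", dedupe(FLOWS))):
        print(label, *summarize(flows))
```

The sum over endpoints is always exactly twice the protocol total, so an endpoint graph peaking near 2x the link rate is expected; a protocol total above the link rate points to duplicate exports instead.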