[c-nsp] 7304 and netflow under heavy traffic load

[Laurent Geyer]

On 7/29/06, Rich Lemmerman <rich_lemmerman at yahoo.ca> wrote:
>
> Having an unusual netflow issue with the 7304 which we are planning to use
> as our edge router at a not-too-large data center.  When a specific
> destination address (but hundreds of ports) receives heavy traffic, the
> netflow records reduces considerably for that destination but stays steady
> overall.  However when the heavy traffic subsides, the really old netflow
> records associated with that destination show up tardily.  The effect is
> that one of the several real-time netflow analysis tool reports the heavy
> traffic after the traffic has subsided.


You're seeing the decrease because the timeout for active flows on the 7304
is 30 minutes. Inactive flows timeout after 15 seconds, so when the heavy
traffic subsides the expired flows finally get exported.


Is it the case that the 7304 is underpowered relative to netflow generation
> of this kind or is there a potential problem with the 7304 or its IOS or its
> config relative to netflow.


As long as you don't start playing with sampled flows you should be fine.

The global config command you're looking for to decrease the timeout of
active flows is `ip flow-cache timeout active <1-60 minutes>'.

We're using 1 minute on our 7304s and have yet to run into any issues.

- Laurent