[c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls

Adam Powers apowers at lancope.com
Tue May 20 14:46:47 EDT 2008 

You are correct. The exporter will unnaturally expire the cache entry and
start a new one when the octet counter overflows.

YMMV from one Netflow cache implementation to another.

BTW: For systems that use ³sort | uniq² approach for Netflow deduplication
this effect would mess things up. Setting lower active timers (I recommend
60 seconds) would help.
 


On 5/20/08 2:27 PM, "Peter Rathlev" <peter at rathlev.dk> wrote:

> Hi Chris,
> 
> On Tue, 2008-05-20 at 14:03 -0400, Chris Riling wrote:
>> > I know this has been asked thousands of times before, but I don't think
>> > anyone has ever answered it in quite the same fasion. I'm thinking
>> >  about turning on netflow on my border routers (7606's with Sup32's /
>> >  full routes);
> 
> Impressive. I didn't think Sup32 could do full routes any longer. :-)
> 
>> > Think I'll see any issues from turning on the exports?
> 
> It shouldn't have any impact on the hardware forwarding of the box, but
> the export uses some CPU on the MSFC. On our Sup720s the CPU spends most
> of its time around 0-1%, exporting on average ~400 flows per second.
> They're not really doing much else with the CPU though, no full tables
> or anything. The Sup32 may be stressed a little more, and it all depends
> on how many flows you export.
> 
> You also need to think about the TCAM, there's a limit on how many flows
> you can store at once, maybe forcing you to use aggressive aging timers.
> 
> AFAIK no Netflow configuration should have any impact on the forwarding
> performance of the box, but I may be very wrong. ;-)
> 
>> > Also, specifically, we're looking to see the ability to generate
>> >  reports for say, a /22, and the amount of transfer for each host in
>> >  the /22 that has entered / exited our network at the border (MRTG on
>> >  the switchports isn't going to cut it). I've heard that a lot of
>> >  people use ntop for this sort of thing, but in the demo I wasn't able
>> >  to find anything that did exactly this, and I wanted to consult the
>> >  list before turning on Netflow at the border routers anyway. I've also
>> >  heard of people using stager for the report generation; can stager do
>> >  the same sort of thing?
> 
> We're using nfdump/NFSen and it can do all kinds of sweet things
> regarding aggregation. We're not using it for billing though, just for
> base lining and such.
> 
> This reminds me: All the flows we receive max out at ~2.1GB. I'd like to
> assume that this is because the switches automatically ages flows before
> they reach the 32-bit limit (or 31-bit?); can anyone confirm this?
> 
> Regards,
> Peter
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 


-- 

Adam  Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam at lancope.com

More information about the cisco-nsp mailing list