[j-nsp] Netflow data exporting ability on M160

Joe Shen sj_hznm at yahoo.com.cn
Tue Nov 30 02:08:16 EST 2004


Hi,


> Are you sure you are sampling the correct packets/interfaces? How are you
> doing your sampling now? Firewall rule with "then sample"? What are your
> actual netflow sampling settings (rate/run-length)?

That's what I'm not sure about.

I just do the following configuration:

forwarding-options {
    sampling {
        input {
            family inet {
                rate 500;
            }
        }
        output {
            cflowd 202.101.172.20 {
                port 2055;
                version 5;
            }
        }
    }
}

firewall {
    filter netflow-sj {
        term all {
            then {
                count sj;
                sample;
                accept;
            }
        }
    }
}

Then I applied filter netflow-sj to three POS
interfaces:


interfaces {
    so-1/3/0 {
        description edge->core_m160-3-1;
        unit 0 {
            family inet {
                filter {
                    input netflow-sj;
                    output netflow-sj;
                }
                address 10.10.10.154/30;
            }
        }
    }
    so-3/1/0 {
        description edge->core-2.5G-POS;
        unit 0 {
            family inet {
                filter {
                    input netflow-sj;
                    output netflow-sj;
                }
                address 10.10.11.66/30;
            }
        }
    }
    so-6/0/0 {
        description "edge->core 2.5G POS";
        unit 0 {
            family inet {
                filter {
                    input netflow-sj;
                    output netflow-sj;
                }
                address 10.10.117.110/30;
            }
        }
    }
}

==================

To my understanding, the M160 should sample each
interface at a rate of 1:500, that is, the overall sample
rate is 3:1500. When I use flowscan to calculate
interface load, the sample rate should be set to 500.

But when I do this in the flowscan configuration, the
total bandwidth shown is around 2.2Gbps, while the
real bandwidth is estimated to be around 7Gbps. If
and only if I configure sample rate to 1500, the
result calculated is to the real bandwidth.

With another M160 which has only one POS
interface sampled, the result is correct to interface
statistics.

In order to verify whether there is a problem with the M160's
internal capacity, I changed the sample rate to 1500 in
forwarding-options while changing the sample rate in CUFlow.cf
to 1500, but the sample problem comes up (calculated
BW is about 1/3 of real load).

Now comes the question: how does the M160 sample
interface traffic and generate cflowd output? Does it
generate cflowd output by aggregating sampled packets
on all interfaces, or does it generate cflowd output for each
interface?

Regards

Joe
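
An added example, not part of the original post: a minimal NetFlow v5 (cflowd version 5) parser that scales sampled octets by a collector-side rate and reports the estimate per input ifIndex, so each interface's figure can be compared with its own counters. The datagram, the ifIndex values 11-13 and the 60-second window are constructed; whether the exporter fills the header's sampling-interval field is not stated in the post, so the rate is passed in explicitly.

```python
import struct
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes

def parse_v5(datagram):
    """Return (header sampling interval, [(input ifIndex, dOctets), ...])."""
    if len(datagram) < HDR.size:
        raise ValueError("short datagram")
    version, count, *_, sampling = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        rec = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append((rec[3], rec[6]))           # input ifIndex, dOctets
    # Low 14 bits carry the interval, top 2 bits the sampling mode.
    return sampling & 0x3FFF, flows

def estimate_bps(flows, rate, window_secs):
    """Scale sampled octets by `rate` and return bits/s per input ifIndex."""
    octets = defaultdict(int)
    for in_if, d_octets in flows:
        octets[in_if] += d_octets
    return {i: o * rate * 8 / window_secs for i, o in octets.items()}

def build_sample(rate=500):
    """Constructed datagram: one record each for hypothetical ifIndex 11-13."""
    hdr = HDR.pack(5, 3, 0, 0, 0, 0, 0, 0, rate)
    zero = bytes(4)
    recs = [REC.pack(zero, zero, zero, ifx, 99, 10, 15000,
                     0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
            for ifx in (11, 12, 13)]
    return hdr + b"".join(recs)

if __name__ == "__main__":
    interval, flows = parse_v5(build_sample())
    for rate in (500, 1500):
        per_if = estimate_bps(flows, rate, window_secs=60)
        print(rate, per_if, "total", sum(per_if.values()))
```

A per-interface breakdown like this shows whether records for every sampled interface reach the collector before any scaling factor is applied.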

 


