Yes Tyson, it is a question. I want to know, how is the record created in the case of aggregation.
Aggregation is similar feature like the alarm summarization of IPS. It summarizes from the main cache. http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/products_implementation_design_guide09186a00800d6a11.html As per the link, if you see the diagram, the flow is expired twice. After the flow is expired from the main cache, the flow entries are put into the aggregation cache and then the aggregation record is exported after another expiration that you can configure specific to the aggregation as following: router(config)#ip flow-aggregation cache prefix router(config-flow-cache)#cache timeout ? active Specify the active flow timeout inactive Specify the inactive flow timeout My question, how can there be an expiration time for the aggregration cache. The aggragration cache has the summarized flow entry from the main cache after it has been expired cache. How does the main cache timeout and aggregation cache timeout work in the case of aggregation? What is the process for the flow entry to come to aggregation cache and then exported? With regards Kings On Mon, Jul 12, 2010 at 7:39 PM, Tyson Scott <[email protected]> wrote: > Kingsley, > > > > Is this a question? > > > > Regards, > > > > Tyson Scott - CCIE #13513 R&S, Security, and SP > > Managing Partner / Sr. Instructor - IPexpert, Inc. > > Mailto: [email protected] > > Telephone: +1.810.326.1444, ext. 208 > > Live Assistance, Please visit: www.ipexpert.com/chat > > eFax: +1.810.454.0130 > > > > IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, > Audio Tools, Online Hardware Rental and Classroom Training for the Cisco > CCIE (R&S, Voice, Security & Service Provider) certification(s) with > training locations throughout the United States, Europe, South Asia and > Australia. Be sure to visit our online communities at > www.ipexpert.com/communities and our public website at www.ipexpert.com > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Kingsley Charles > *Sent:* Monday, July 12, 2010 7:55 AM > *To:* [email protected] > *Subject:* [OSL | CCIE_Security] Netflow aggregration > > > > Hi all > > A flow record is created, when a flow expires. The following are conditions > for expiration of a flow: > > •Flows which have been idle for a specified time are expired and removed > from the cache > > •Long lived flows are expired and removed from the cache (flows are not > allowed to live more than 30 minutes by default, the underlying packet > conversation remains undisturbed) > > •As the cache becomes full a number of heuristics are applied to > aggressively age groups of flows simultaneously > > •TCP connections which have reached the end of byte stream (FIN) or which > have been reset (RST) will be expired. > > > Version 9 supports aggregation. The flow record creating in ver 9 is bit > different. > > As per this link, after the expiration of the flow, it is moved to > corresponding aggregate cache. Again after timeout in the aggregation cache > only, a flow record is created. I don't get it, how can > the flow timeout in the aggregation cache which has already been timed out > in the main cache. > > router(config)#ip flow-aggregation cache prefix > router(config-flow-cache)#cache timeout ? > active Specify the active flow timeout > inactive Specify the inactive flow timeout > > > http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/products_implementation_design_guide09186a00800d6a11.html > > > > With regards > Kings >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
