There are two possible sources for the discrepancy between the interface statistics and those reported by the Netflow collectors.

1) The Matrix N-Series will not report Broadcast, Multicast, and Unknown Unicast statistics in Netflow Records. Keep in mind that the prevalent record formats report both source and destination interfaces; the destination interface is unavailable in the case of Broadcast, Multicast and Unknown Unicast (as it spans many interfaces).

2) It is possible that the rate of record generation exceeds the device's ability to deliver them: this is reported in the following CLI output:

    show netflow statistics

    Export Statistics:
    ------------------------------------
    Network Packets Sampled: 0
    Exported Packets: 0
    Exported Records: 0
    Export Packets Failed: 0
    Export Records Dropped: 0

In our experience, the likely cause would be the first case (a high incidence of Broadcast, Multicast or Unknown Unicast on those links). In the case described below, a 5-10% discrepancy seems reasonable; the 40-50% discrepancy bears investigation into the source (possible misconfiguration or abnormal traffic patterns).

Regards,
Dave Kjendal
Enterasys Networks

-----Original Message-----
From: Huber Adrian TRAIL [mailto:[email protected]]
Sent: Friday, March 06, 2009 3:19 PM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Matrix N Series Netflow Numbers not matching snmp totals problem

Just a thought: Netflow only records traffic if it is from one IP network going to another, so what if some of the traffic that your SNMP is recording is only broadcasts, or is not destined to a network defined on that router? I too am curious to know why this is occurring to you.

-----Original Message-----
From: marc slice [mailto:[email protected]]
Sent: Friday, March 06, 2009 11:34 AM
To: Enterasys Customer Mailing List
Subject: Re: [enterasys] Matrix N Series Netflow Numbers not matching snmp totals problem

I have been looking into this solution as an interim to solving the problem. Anyone have any insight as to what could be causing this problem or what to look for? Won't be able to call in for support for a week or 2.

----- Original Message ----
From: Huber Adrian TRAIL <[email protected]>
To: Enterasys Customer Mailing List <[email protected]>
Sent: Thursday, March 5, 2009 3:11:39 PM
Subject: RE: [enterasys] Matrix N Series Netflow Numbers not matching snmp totals problem

I noticed this once with an SSR-8 before. I decided to use fprobe (software) with a Linux-based server and attached it to the router on a mirrored port. The fprobe had to have minimal configuration so it knows what traffic is internal/external. It then emitted the Netflow packets just as any router would to our collector (flow-tools). This doesn't answer your question, but it is a workaround that I used, and still use today.

-----Original Message-----
From: marc slice [mailto:[email protected]]
Sent: Thursday, March 05, 2009 10:38 AM
To: Enterasys Customer Mailing List
Subject: [enterasys] Matrix N Series Netflow Numbers not matching snmp totals problem

On a Matrix N series we currently have Netflow turned on for the ports to our ISP (ge.1.29 and ge.1.30) and our public VLAN ports (ge.1.2, ge.1.11, ge.1.17). Our current reading of the bytes per second through SNMP on our switch is equal to our ISP's numbers, yet each and every Netflow collector we have tried is reporting less. Mainly our inbound numbers are off by 40-50%, yet the outbound is only 5-10% off on ge.1.29-30. Also, we have tried using both Netflow v5 and v9 and used collectors on different servers directly plugged into the Matrix switch. We have tried flow-tools, ntop, Scrutinizer, SolarWinds Orion NPM with NTA and one or 2 others, but all report the same difference. Running the latest firmware. Anyone have any insight or have the same problem? We need to account for the traffic by IP and were relying heavily on this working.

--- To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected]
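
The following is an added example, not part of the original thread and not Enterasys code: it checks how much of an SNMP-versus-Netflow byte gap the two causes named in the first reply can account for, and flags the remainder for investigation. The one-field-per-line layout of the `show netflow statistics` output, all sample values, the 5% tolerance, and the function names are assumptions; the counter names are standard IF-MIB objects.

```python
import re

# Constructed sample. Field names come from the CLI output quoted in the thread;
# the one-field-per-line layout and every value are assumptions.
SAMPLE_CLI = """\
Export Statistics:
------------------------------------
Network Packets Sampled: 0
Exported Packets: 31000
Exported Records: 950000
Export Packets Failed: 0
Export Records Dropped: 50000
"""

# Constructed inbound deltas for one polling interval (IF-MIB ifXTable objects).
SAMPLE_SNMP = {"ifHCInOctets": 1_000_000_000, "ifHCInUcastPkts": 900_000,
               "ifHCInMulticastPkts": 60_000, "ifHCInBroadcastPkts": 40_000}

def parse_export_stats(text):
    """Return {field name: int} for each 'Name: <number>' line."""
    pattern = r"^[ \t]*([A-Za-z ]+?):[ \t]*(\d+)[ \t]*$"
    return {m.group(1): int(m.group(2)) for m in re.finditer(pattern, text, re.M)}

def explain_gap(snmp, netflow_octets, stats, tolerance=0.05):
    """Compare the observed SNMP/Netflow gap with what the two causes predict."""
    mcast_bcast = snmp["ifHCInMulticastPkts"] + snmp["ifHCInBroadcastPkts"]
    pkts = snmp["ifHCInUcastPkts"] + mcast_bcast
    # Cause 1: traffic with no single destination interface is not exported.
    # Packet share stands in for byte share; unknown unicast is counted in
    # ifHCInUcastPkts, so this is a lower bound.
    unreported = mcast_bcast / pkts if pkts else 0.0
    # Cause 2: records generated but never delivered. Assumes dropped records
    # are not included in "Exported Records".
    records = stats["Exported Records"] + stats["Export Records Dropped"]
    dropped = stats["Export Records Dropped"] / records if records else 0.0
    observed = 1 - netflow_octets / snmp["ifHCInOctets"]
    expected = 1 - (1 - unreported) * (1 - dropped)
    residual = observed - expected
    return {"observed": round(observed, 4), "expected": round(expected, 4),
            "residual": round(residual, 4), "investigate": residual > tolerance}

if __name__ == "__main__":
    stats = parse_export_stats(SAMPLE_CLI)
    for collector_octets in (860_000_000, 550_000_000):
        print(collector_octets, explain_gap(SAMPLE_SNMP, collector_octets, stats))
```

With the constructed numbers, a collector total of 860 MB is fully accounted for, while 550 MB leaves a residual of about 30% that neither cause covers.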
