Title: Re: [Flow-tools] Strange Router Export Issue
BTW: Be aware that Null0 routed packets will actually generate TWO NetFlow records if you’re not careful. On some platforms, packets sent to Null0 will generate an ICMP Host/Net Unreachable. The returning ICMP message will generate yet another NetFlow record. Make sure you do a “no ip unreachables” for the Null0 interface to turn off unreachables.

While we’re at it, might as well mention that inbound ACL entries will also cause a NetFlow entry. So creating an ACL won’t take the NetFlow export rate down very much (if at all).

I’m not sure what uRPF does to NetFlow. Haven’t tried it. I suspect it will create an entry to Null though much as an ACL would.

I wouldn’t say that increasing the flow cache is “highly not recommended”. It depends on 1) memory and 2) CPU. Increasing the cache will increase CPU as more work has to be done to analyze the cache for aged entries. On the other hand, increasing the cache will/should cause fewer NetFlow exports, which should decrease the amount of CPU being consumed by the actual process of placing the records in a PDU and sending them.

On 5/20/05 1:53 PM, "Carlos Eduardo Vianna - SouthTech Datacenter" <[EMAIL PROTECTED]> wrote:

Hello.
 
I'm experiencing the very same issue, on a similar architecture.

It's a CISCO 7206 with 5 x E1 + 1 FastEthernet INTERNET links, and 4 Ethernet + 1 FastEthernet internal connection.

I can see some sort of DDOS on the show ip cache flow output. The router almost goes down when the problem occurs, 100% CPU, very slow operation. After adding a route to NULL0 for the destination IP of the packets, the router goes back to normal work (while the active flows keep showing up all table full, 64k).

Robert, there is a way to increase the cache with the command:
 
ip flow-cache entries

See:
 http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca6cc.html#wp1000960
 
But this is highly not recommended:

Regards
Carlos Eduardo Vianna
SouthTech Datacenter NOC
AS 25933
 
 
----- Original Message -----
From: Robert S. Galloway <mailto:[EMAIL PROTECTED]>
To: 'Adam Powers' <mailto:[EMAIL PROTECTED]> ; [EMAIL PROTECTED] ; [EMAIL PROTECTED] ; [EMAIL PROTECTED]
Sent: Friday, May 20, 2005 1:11 PM
Subject: RE: [Flow-tools] Strange Router Export Issue

There are definitely very few inactive flows, 17 compared to 65519 active. I’m already running the active timeout at 1 minute. Is there any way to increase the available cache?

Robert

"You have enemies? Good. That means you've stood up for something,
some time in your life." -- Winston Churchill

From: Adam Powers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 19, 2005 6:25 PM
To: Robert S. Galloway; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Flow-tools] Strange Router Export Issue

Check the cache size/health on the 7206. A DoS with small packets sent at high rates from random sources to random destinations will cause the cache on the 7206 to thrash resulting in a large number of new flows without an obvious shift in traffic characteristics.

Do a “sh ip cache flow” and see how many inactive flows you have. If you have none or very few, the cache is probably full. This will force the 7206 to unnaturally expire flows before the inactive/active timeouts. Generally not a good thing. You can try lowering the active timeout a bit. I usually recommend 5 minutes by default.

You can also try checking other things like the invalidation rate for cache ager polls.

On 5/19/05 12:45 PM, "Robert S. Galloway" <[EMAIL PROTECTED]> wrote:

Howdy everyone,

I’ve got a strange issue that is just perplexing me. Basically here’s my setup:

I’ve got two 7513’s and one 7206. Each has one internet DS-3. The 7513’s also support other customer connections, but the 7206 is just the DS-3.

Starting a couple of days ago, the 7206 started sending HUGE numbers (10x normal) of flows to my flow-collector. I’ve dug into the raw flow files and I just don’t see anything strange. All three routers carry about the same traffic load according to bandwidth, but the flows are out of the ball park for the 7206. It’s almost like the router is counting traffic multiple times, but the config didn’t change when this started.

Anyone have any ideas on where I should look?

Thanks,

Robert S. Galloway
Chief Network Security Engineer
IKANO Communications
Network Operations Department
...the team behind the machines
securityguy_AT_ikano.com
801-415-8089



_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools

--
Adam Powers
Director of Technology
Lancope, Inc.
c. 678.725.1028
f. 770.225.6501
e. [EMAIL PROTECTED]

StealthWatch by Lancope - Security Through Network Intelligence™
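
A small health check for the cache condition discussed in this thread (none or very few inactive entries means the flow cache is probably full), added here as an example and not written by any of the posters. The sample outputs are constructed in the layout of the `sh ip cache flow` header, and the 1% free threshold, the reading of a nonzero "flow alloc failures" counter as a warning sign, and the function names are assumptions.

```python
import re

# Constructed samples in the layout of the "sh ip cache flow" header. The
# active/inactive counts and 1-minute timeout in SAMPLE_FULL are the ones
# quoted in the thread; every other number is made up.
SAMPLE_FULL = """\
IP Flow Switching Cache, 4456704 bytes
  65519 active, 17 inactive, 918273645 added
  1234567 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
"""
SAMPLE_HEALTHY = """\
IP Flow Switching Cache, 278544 bytes
  35 active, 4061 inactive, 980 added
  2921778 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
"""

FIELDS = {
    "active": re.compile(r"(\d+)\s+active,"),
    "inactive": re.compile(r"(\d+)\s+inactive,"),
    "added": re.compile(r"(\d+)\s+added"),
    "alloc_failures": re.compile(r"(\d+)\s+flow alloc failures"),
    "active_timeout_min": re.compile(r"Active flows timeout in (\d+) minutes"),
}

def parse_cache_header(text):
    """Extract the counters from the cache header; fail loudly if one is missing."""
    stats = {}
    for name, pattern in FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"field not found in output: {name}")
        stats[name] = int(match.group(1))
    return stats

def assess(stats, min_free_ratio=0.01):
    """Flag a full cache (assumed threshold: under 1% of entries inactive)."""
    entries = stats["active"] + stats["inactive"]
    free_ratio = stats["inactive"] / entries if entries else 0.0
    findings = []
    if free_ratio < min_free_ratio:
        findings.append("cache_full")       # flows get expired before their timeouts
    if stats["alloc_failures"] > 0:
        findings.append("alloc_failures")   # assumed sign that new flows could not be cached
    return {"entries": entries, "free_ratio": free_ratio, "findings": findings}

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_HEALTHY):
        print(assess(parse_cache_header(sample)))
```

Run periodically against collected router output, a `cache_full` finding alongside a jump in exported flows points at cache thrash rather than at a real change in traffic volume.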




