Hi Chris,

On Mon, Oct 12, 2009 at 09:31:39AM +0200, Chris Hellkvist wrote:
> Thanks, i played around a bit with the mls flow-options on the cisco
> box and figured out that the problem in my case is the lack of free
> space in the netflow table on the cisco device. Using "mls flow ip
> interface-destination-source":
> Netflow table utilization of module 5 is 99%
>
> With "mls flow ip interface-source":
> Netflow table utilization of module 5 is 32%
>
> [ ... ]

Something you might try is to enable sampling - given that you seem
not to be running some older IOS (where sampling rate is not properly
exported to the collector). So, on your 6500/7600:

    mls sampling packet-based <xxx>
    !
    interface <xxx>
     mls netflow sampling
    !

Look specifically at the packet-based flow-sampling variant as the
other, time-based, is not working very well (IMHO).

On the nfacctd side of the things, you can do calculations on your own
or you can configure the daemon to renormalize data for you:

    nfacctd_renormalize: true

> splitting up the interfaces into some that generate netflow data via
> the cisco box and some that have netflow data generated using fibre
> taps and some BSD boxes using pmacct (maybe with PF_RING?) generating
> netflow data sending this data to the central nfacctd-box. Opinions on
> that?

It's certainly an option; although on the specific example you mention,
I'm not sure PF_RING works outside a Linux environment. You would have
some "information loss", i.e. input/output interfaces, due to the fact
NetFlow is not done on the device where traffic is passing through but
off-line. Also its applicability depends on the size of the environment
we are speaking about: I see it not very popular in large-scale
scenarios because it puts added burden onto you: you should not mind
only the, say, scalability of the collector but also scalability of
the probe, architecture of the capturing framework as you touch your
network, etc.

> Nope, it's there by itself on newer IOS releases, at some time the
> "global" netflow config was deactivated. Now you need to configure
> netflow for every interface apart...

Thanks!

Cheers,
Paolo

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
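
The "do calculations on your own" option mentioned in the reply above, as an added example that is not part of the original message and not pmacct code: it assumes the exporter sends NetFlow v5, where the last two header bytes carry the sampling mode (top 2 bits) and the 1-in-N interval (low 14 bits), and scales each record's counters by N. The datagram and addresses are constructed sample values.

```python
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def renormalize_v5(datagram):
    """Return (scale, flows) with packet/byte counters multiplied by the
    sampling interval announced in the NetFlow v5 header."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_rest, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram")
    interval = sampling & 0x3FFF   # low 14 bits: sample 1 packet in N
    scale = max(interval, 1)       # 0 means the exporter is not sampling
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5] * scale,   # dPkts as exported, times N
            "bytes": f[6] * scale,     # dOctets as exported, times N
        })
    return scale, flows

def sample_datagram(interval=100):
    """Constructed v5 datagram: one flow, packet-based sampling 1-in-interval."""
    mode_bits = (1 << 14) if interval else 0
    hdr = V5_HEADER.pack(5, 1, 0, 0, 0, 0, 0, 0, mode_bits | interval)
    rec = V5_RECORD.pack(
        ipaddress.IPv4Address("192.0.2.10").packed,
        ipaddress.IPv4Address("198.51.100.7").packed,
        bytes(4), 1, 2,            # next hop, input ifIndex, output ifIndex
        12, 9000, 0, 0,            # sampled packets, sampled bytes, first, last
        40000, 443,                # source port, destination port
        0, 0x18, 6, 0,             # pad, TCP flags, protocol, ToS
        0, 0, 24, 24, 0)           # src AS, dst AS, masks, pad
    return hdr + rec

if __name__ == "__main__":
    print(renormalize_v5(sample_datagram(100)))
```
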
