Hi Adam,
Let me share some thoughts to kick-start the discussion (ie.
inviting people running Juniper to speak up and correct where
needed).
I don't have an explanation why at lowest times renormailzed
NetFlow over-counts SNMP unless sampling rate is somehow not
reported correctly (i have seen this although on C7600: some
line-cards able to report it correctly, others not). If you
are not using sampling_map yet, you could try inserting known
sampling rate values.
For what regards peak hour and NetFlow under-counting compared
to SNMP and the smooth trending of passing from over-counting
to under-counting, i might have a possible explanation: you
are using NetFlow v5 which is centralized, throttled process.
So if 1:2000 reveals too much work for the CPU you are subject
to NetFlow samples not being exported to the collector. This
is solved by using NetFlow v9 and a MS-DPC or in-line IPFIX,
at least on MX series.
Cheers,
Paolo
On Thu, Feb 06, 2014 at 10:45:39AM +0100, Adam Bogdan wrote:
> Hi,
>
> I have a question - maybe somebody had a similar issue - I'm receiving
> netflow from router (Juniper) - they are sampled 1:2000
> After the traffic is recalculated by nfacctd - in comparision to statistics
> received via snmp - I have strange values - in the lowest traffic level
> snmp shows around 550Mbps - in the same time traffic calculated by nfacctd
> is ~1.3Gbps - in max point - snmp is showing 6Gbps but nfacctd 3.9 Gbps
> I understand that traffic is sampled so it won't be exactly at the same
> level as counted by snmp - but isn't it too big difference ?
> Instead of this - the characteristics of the traffic is correct - traffic
> is growing in the same direction, traffic drops are present in the same
> time etc. - only this traffic level..
>
> This is conifguration from router - it's quite simple:
> sampling {
> input {
> rate 2000;
> max-packets-per-second 7000;
> }
> family inet {
> output {
> flow-server x.x.x.x {
> port x;
> autonomous-system-type origin;
> no-local-dump;
> source-address x.x.x.x;
> version 5;
> }
> }
> }
> }
>
> in nfacctd config file - I recalculate netflows like this:
> sql_optimize_clauses: true
> sql_dont_try_update: true
> sql_multi_values: 1024000
> sql_db: pmacct
> sql_host: <host>
> sql_passwd: <pass>
> sql_table_version: 7
> sql_table_type: bgp
> sql_cache_entries: 256000
> sql_preprocess: usrf=2000
>
> >From this what I checked - the problem - for sure - is not in nfacctd,
> netflow data received and recalculated by nfdump was almost the same -
> maybe there is something different what I should change/modify to get
> the traffic level little more accurate.
>
> Thanks for response
>
> Regards
> Adam
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
