North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
cflowd and netflow settings
- From: Dana Hudes
- Date: Sat Apr 01 20:40:16 2000
this is actual operational question so excuse the interruption in the fiber cut du jour thread.
I have a cisco 7500 series router with v11.1(CC) code. I have cflowd running on a Dell PIII
system with an IDE hard drive (thankfully fairly large) under RedHat Linux 6.1 . cflowd and friends
are compiled with -mcpu=i686 .
I have configured a generous cache size of 65535 on the router but it only uses 1024 entries anyway.
show ip cache flow says that:
IP Flow Switching Cache, 69632 bytes
1002 active, 22 inactive, 3045004972 added
2253347804 ager polls, 0 flow alloc failures
Exporting flows to x.x.x.x (2055)
Exporting using source interface Loopback0
Version 6 flow records, origin-as
Active flows timeout in 60 minutes
3045003952 flows exported in 112978700 udp datagrams, 0 failed
last clearing of statistics 5d05h
The collector machine is getting hammered on the data collection.
>From the log:
Apr 1 20:20:19 plan9 cfdcollect: [I] wrote data for router 172.16.1.2
Apr 1 20:20:19 plan9 cfdcollect: [I] connected to localhost:2056
Apr 1 20:20:19 plan9 cflowd: [I] sent data to 126.96.36.199:1877
Apr 1 20:20:22 plan9 cflowd: [I] missed 195585 of 220926 flows from 172.
16.1.2 engine 0 agg_method 0 (88.5296% loss)
Apr 1 20:20:57 plan9 cfdcollect: [I] localhost has data for 1 router.
Apr 1 20:20:59 plan9 cfdcollect: [I] got data for router 172.16.1.2 from
Apr 1 20:20:59 plan9 cfdcollect: [I] wrote data for router 172.16.1.2
Apr 1 20:20:59 plan9 cfdcollect: [I] connected to localhost:2056
Apr 1 20:20:59 plan9 cflowd: [I] sent data to 188.8.131.52:1878
Apr 1 20:21:02 plan9 cflowd: [I] missed 168234 of 248568 flows from 172.
16.1.2 engine 0 agg_method 0 (67.6813% loss)
At this point, cfdcollect is set to minPollInterval of 15
but I still lose data at peak (sure, at 10am on a weekday its no problem to keep up...)
cflowd is configured for FLOWFILELEN: 2097152 and to keep 70 raw flow files.
I had pretty much the same % loss with 1Mb flow files and only keeping 10 .
I'm thinking that perhaps disk I/O is a problem with cfdcollect and cflowd on 1 machine with 1 disk.
Two physical disks (Ultra Wide Fast SCSI) might help keep up.