[Cflowd] Aggregated flows
Edwin D. Viņas
edwinv@asti.dost.gov.ph
Thu, 11 Apr 2002 11:31:24 +0800
Hi guys!
I'm currently working with netflow and I was able to graph and database the flows. But, one concern we're facing is the bandwidth consumption of the netflow exporting. We are planning to aggregate flows in the router to reduce the data. This we think will reduce the bandwidth consumption of flow-exporting.
Can somebody advise me on which is better, non-aggregated netflow or netflow with aggregation? Is it difficult to analyze the aggregated flows? How granular is it?
Thanks,
Edwin
----- Original Message -----
From: Pranav Shah
To: 'cflowd@caida.org'
Sent: Saturday, March 23, 2002 5:54 AM
Subject: RE: [Cflowd] dst IP only Multicast
Hey Marcus..

I have removed the flow-export aggregation; however, I still see the same thing. One thing I did notice was that in my flow directory, there are two flow files being generated and being updated. One is x.x.x.x.flows.[0-9] (x.x.x.x is the router sending the flows) and the second is the normal flows.* files.

Using flowdumper to see the contents of x.x.x.x.flows.* gives me the src and the dst IPs correctly. However, doing flowdumper on flows.* directory gives me all multicast addresses in my destination IP. I have read through all the Cisco doc. on Netflow but it seems all is properly configured. I cannot figure it out.

Pranav

-----Original Message-----
From: Marcus Beaman [mailto:marcus.beaman@state.or.us]
Sent: Thursday, March 21, 2002 3:45 PM
To: Pranav Shah
Subject: RE: [Cflowd] dst IP only Multicast
I'm not sure that you need the "ip flow-aggregation cache as" line, as that looks like it aggregates only the following information:
The aggregated NetFlow data export records report the following:
a.. Source and destination BGP autonomous system
b.. Number of packets
c.. Number of flows summarized by the aggregated record
d.. Number of bytes summarized by the aggregated record
e.. Output and input interfaces
f.. Timestamp when the first packet is switched and timestamp when the last packet is switched
You might try removing the line (my configs are like that), which will increase your flow file sizes but gives you all flow information. In addition, since netflows only tally data on an interface's input traffic, you need the "ip route-cache flow" statement on all interested interfaces. Since I want to see inbound/outbound traffic to the Internet, I put "ip route-cache flow" on my ISP interface (inbound stats from the Internet = inbound traffic) and on my network interface (inbound from my network to internet = outbound traffic). If you still want to aggregate (does it work with version 5? I know it does with 8), you might try the "ip flow-aggregation cache protocol-port" since this includes src/dst IP's (http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/netflow.htm#80372)

Make sure you also have the requirements for aggregating:
You must take these prerequisites into consideration before configuring the NetFlow Aggregation feature:
a.. Ensure that the following functionality is configured on your system before you configure an aggregation cache:
    a.. IP routing
        For information on IP routing configuration, refer to the Cisco IOS Release 12.0 Network Protocols Configuration Guide, Part 1.
    a.. Cisco Express Forwarding (CEF)
        For information on CEF configuration, refer to the Cisco IOS Release 12.0 Switching Services Configuration Guide.
    a.. NetFlow switching
        For information on NetFlow configuration, refer to the Cisco IOS Release 12.0 Switching Services Configuration Guide and the
b.. If you intend to use a version 8 aggregation cache, configure a version 5 main cache.
c.. If you need autonomous system information from the aggregation, make sure to specify the <peer-as | origin-as> options in your export command if you have not configured an export version.
Good Luck,
-Marcus
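
On the granularity question raised in this thread, the following is an added example (not written by any of the posters, and not cflowd or IOS code) that collapses detailed flow records into the AS aggregation record fields listed in the quoted reply. The flow records, field names and the helper `answerable` are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample of detailed (version 5 style) flow records. Addresses are
# documentation ranges and AS numbers are private-use; all values are made up.
Flow = namedtuple(
    "Flow", "src_ip dst_ip proto dport src_as dst_as in_if out_if pkts octets first last")

SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 6, 80, 64512, 64513, 1, 2, 12, 9000, 1000, 1400),
    Flow("192.0.2.11", "198.51.100.5", 6, 80, 64512, 64513, 1, 2, 8, 4000, 1100, 1900),
    Flow("192.0.2.10", "198.51.100.9", 17, 53, 64512, 64513, 1, 2, 1, 76, 1500, 1500),
    Flow("192.0.2.77", "203.0.113.20", 6, 22, 64512, 64514, 1, 3, 40, 30000, 1200, 5200),
    Flow("203.0.113.20", "192.0.2.77", 6, 22, 64514, 64512, 3, 1, 35, 5200, 1210, 5190),
]

# Fields that survive in an AS aggregation record, per the list in the thread.
AS_RECORD_FIELDS = {"src_as", "dst_as", "in_if", "out_if",
                    "flows", "pkts", "octets", "first", "last"}

def aggregate_by_as(flows):
    """Collapse detailed flows into records keyed by (src_as, dst_as, in_if, out_if)."""
    cache = {}
    for f in flows:
        key = (f.src_as, f.dst_as, f.in_if, f.out_if)
        rec = cache.get(key)
        if rec is None:
            cache[key] = {"flows": 1, "pkts": f.pkts, "octets": f.octets,
                          "first": f.first, "last": f.last}
        else:
            rec["flows"] += 1
            rec["pkts"] += f.pkts
            rec["octets"] += f.octets
            rec["first"] = min(rec["first"], f.first)  # earliest first-switched
            rec["last"] = max(rec["last"], f.last)     # latest last-switched
    return cache

def answerable(question_fields, record_fields=AS_RECORD_FIELDS):
    """True if every field a question needs is still present in the export."""
    return set(question_fields) <= set(record_fields)

if __name__ == "__main__":
    agg = aggregate_by_as(SAMPLE_FLOWS)
    print(f"{len(SAMPLE_FLOWS)} detailed flows -> {len(agg)} aggregated records")
    for key, rec in sorted(agg.items()):
        print(key, rec)
    # Traffic volume between two ASes survives aggregation...
    print("AS-to-AS volume:", answerable({"src_as", "dst_as", "octets"}))
    # ...but per-host or per-port questions cannot be answered afterwards.
    print("host/port detail:", answerable({"src_ip", "dport"}))
```

The export shrinks from five records to three here, and the per-host and per-port detail that an investigation of a single address would need is gone from the aggregated records.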