Tuesday, April 16, 2013

NetFlow vs SNMP interface stats

I won't write a lot of words to explain what NetFlow and SNMP are; if you want to know, you could google them, and normally the first link would fit your need.

Today I encountered a problem: my Cacti weathermap and my NFSEN NetFlow traffic map showed different results.


Cacti output

NFSEN output



In my Cacti, the traffic was around 1.4m, but in my NFSEN it was only around 270k!

I was stuck there for a while, then I googled 'netflow' and figured out what was going on.

In fact, NetFlow only records traffic in a single direction, going into or out of a specific interface on a NetFlow exporter; normally the exporter is a router. NetFlow records traffic per flow, such as a TCP session. It does not read the router's interface stats; instead, the exporter sends all the flow stats to a server, which processes them and displays them to you. That is why you find a timeout parameter when you configure NetFlow on a router. On a Cisco router it looks like:

        ip flow-cache timeout active 5

This value tells the exporter to export a flow's stats to the analyzer every 5 minutes, even if the flow has not closed yet. Because of that, the NetFlow chart from NFSEN cannot be used for real-time traffic analysis. Even for analysis over a short period it does not make sense. Due to its flow nature, we can only use it to analyze historical data, which is still very useful: NetFlow records packet headers, so we know which protocols and IPs are consuming our bandwidth, and if necessary we can block or limit access for that IP or protocol. This is very useful for a network or security admin.

But we have to be aware that NetFlow works in a single direction only: you analyze either inbound or outbound data. In a non-load-balanced environment that is OK: we can simply enable NetFlow on both sides and we get all the traffic on the path. In an MPLS or load-balanced environment you can do the same thing, but you need to be aware that inbound and outbound traffic do not go through the same path; that is to say, you have to analyze the traffic on all the paths used to balance the traffic. That was what I encountered this afternoon.
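The comparison described above, as an added example that is not from the original post: it prorates flow records that overlap a 5-minute window and sums both directions over every exporter, next to a rate computed from SNMP octet counters. The router names, ifIndex values and flow records are constructed, and the record layout is an assumption of this example, not nfdump's format.

```python
from collections import namedtuple

# Constructed flow records; field names are this example's, not nfdump's.
Flow = namedtuple("Flow", "exporter in_if out_if start end octets")

def snmp_bps(octets_t0, octets_t1, seconds, counter_bits=64):
    """Bits/s from two interface octet-counter samples, tolerating one wrap."""
    return ((octets_t1 - octets_t0) % (1 << counter_bits)) * 8 / seconds

def flow_bps(flows, t0, t1, exporter, ifindex, direction):
    """Bits/s NetFlow attributes to one interface, one direction, in [t0, t1).

    A record cut by the active timeout can cover minutes of traffic, so its
    octets are spread evenly over its duration and only the overlap counts.
    """
    total = 0.0
    for f in flows:
        side = f.in_if if direction == "in" else f.out_if
        if f.exporter != exporter or side != ifindex:
            continue
        end = max(f.end, f.start + 1)          # single-packet flows last 1 s
        overlap = min(end, t1) - max(f.start, t0)
        if overlap > 0:
            total += f.octets * overlap / (end - f.start)
    return total * 8 / (t1 - t0)

def all_paths_bps(flows, t0, t1, wan_ifs):
    """Sum both directions over every (exporter, ifindex) carrying the traffic."""
    return sum(flow_bps(flows, t0, t1, exp, ifx, d)
               for exp, ifx in wan_ifs for d in ("in", "out"))

# Constructed sample: r1 and r2 share the load, ifindex 2 is each WAN link.
FLOWS = [
    Flow("r1", 1, 2, 0, 300, 7_500_000),     # outbound via r1
    Flow("r1", 1, 2, 150, 450, 3_750_000),   # outbound, half inside the window
    Flow("r1", 2, 1, 0, 300, 3_750_000),     # some return traffic via r1
    Flow("r2", 2, 1, 0, 300, 37_500_000),    # most return traffic via r2
]

if __name__ == "__main__":
    print("r1 out, NetFlow :", flow_bps(FLOWS, 0, 300, "r1", 2, "out"))
    print("r1 out, SNMP    :", snmp_bps(0, 9_375_000, 300))
    print("r1 in only      :", flow_bps(FLOWS, 0, 300, "r1", 2, "in"))
    print("all paths       :", all_paths_bps(FLOWS, 0, 300, [("r1", 2), ("r2", 2)]))
```

A graph built from one exporter and one direction shows only its own share of the traffic, while the per-direction NetFlow rate agrees with the SNMP counter rate for the same interface once the record that crosses the window edge is prorated.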

From the screenshots you can see that the NFSEN output is similar to the Cacti output, but there are still differences.

Based on the lesson I learned, I figured out why we still need an SNMP analysis engine like Cacti even when we already have NetFlow: Cacti shows the pure traffic stats, which helps the network admin understand bandwidth usage, while NetFlow helps the network admin figure out who the bad guy poisoning your network is.

