Incorrect traffic information in NetFlow Analyzer
NetFlow Analyzer shows information based on the flow packets (NetFlow, sFlow, J-Flow, NetStream, etc.) exported by the device to the server on which NetFlow Analyzer is installed.
We have seen many customers report that the per-interface utilization shown in NetFlow Analyzer is wrong. This can be due to the reasons below:
1. Active Timeout:
NetFlow Analyzer shows traffic information with 1 min granularity for real-time traffic details from the interface. If the device does not send traffic information every 1 min, you will get wrong utilization reports for the interface in NetFlow Analyzer.
To make sure that the device sends traffic information every 1 min, set the active timeout to 1 min or 60 sec (by default it is 5 mins or 1800 sec) in the device configuration.
2. Link Speed not set correctly:
NetFlow Analyzer auto-discovers the device and its interfaces based on the flow packets exported by the device. The device is discovered under the source interface IP address configured on the device, and its interfaces are listed by ifIndex with a default speed of 1 Mbps.
NetFlow Analyzer calculates utilization based on the link speed. For example, if the link can handle 1 Mbps and the actual traffic passing through an interface is about 512 Kbps, the utilization graph in NetFlow Analyzer displays the traffic percentage as 50 %. The formula below shows how NetFlow Analyzer calculates utilization.
Utilization = Actual Speed / Link Speed * 100
So if the link speed or the interface speed is not configured properly, you will get wrong utilization information. We use the read-only SNMP community configured on the device to update the device name, interface name and interface speed (Please click on the link for the steps), or you can manually update the interface speed to get the correct traffic information (Inventory -> Flow Analysis -> Interfaces -> Drill down -> Interface Details).
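The effect of reasons 1 and 2 can be reproduced with a small model. This is an added example, not NetFlow Analyzer code: it assumes a simplified collector that credits each exported record's traffic volume to the minute in which the record arrives, and the function name and sample values are constructed.

```python
# Added illustration, not ManageEngine code. Assumed collector model: the
# traffic volume in each exported flow record is credited to the minute in
# which the record arrives.

def per_minute_utilization(rate_kbps, duration_s, active_timeout_s, link_speed_kbps):
    """Utilization (%) per 1-minute bin for one steady, long-lived flow."""
    bins = [0.0] * (duration_s // 60)          # kilobits credited to each minute
    last_export = 0
    for t in range(active_timeout_s, duration_s + 1, active_timeout_s):
        # The device exports what it has seen since the previous export.
        kbits = rate_kbps * (t - last_export)
        bins[(t - 1) // 60] += kbits           # minute in which the record lands
        last_export = t
    # Utilization = Actual Speed / Link Speed * 100, per 60-second bin
    return [round(kb / 60 / link_speed_kbps * 100, 1) for kb in bins]


if __name__ == "__main__":
    # Constructed sample: 512 Kbps steady for 10 minutes on a 1 Mbps (1024 Kbps) link.
    for timeout in (60, 300):
        print(timeout, per_minute_utilization(512, 600, timeout, 1024))
    # Constructed sample: 5120 Kbps on a 10 Mbps link left at the 1 Mbps default.
    print("default speed:", per_minute_utilization(5120, 600, 60, 1024)[0])
    print("correct speed:", per_minute_utilization(5120, 600, 60, 10240)[0])
```

With a 60 sec active timeout every minute reads 50 %; with a 5 min timeout the same steady flow appears as empty minutes followed by a spike far above 100 %.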
3. Configuration Command issue:
There are multiple commands to enable NetFlow export from an interface, such as "ip flow ingress", "ip flow egress" and "ip flow monitor":
If your requirement is to monitor only a single interface of the device, enable both the "ip flow ingress" and "ip flow egress" commands on that particular interface alone.
If you are going to monitor multiple interfaces, enable the command "ip flow ingress" alone on all the interfaces of the device.
4. Non-dedicated burstable bandwidth:
Certain ISPs allow you to use the allocated bandwidth depending on the other customers sharing that link. So, even though the max bandwidth is 2 Mbps, the ISP may allow you to use even more based on availability. This also affects the accuracy of reporting in NetFlow Analyzer, causing incorrect bandwidth utilization values, even values of more than 100%.
5. ESP and GRE traffic:
This is another reason for traffic to get double counted in NetFlow Analyzer. With NetFlow data, tunnel traffic is accounted once as normal traffic before encryption and again as encrypted traffic. NetFlow Analyzer has an option to filter this kind of encrypted tunnel traffic from the reports. This option is available under Settings -> NetFlow -> Flow Filter Settings -> ESP or GRE Filter.
6. Interface Bandwidth of IN interface and OUT interface:
Any analyzer tool calculates the OUT traffic of an interface based on the IN traffic of the interface that sends traffic to it. When traffic passes from a higher speed interface to a lower speed interface, deriving the OUT traffic from the higher speed IN traffic causes incorrect utilization to be shown for the OUT traffic.
The above reason for more than 100 % utilization on OUT traffic can be resolved by enabling only "ip flow egress" on all the interfaces.