Difference in SNMP & NetFlow Interface Utilization Report

AdnanShahid
Level 1

Hi All,

We are using SNMP (MRTG & 3rd Party Software - CA eHealth) & NetFlow (3rd Party Software - CA NetQoS) to monitor our router interface utilization and traffic. However, the trend reports of SNMP and NetFlow are showing a difference in utilization.

Does anyone have any idea why this is happening? Or is it the expected scenario?

Thanks in advance.

Regards,

Adnan

2 Replies

jakewilson
Level 1

Hello Adnan,

We have gotten this question a few times. Here is a FAQ for you to consider:

Why are my graphs reporting over 100% utilization?

  1. The interface speed is not correct. Many NetFlow collectors use the speed specified in the SNMP OID. Log in to the router or switch and fix the problem, or fix it in the NetFlow reporting tool. In Scrutinizer: go to Device Details and manually type in the correct speed. NetQoS should allow you to do something similar.
  2. The active timeout has not been set to 1 minute on the router. Log in to the router or switch and fix the problem.
  3. Non-dedicated burstable bandwidth, where the ISP allows you to use over the allocated bandwidth.
  4. Both ingress and egress NetFlow collection have been enabled on the interface. This can work properly if the direction bit is set in the egress flows. Most NetFlow reports work ideally when only ingress NetFlow collection is configured on all interfaces. Only egress on all interfaces is also possible.
  5. Do you have any encrypted tunnels on the interface? This can cause traffic to be counted twice on an interface. In Scrutinizer go to Admin Tab > Definitions > Manage Exporters. Click on the round icon with the '-'. When you mouse over the icon, the ALT will display "View the current protocol exclusions of this device." Click on this and make sure the protocols below are being excluded. CA (NetQoS) should allow you to do something similar in their tool.
    • 47 - GRE, General Routing Encapsulation.
    • 50 - ESP, Encapsulating Security Payload.
    • 94 - IP-within-IP Encapsulation Protocol.
    • 97 - EtherIP.
    • 98 - Encapsulation Header.
    • 99 - Any private encryption scheme.
  6. Full Flow Cache: All flows are stored in the flow cache on the router before export. Once the cache is full, it stops adding entries into the cache until it expires them. When events such as a DDoS or a "social event" occur, the router's cache becomes full. The cache can be increased; however, it will use more memory and could have a negative impact on the router. A loss of flows will cause the NetFlow reporting solution to understate utilization.

Please vote if this post helps resolve your problem.

Sincerely,

Jake Wilson

NetFlow Knight
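
The effect of FAQ items 2 and 5 on a utilization graph, as an added example that is not part of the thread or of any collector's code. It assumes a collector that bins each flow record's bytes into the minute the record was exported; the exporter model, the 10 Mb/s link and all flow records are constructed.

```python
from collections import defaultdict

# IP protocol numbers the FAQ lists for exclusion (item 5).
TUNNEL_PROTOS = {47, 50, 94, 97, 98, 99}

def utilization_by_minute(flows, if_speed_bps, exclude=frozenset()):
    """Return {minute: percent utilization}, binning each flow record's bytes
    into the minute it was exported (assumed collector behaviour)."""
    octets = defaultdict(int)
    for export_ts, proto, nbytes in flows:
        if proto in exclude:
            continue
        octets[export_ts // 60] += nbytes
    capacity = if_speed_bps / 8 * 60  # bytes the link can carry per minute
    return {m: round(100 * b / capacity, 1) for m, b in sorted(octets.items())}

def export_long_flow(start, duration, rate_bps, active_timeout, proto=6):
    """Constructed exporter model: a steady flow is cut into one record per
    active-timeout interval, each exported when that interval ends."""
    records, t = [], start
    while t < start + duration:
        span = min(active_timeout, start + duration - t)
        records.append((t + span - 1, proto, int(rate_bps / 8 * span)))
        t += span
    return records

LINK_BPS = 10_000_000  # constructed 10 Mb/s interface

def demo():
    # One 5-minute transfer at a steady 5 Mb/s (50% of the link throughout).
    slow = utilization_by_minute(export_long_flow(0, 300, 5_000_000, 300), LINK_BPS)
    fast = utilization_by_minute(export_long_flow(0, 300, 5_000_000, 60), LINK_BPS)
    # Tunnel traffic seen twice: ESP (50) wrapper plus the inner TCP (6) flow.
    tunnel = [(59, 50, 7_500_000), (59, 6, 7_500_000)]
    doubled = utilization_by_minute(tunnel, LINK_BPS)
    fixed = utilization_by_minute(tunnel, LINK_BPS, exclude=TUNNEL_PROTOS)
    return slow, fast, doubled, fixed

if __name__ == "__main__":
    labels = ("active timeout 300 s", "active timeout 60 s",
              "tunnel counted twice", "tunnel protocols excluded")
    for label, result in zip(labels, demo()):
        print(f"{label:26} {result}")
```

With a 300-second active timeout the whole transfer lands in one minute and graphs at 250%, while a 60-second timeout reproduces the steady 50%.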

Hi Jake,

Thank you very much for your informative reply. Please find my answers according to your suggested points.

1) Ok in our case.

2) Ok in our case.

3) Ok, I guess. The router we are monitoring is sitting between the Internet and the firewall. The NetQoS server is in the inside zone and the router is in the outside zone. The interface we are monitoring on that router is connected to another network of ours. So the link is NetQoS Server>FW>Router.

4) OK, I guess. We are trying only with ingress. Egress is removed.

5) Ok, I guess. There is no encrypted tunnel associated with that router interface.

6) This thing we might need to check. Is there any way we can check this? In case the cache is full, how can we increase the cache? We are using a Cisco 7606, so I believe there shouldn't be any issue allocating more memory to the cache.

In addition to this, I am sharing with you the picture of the interface utilization difference between MRTG and CA NetQoS NetFlow so that you can have a clear view. Please see below.


I would appreciate it if you could share your further opinion.

Thanks in advance.

Adnan.