cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
473
Views
0
Helpful
0
Replies

Netflow behaviour for terminating flows

sebastian.lemke
Level 1
Level 1

Hi experts,

I am currently using Flexible Netflow to do quick analyses concerning top talkers on WAN routers.

My config looks like this:

flow record FLOW
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect application name

flow monitor MON
 record FLOW
 cache timeout inactive 3600
 cache timeout active 3600

interface Tunnel1
 ip flow monitor MON input
 ip flow monitor MON output

I am using the following command to display the top 50 talkers:

show flow monitor MON cache aggregate ipv4 source address ipv4 destination address ipv4 protocol transport source-port transport destination-port collect application name counter bytes sort counter bytes top 50

This output gives me the data which is currently in my local cache = the flows which are not yet exported.

I understand that

- active flows are "cut" into separate flows after the configured timer of 3600 seconds

- inactive flows are timed out after 3600 seconds as well

In both cases the flows remain in my local cache for at least 3600 seconds.

 

My question: What happens with flows which are terminated regularly, e.g. by capturing a TCP FIN flag. Are these flows immediately cleared from my cache? Can I somehow influence the behaviour to force the router to keep terminated flows in the cache for some time?

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: