Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1167
Views
0
Helpful
2
Replies

NetFlow Export limitations

bberry
Level 1
Level 1

‎07-30-2010 08:04 AM

Are there limitations on the ports that a netflow export actually exports? The reason I am asking is that we have been using a netflow collection system for a while and have been comfortable with it. It has seems to be reporting what we need. Today however I noticed something that I am trying to understand.

I applied an access list to an interface to liit traffic and added a log to make sure I have everything correct. I looking at the log there seemed to be a lot of traffic on port 5190 which seemes to be part of ALO stuff. I was courious about this traffic so pulled up my NetFlow collector and it is reporting that there has never been any traffic on this port that it recorded. I then started looking at the cache flow information and there does not seem to be any record for port 5190 as well. Unless it is happening so fast with single packets that it is rollling out of the cache I am just wondering where it is.

Anyone have any more thoughts on this??

Brent

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎07-30-2010 03:21 PM

Brent

Firstly - I am not aware of any limitations or restrictions in NetFlow about specific ports not being reported.

Secondly - I would suggest looking at the logs that are generated about this port. You should be able to tell from the log message whether there was a single packet or multiple packets that matched the ACL and are represented in the log.

HTH

Rick

HTH

Rick
0 Helpful

Jan Nejman
Level 3
Level 3

‎08-03-2010 08:55 AM

Hello,

  NetFlow is measured on the input. Flow means, the packet reach the box, but it doesn't mean the the measured packet came from the box.

If you are limiting packets in the netflow you will see all packets.

NetFlow in Cisco implemenation has several limitations. In most cases the limitation

is defined by your model. On 7200 etc netflow is made in software on 6500/7600

devices netflow is made in hardware. It depends on your supervisor how many

flows can your hardware store. Usually it is between 128000 and 256000 flows.

If flowcache is full, the information about packet is dropped. It is recommended

to check netflow cache utilization. Please, let me know if you need more

information about it.

Kind regards,

Jan Nejman

Caligare, co.

http://www.caligare.com/

0 Helpful
Customers Also Viewed These Support Documents