04-25-2018 12:50 AM - edited 03-01-2019 06:33 PM
Hey guys,
I was searching for best practices regarding IP flow cache timeouts, but I didn't find anything.
Independent of which system (ASA, switch or router), what did you configure for the ip flow-cache active timeout and inactive timeout? Or do you know of something like a best practice?
The reason I would like to have this info is that I have some peaks in my monitoring system (PRTG) which could be caused by that timeout configuration.
cheers Tim
04-25-2018 05:46 AM
It really depends on the data you want to collect, but there is a limitation in PRTG for the active timeout. 60 minutes (unless you want to use 0 to collect everything) is the max you can configure in PRTG and it tells you to set this higher than the active timeout on the device being monitored.
In our setup with PRTG we use the default active timeout of 30 min and in PRTG we set the timeout to 31 min and it seems to work fine for us.
The inactive timeout is a little more important if you want to look at the stats directly on the switch. We use the inactive timeout of 5 min and when we log into a switch we know we are getting at least the last 5 min of data when we look at the flow cache directly.
I would say that if you are only using PRTG to check the netflow stats you can probably just keep the default value since it should capture all active flows and there wouldn't be much need for inactive flows after the fact.
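The peaks in the collector can come from the active timeout itself: a flow that never goes idle is only exported once per active-timeout interval, so a collector that books the record's bytes at export time sees the whole interval's traffic land in one bucket. Below is an added example (not code from this thread or from PRTG/Cisco) that replays constructed packets through a simplified NetFlow-style cache; it assumes expiry is checked on packet arrival rather than on the device's own timer, which is a simplification.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowRecord:
    key: tuple      # constructed flow key, e.g. (src, dst, dport)
    first: float    # first packet time covered by this record (seconds)
    last: float     # last packet time covered by this record (seconds)
    nbytes: int
    reason: str     # "active", "inactive" or "final" (cache flushed at end)


def simulate_cache(packets, active_timeout, inactive_timeout):
    """Replay (time, key, size) packets through a NetFlow-style cache.

    An entry is exported when it has lived for active_timeout, or when no
    packet for it has arrived for longer than inactive_timeout. Both checks
    run on packet arrival (simplification of the device's periodic timer).
    """
    cache, records = {}, []
    for t, key, size in sorted(packets):
        for k, e in list(cache.items()):           # idle entries expire first
            if t - e["last"] > inactive_timeout:
                records.append(FlowRecord(k, e["first"], e["last"], e["bytes"], "inactive"))
                del cache[k]
        e = cache.get(key)
        if e is not None and t - e["first"] >= active_timeout:
            records.append(FlowRecord(key, e["first"], e["last"], e["bytes"], "active"))
            e = None                               # long flow is split here
        if e is None:
            e = cache[key] = {"first": t, "last": t, "bytes": 0}
        e["last"] = t
        e["bytes"] += size
    for k, e in cache.items():                     # flush whatever is left
        records.append(FlowRecord(k, e["first"], e["last"], e["bytes"], "final"))
    return records


def bytes_by_export_bin(records, bin_size):
    """What a collector sees if it credits each record's bytes to its export time."""
    bins = defaultdict(int)
    for r in records:
        bins[int(r.last // bin_size) * bin_size] += r.nbytes
    return dict(bins)


def sample_packets():
    """Constructed traffic: one 90-minute flow at 1500 B/s plus one short flow."""
    long_flow = [(t, ("10.0.0.1", "10.0.0.2", 443), 1500) for t in range(5400)]
    short_flow = [(100 + i, ("10.0.0.3", "10.0.0.2", 53), 100) for i in range(10)]
    return long_flow + short_flow


if __name__ == "__main__":
    recs = simulate_cache(sample_packets(), active_timeout=1800, inactive_timeout=300)
    for r in recs:
        print(r)
    # The true rate is 900000 B per 10-minute bin, yet the collector sees
    # 2700000 B in three bins and nothing in the others: the "peaks".
    print(bytes_by_export_bin(recs, 600))
```

With a 30-minute active timeout the steady 1500 B/s flow shows up as three 2.7 MB spikes at 30-minute spacing instead of a flat line, which is why PRTG's own interval should be set above the device's active timeout.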
04-25-2018 07:29 AM - edited 04-25-2018 08:07 AM
Hello!
I recommend you read this post https://communities.cisco.com/thread/34957?start=0&tstart=0
and this other one https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/Cisco_NetFlow_Configuration.pdf
Do not forget to rate/mark useful answers.
Regards,