SNMP and netflow difference

oizetbegovic · ‎11-30-2012

Hi everyone,

I've got an issue with SNMP and netflow tools. They are displaying different data for the same (sub)interfaces. I'll explain in detail...

I've got metroethernet link which connects root A (Cisco 7606, 12.2(18)SXF8) and root B (Cisco 2811, 12.3(11)TS). MPLS is configured on the link (behind root B there is no more MPLS). I'm attaching root configurations (I've ommited parts of config).

Interfaces are:

Root A - gi2/6.2144

Root B - fa0/1

I've configured SNMP and netflow on both devices. I'm using two SNMP tools (CA Spectrum and eHealth) and two netflow tools (CA NetQoS ReporterAnalyzer and Fluke Networks NetFlow Tracker) to collect the data.

SNMP tools show the same info for defined (sub)interface.

Netflow tools also show the same info for defined (sub)interface.

I'm attaching reports from one SNMP tool and one netflow tool for the same time period.

1. Looking at SNMP tool, it can be seen quite amount of that data in both in and out direction.

2. Looking at netflow tool, it can be seen quite amount of that data in out direction, while in direction shows small amount of data.

I'm aware that Cisco has difficulties with SNMP counters on subinterfaces. I'm also aware that MPLS netflow has its own difficulties.

Root B netflow configuration is quite simple as it has just 2 interfaces to configure netflow on (Fa0/0 and Fa0/1). So I would guess SNMP and netflow data should match, but they don't. When you look at SNMP tool reports for roots A and B, it can be seen that traffic volume is practically mirrored.

Do you have any similar situation or some advice that could help me figure this out?

Thanks in advance!

jakewilson · ‎11-30-2012

Hello,

Here are some things to consider:

Is there any non IP traffic > NetFlow won't report on it
Is there any multicast IP traffic> NetFlow won't report on it
Are these parameters set
- cache timeout inactive 5
- cache timeout active 60
A busy router sometimes can’t keep up with flow exports.
- Command to type: Router_name>sh ip flow export
  At the bottom of the export, look for something like "294503 export packets were dropped due to IPC rate limiting". If this counter is incrementing, the hardware cannot keep up with the export demands.
What do the NetFlow Missed Flow Sequence Numbers look like?
If looking at outbound utilization, please ensure that NetFlow is enabled on ALL interfaces as Outbound is determined using inbound flows.

If any of the above help, please vote on my post.

Thank you and good luck.

oizetbegovic · ‎12-03-2012

Hi Jake,

I know netflow won't report on non IP traffic. There is MPLS configured on these interfaces.

There are few packets dropped when looking at 'sh ip flow export' output.

Active and inactive parameters are set.

There is minimal amount of missed flows at my netflow receiver for each of devices.

Netflow is enabled on all physical interfaces on both devices. And netflow is showing very small amount of traffic in inbound direction and almost SNMP similar amount of traffic in outbound direction.

mikek · ‎12-12-2012

One way to skin this cat might be to NOT enable netflow metering on the MPLS side interface in the 2811 and try INGRESS/EGRESS on the other side. You should be able to see all of the traffic on all interfaces.. You arejust moving your observation point away from that MPLS stuff. The 7606 might be a bit more difficult due to there being more interfaces to deal with.

Make sure you use v9 so that flow direction is exported. That should help your reporing solution de-duplicate data.

Let us know if this workaround helps!