Additional Netflow on ASR1002

Kums M
Level 1

Hi all,

I need help regarding Netflow implementation - I have an ASR1002 already configured with Netflows, and I need insight on the following.


Let's say I were to implement 1 Netflow connection, or even 2, to different destinations. Would you happen to know what kind of research I should do to see whether it's feasible?

Should I take a look at the average CPU/memory usage? at the FPS? any other traffic pointers which can help to identify whether one router is able to handle a certain amount of Netflow load/connection? What would be an unsuitable environment or inappropriate conditions to implement Netflow?

Basically, what kind of information about Netflow can I gather from an ASR1002, and how do I process this information and use it to identify whether I can add more Netflows?

7 Replies

Mark Malone
VIP Alumni

Hi

You should be fine with 2 netflows. I have ASR 1000s and X series all running flex netflow with multiple destinations, and they don't even register the CPU it uses, it's that little. Even our 4331s can handle multiple destinations. I wouldn't be too concerned about resources being over-utilized with 2 destinations. Obviously, if you start setting up a large amount you might want to check as each one gets set up, but generally most companies would only have 1 or 2 management software tools that receive this kind of information.

For my setup, 1 goes to a tool called LiveAction that can break down netflows right to the DSCP and map the paths of traffic; it discovers and creates visual paths of traffic throughout the network.

The 2nd goes to a tool called NetQoS, which is another management tool which can collect information as well from Cisco and non-Cisco devices; I think the newer version is called UIM.

This pulls everything from stats of the interface to CPU of the device, down to the DSCP values being seen on interfaces.

You really need some software to process it correctly. There are freeware tools available as well if you search online; maybe PRTG is one you could use, as the tools above are very expensive to license.

Thanks a lot for taking the time to respond, Mark!

First, let me add that I'm kind of new to Netflow. I know the concept roughly, but it's only now that I'm being asked to really look into the solution. So I am not familiar with it at all. I've spent some time reading online and could not find much info as to the requirements for my situation.

I think I should have mentioned the following earlier so, apologies if I missed some important details.

We have above 100 websites hosted in the data center, and already have 2 Netflows to 2 different third parties (we are not actually catching and analyzing the data on our side). The previous Netflows were not configured by me. However, this time, I'm being asked to assess the feasibility of an additional one and configure it for the purpose of DDoS detection and protection. I'd like to also mention that the reason I'm not very confident is because I'm not being given a full view of the whole infrastructure and also of the impact it might have if something goes wrong.

1. So, would you know what can go wrong in a simple Netflow configuration, what impact it can actually have, if for any reason, the router is not able to handle it?

2. We are planning on a 1/1000 sampling rate and the current average CPU utilization is roughly 5-10%.

3. Is there anything else I should keep in mind when configuring Netflow?

Thanks again! 

Hi

I haven't gone that far into it really. I do use it every day and in fairness it's a great feature and stable. The problem we usually have is not on the Cisco side but on the collector side: we have over 1000 network devices globally reporting, and we have had issues of the actual collectors struggling to keep up, not the devices themselves, and sometimes failing on collection even though the devices are sending it correctly. So I would be checking the collector side, what they can handle in terms of flows and what's recommended by that vendor in terms of flows, if you're going to increase it. I don't think you will have any issue on the Cisco side; they will keep pumping out the flows and it's just statistics, so it's not resource heavy on powerful routers like that. We have 800s as well on smaller IPsec sites doing multiple flows, no issues with them.

Regarding DDoS, yes, netflow is good for this, but I'm sure you're also using firewalls and maybe TippingPoint or some IDS/IPS as well, as netflow can only show; it can't do any protection.

The main thing that could go wrong from my experience will be the collector side will crap out and stop collecting flows. Once a router is set to send flows I have never seen it break from the Cisco side, always the collector: too many flows, maxed-out CPU on the box, not seeing all flows, can't scale flows correctly, etc.

If it was me in your situation I would get as much background on what your collectors can handle from the vendor, start slow, add bit by bit, always leave it to monitor for a day or 2 and see what the effects are during peak traffic, as that's when the flows will be rampant. Make sure not to overload anything.

Don't worry about CPU unless you're sitting at 60% or above constantly, or your interrupts are over 5-10% constantly. ASRs are very high-end, powerful routers that can handle a lot.

As well, we don't do sampling; we just let netflow run full, as we need to capture everything as company policy, and it doesn't even impact our CPUs on the lower-end routers at all.

See below, a couple of good points as well:

https://communities.cisco.com/thread/34957?tstart=0


Hi

Thanks again for helping out. I've read through your reply and as I mentioned in my message to johnlloyd_13 too, I now understand that CPU usage will not really be an issue and that I should focus more on the netflow configuration itself.

I've also checked with the vendor on the collector. They've assured that there wouldn't be any issue on their side as long as we configure the netflow properly. They also insisted there would not be any overloading on their side.

Now, as I have mentioned in my comment to johnlloyd_13, I tried to configure an additional netflow, while already having two nf v5 configured, and I could see the error message "Exceeded maximum export destinations". I came to the conclusion that there's actually a limit of 2 nf which can be configured.

I'm not sure on how to work around this anymore.

I've checked with the vendor and they've agreed to delete the current nf and replace it with the new one.

Since we have already reached the limit, and we need to delete one and reconfigure another, instead is it possible to just change the destination ip of one netflow without deleting it? Just curious - would there be any downtime in data collection?

Secondly, would the limit apply strictly to an interface? If I configure another nf on another interface, would it work? Say we have backup internet lines and redundant uplinks to core switches.

hi,

Thanks for the rating! I've already mentioned v5 is limited to 2 exporters/destination servers.

Why not configure both netflow v5 and v9 on the ASR? I.e., keep the existing exporter IPs for v5 and configure the new exporter IP for v9?

hi,

Could you confirm you already have 2 existing netflow exporters/servers configured on your ASR?

There's already Flexible NetFlow (FNF)/NetFlow version 9, which is more flexible in terms of what data to collect/export. The 'legacy' or traditional (version 5) netflow supports only 2 netflow exporters AFAIK.

I won't worry too much about CPU usage or netflow overhead on the ASR since they're more 'beefy' routers compared to ISR G2 routers (i.e. 19xx, 29xx, 39xx).

See this helpful link about FNF:

http://wannabelab.blogspot.com/2016/08/configuring-flexible-netflow-fnf-using.html
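As an added example (not part of this thread, and not Cisco's own documentation), here is what the v5-plus-v9 approach suggested above looks like as a Flexible NetFlow configuration on IOS XE: a new NetFlow v9 exporter for the third collector, a random 1-in-1000 sampler matching the rate the original poster plans, a flow record, a flow monitor tying them together, and the monitor applied ingress on an interface. The exporter/record/monitor/sampler names, the collector address 5.5.5.5, UDP port 2055 and the interface names are assumptions; substitute your own. The existing legacy `ip flow-export destination` entries (the list that is capped at two) are left untouched.

```cisco
! Added example, not from the thread: FNF (NetFlow v9) export on IOS XE.
! Names, collector 5.5.5.5, UDP port 2055 and interfaces are assumed.
!
! 1. Exporter: a v9 destination. This is independent of the legacy
!    "ip flow-export destination" list, which only accepts two entries.
flow exporter DDOS-COLLECTOR
 description NetFlow v9 export to DDoS detection collector (vendor 2)
 destination 5.5.5.5
 source GigabitEthernet0/0/0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
!
! 2. Sampler: random 1 in 1000 packets, the rate planned in the thread.
sampler SAMPLE-1-OF-1000
 mode random 1 out-of 1000
!
! 3. Record: the 5-tuple plus input interface as key fields, with
!    counters, timestamps and TCP flags collected. The predefined record
!    "netflow ipv4 original-input" gives the v5 field set if preferred.
flow record DDOS-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! 4. Monitor: binds record and exporter. A 60 s active timeout means a
!    long-lived flood is reported to the collector within a minute.
flow monitor DDOS-MONITOR
 exporter DDOS-COLLECTOR
 record DDOS-RECORD
 cache timeout active 60
 cache timeout inactive 15
!
! 5. Apply on the Internet-facing interface, ingress only, sampled.
interface GigabitEthernet0/0/1
 ip flow monitor DDOS-MONITOR sampler SAMPLE-1-OF-1000 input
```

After applying it, check `show flow exporter DDOS-COLLECTOR statistics` (exported datagrams and any drops), `show flow monitor DDOS-MONITOR cache` (that flows are being created) and `show sampler` (that the sampler is in use). If the router refuses the monitor on an interface that already carries the legacy `ip flow ingress`, apply it on a different interface or migrate the v5 exports into FNF exporters; `no ip flow monitor DDOS-MONITOR sampler SAMPLE-1-OF-1000 input` on the interface backs the change out without touching the existing v5 exports.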

Hey, 

Thanks for your reply. I finally understood that CPU usage wouldn't really be an issue in general, let alone in my case.

Well yes, here are the results:

ASR1002F-01#sh ip flow exp
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 1.1.1.1 (GigabitEthernet0/0/0)
Source(2) 2.2.2.2 (GigabitEthernet0/0/0)
Destination(1) 3.3.3.3 (5000)
Destination(2) 4.4.4.4 (5000)
Version 5 flow records
95155816 flows exported in 80267837 udp datagrams

I've gathered further info on this task:

First one goes to vendor 1, second one goes to vendor 2. Vendor 2 basically wants us to create a second netflow to another collector, while still keeping the first one active. That's so as not to affect the ongoing data collection. However, while trying to configure it, I got a message saying something like "Exceeded maximum export destinations". I discussed with vendor 2 and they told me it's most probably a limitation on the ASR, whereby it can only support a maximum of 2 netflows.

I read more about netflow after your reply and found that there's indeed a limitation on the number of netflows. There's a maximum of 2 which can be configured. However, I'm still not sure where this limitation comes from. Based on your reply, it should be netflow v5's limitation, which kinda makes sense to me. I found that I can also configure something called random sampled netflow; I'm not sure how this works, and how different it will be from the current setup.

I know I can't have full netflow and random sampled netflow enabled on one interface at a time. Does that mean that if I enable random sampled netflow, I will have to reconfigure the netflow to both vendor 1 and 2?

Right now, vendor 2 is in discussion to decide whether they should remove the current netflow before configuring a new one.

Unfortunately my CCNA covered only basic netflow, and since it's the first time I'm being asked to look into this, I have no idea how to use the options that I have, other than basic netflow.
