100% Utilization - Analysis
We have had some customers / evaluators who have reported an issue that NetFlow Analyzer is reporting traffic in the excess of 100%. Considering that NetFlow Analyzer reports data with 1 minute granularity, this spikes are clearly noticable, whereas many SNMP based tools show with 5 minute granularity - where values could get averaged out. We are working with some of the customers and also with Cisco's NetFlow team to explain this.
Let me first get the most common reasons out of the way so that I can get to line of analysis that we are taking:
1. The interface speed is not set right and NetFlow Analyzer uses the default speed of 1 Mbps (which may not be the correct interface speed). NFA can determine the interface speed if you set the appropriate SNMP Port and Community for the router (from the Set SNMP Parameters icon on the Dashboard View right next to the router name). Alternately, you can set the interface speed manually (from the Edit Settings icon on the Dashboard View right next to the interface name)
2. The active timeout has not been set to 1 minute
3. Non dedicated burstable bandwith, where the ISP allows you to use over the allocated bandwith depending on the other cusotmers sharing that link
Now to the analysis:
Several instances where this issue has been reported are cases where the customer has T1 line with Ethernet (at about 100 Mbps) and Serial (at about 1.54 Mbps).
It is possible that we are counting non forwarded flows that are being dropped by the output driver queue on the serial interface. Let us assume a set up similar to the below
Data Source -> Router1 Ethernet -> Router1 Serial -> Router2 Serial -> Router2 Ethernet -> Data Destination
What netflow ingress tells us is that data was received and passed IP routing successfully. It does not mean that the router sent the packet physically on the link. So, if data was flowing left to right the correct place to measure link utilisation is on the ingress interface of Router2. You might be measuring the traffic routed by IP to that interface to be sent (and you are sending more than it can take) - this is a useful customer measure - it tells them to buy a new wider link.
We would be more than willing to talk to any customer with who we can explore this theory in a test set up. This is what we could do.
We can step up traffic generation rates and take measures in one direction only with multiple flows creating the overall rate. The rates I can suggest are 0.5 Mbps, 1Mbps, 1.5Mbps and 2 Mbps. We'll call this rate R - repeat the below for each rate R.
1.) Reboot a router to zero all stats. Capture output from "show int serial" for the said serial interface. The same command on the Ethernet would be good as well.
2.) Run at rate R for three minutes only
3.) Capture output from "show int serial" for the said serial interface and see what the interface stats say. Again Ethernet output would be good.
4.) What does NetFlow Analyzer report ?
5.) Jump to step 1 and up R to the next rate.
This would give us hard data to compare NetFlow Analyzer stats with the interface stats.
As stated above, we would be delighted to give a call ANYTIME and walk you through the above exercise to explain this issue.
Let me assure you that we are commited to having the 100% utlization issue resolve at the earliest.
Thanks for your continued support to our product
Raghu
Let me first get the most common reasons out of the way so that I can get to line of analysis that we are taking:
1. The interface speed is not set right and NetFlow Analyzer uses the default speed of 1 Mbps (which may not be the correct interface speed). NFA can determine the interface speed if you set the appropriate SNMP Port and Community for the router (from the Set SNMP Parameters icon on the Dashboard View right next to the router name). Alternately, you can set the interface speed manually (from the Edit Settings icon on the Dashboard View right next to the interface name)
2. The active timeout has not been set to 1 minute
3. Non dedicated burstable bandwith, where the ISP allows you to use over the allocated bandwith depending on the other cusotmers sharing that link
Now to the analysis:
Several instances where this issue has been reported are cases where the customer has T1 line with Ethernet (at about 100 Mbps) and Serial (at about 1.54 Mbps).
It is possible that we are counting non forwarded flows that are being dropped by the output driver queue on the serial interface. Let us assume a set up similar to the below
Data Source -> Router1 Ethernet -> Router1 Serial -> Router2 Serial -> Router2 Ethernet -> Data Destination
What netflow ingress tells us is that data was received and passed IP routing successfully. It does not mean that the router sent the packet physically on the link. So, if data was flowing left to right the correct place to measure link utilisation is on the ingress interface of Router2. You might be measuring the traffic routed by IP to that interface to be sent (and you are sending more than it can take) - this is a useful customer measure - it tells them to buy a new wider link.
We would be more than willing to talk to any customer with who we can explore this theory in a test set up. This is what we could do.
We can step up traffic generation rates and take measures in one direction only with multiple flows creating the overall rate. The rates I can suggest are 0.5 Mbps, 1Mbps, 1.5Mbps and 2 Mbps. We'll call this rate R - repeat the below for each rate R.
1.) Reboot a router to zero all stats. Capture output from "show int serial" for the said serial interface. The same command on the Ethernet would be good as well.
2.) Run at rate R for three minutes only
3.) Capture output from "show int serial" for the said serial interface and see what the interface stats say. Again Ethernet output would be good.
4.) What does NetFlow Analyzer report ?
5.) Jump to step 1 and up R to the next rate.
This would give us hard data to compare NetFlow Analyzer stats with the interface stats.
As stated above, we would be delighted to give a call ANYTIME and walk you through the above exercise to explain this issue.
Let me assure you that we are commited to having the 100% utlization issue resolve at the earliest.
Thanks for your continued support to our product
Raghu