Frequently Asked Questions about Netflow on the DFE N-Series

Article ID: 7485
Updated 5 years ago

Products
DFE
Matrix N-Series
Firmware 5.31.17 and higher 

Discussion
  1. What defines the destination for the exported Netflow records?

     There is no default destination IP address, and the default destination UDP port is 2055. The destination IP address, and optionally the UDP port, can be configured, and both parameters can also be displayed.

  2. Are records for ICMP exported? Is an ICMP flow terminated immediately, or does it persist for a configurable period of time? Is there a record exported when the flow is terminated?

     There is no unique Netflow processing for ICMP or any other protocol type. As long as we have a hardware connection established for that flow, we generate records as described below.

  3. How long do flows for UDP persist? Are records exported at the beginning and the end of the flow?

     Nothing is unique for UDP. All flows exist until they age out or are torn down by firmware (see the answer on TCP flow creation and teardown below). Netflow records are generated in two ways:

     1. The flow ends (it ages out or is torn down).
     2. Via the active timer mechanism, which is a configurable parameter. If a flow is active for X minutes, we generate a netflow record for that flow every X minutes. This defaults to 30 minutes and can be set as low as 1 minute. So if a flow is active for 75 minutes, we generate a record at 30 minutes, another at 60 minutes, and another at 75 minutes (when it ages out). Each record carries the statistics for the period it covers.

  4. What specifically triggers the creation and tearing down of a TCP flow? A SYN with no accompanying ACK at the beginning? A RST or FIN at the end? Does Netflow operate bidirectionally?

     The DFE does not pay attention to TCP options when creating or tearing down flows. Flows (TCP or not) are created when a packet arrives whose destination MAC (MAC DA) has been learned on a port, and there are no rules preventing that packet from being switched to that port. The layer of the flow (L2/L3/L4) depends on which applications (routing, policy, etc.) are active, but flow establishment is still based on old-fashioned learning of MAC addresses.

     Flows are torn down in two ways:

     1. Age out. This happens when no packet has hit the flow in 40 seconds.
     2. Explicit teardown by firmware. This happens when a rule that went into the formation of the flow has changed; examples would be the destination port going into an STP non-forwarding state, or a policy rule change.

     Netflow operates ingress only. So for a conversation from fe.1.1 to fe.1.2, if you enable netflow on fe.1.1 you will only see flows going from fe.1.1 to fe.1.2. If you also enable it on fe.1.2 you will then see both directions. Note: there is no limit on the number of ports you can enable.

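     The active timer and the 40-second age-out described in the two answers above together determine when a collector will see a record for a given flow, and what period each record covers. The simulator below replays a packet trace for one flow key and lists the records an exporter following those rules would emit. It is an added example in Python, not code from Enterasys or from this article: the constants are the ones the article quotes, while the record fields, the ordering when an active-timer boundary and an age-out coincide, and the empty record emitted for a flow that ages out right after a timer record are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values quoted in the FAQ above
AGE_OUT_SECONDS = 40           # a flow with no packets for 40 s is aged out
DEFAULT_ACTIVE_MINUTES = 30    # active timer default; can be set as low as 1 minute


@dataclass
class FlowRecord:
    period_start: float   # seconds: start of the interval this record covers
    period_end: float     # seconds: when the record is generated
    packets: int
    octets: int
    reason: str           # "active-timer" or "age-out"


@dataclass
class _FlowState:
    period_start: float   # start of the current accounting period
    next_active: float    # when the active timer next fires
    last_seen: float      # timestamp of the last packet that hit the flow
    packets: int = 0
    octets: int = 0


def simulate_flow_records(packets: List[Tuple[float, int]],
                          active_minutes: int = DEFAULT_ACTIVE_MINUTES,
                          age_out: float = AGE_OUT_SECONDS) -> List[FlowRecord]:
    """Replay (timestamp_seconds, size_bytes) packets of ONE flow key and return
    the records the exporter would emit, in the order it would emit them."""
    if active_minutes < 1:
        raise ValueError("the active timer cannot be set below 1 minute")
    active = active_minutes * 60
    records: List[FlowRecord] = []

    def drain(flow: Optional[_FlowState], until: float) -> Optional[_FlowState]:
        # Emit every timer event that fires before 'until' (the next packet's
        # arrival, or +inf for the final flush) and return the surviving state.
        while flow is not None:
            age_out_at = flow.last_seen + age_out
            if flow.next_active <= until and flow.next_active <= age_out_at:
                # Assumption: on a tie the active timer fires before the age-out.
                records.append(FlowRecord(flow.period_start, flow.next_active,
                                          flow.packets, flow.octets, "active-timer"))
                flow = _FlowState(flow.next_active, flow.next_active + active, flow.last_seen)
            elif age_out_at < until:
                # Final record; may carry zero stats if a timer record just went out.
                records.append(FlowRecord(flow.period_start, age_out_at,
                                          flow.packets, flow.octets, "age-out"))
                flow = None       # hardware entry is gone; the next packet creates a new flow
            else:
                break
        return flow

    flow: Optional[_FlowState] = None
    for ts, size in sorted(packets):
        flow = drain(flow, ts)
        if flow is None:
            flow = _FlowState(ts, ts + active, ts)
        flow.last_seen = ts
        flow.packets += 1
        flow.octets += size
    drain(flow, float("inf"))
    return records


if __name__ == "__main__":
    # Constructed trace: one 100-byte packet every 10 s for 75 minutes.
    trace = [(t, 100) for t in range(0, 75 * 60 + 1, 10)]
    for r in simulate_flow_records(trace):
        print(r)
```

     With the default 30-minute timer the 75-minute trace yields records ending at 1800 s, 3600 s and 4540 s (the last one 40 seconds after the final packet, when the flow ages out), matching the article's 30/60/75-minute description; setting the timer to 1 minute produces a record every 60 seconds instead, which is what the `export-interval 1` line in the sample configuration further down selects.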
  5. Is the 256 MB memory option a mandatory requirement to run Netflow export?

     Yes, 256 MB is mandatory. The release notes state: "The use of the Netflow feature requires 256 MB of DRAM on ALL modules in the chassis." Slot modules not already running 256 MB of SDRAM (per 'show system hardware' output) will need to have a DFE-256MB-UGK memory kit installed.

  6. Can Netflow be configured to run on any port, regardless of whether or not the port is configured for any Layer 2 or Layer 3 activity?

     Yes, L2/L3 ports can be used.

  7. Are there any restrictions for Netflow regarding tagged vs. untagged VLANs?

     No.

  8. Does Netflow look at every packet/flow, or does it only sample? If it samples, what is the sampling frequency?

     It looks at every packet/flow. There is no sampling.

  9. What is the maximum number of Netflow entries supported?

     The DFE is capable of supporting a Netflow record for every flow in its system: 64K per packet processor on Platinum and 128K per packet processor on Diamond. Typical blades have at least 3 packet processors per blade, so:

     • 3 x 64K = 192K records/slot on Platinum; a 7-slot chassis x 192K/slot = 1.3M records in an N7 Platinum
     • 3 x 128K = 384K records/slot on Diamond; a 7-slot chassis x 384K/slot = 2.7M records in an N7 Diamond

 10. Can you provide a sample configuration for enabling Netflow collection?

     set netflow cache enable
     set netflow export-destination 10.10.1.1
     set netflow export-interval 1
     set netflow export-version 9
     set netflow template refresh-rate 600 timeout 1
     set netflow port ge.1.* enable
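     The configuration above exports version 9 records to the collector at 10.10.1.1 and re-sends the template every 600 packets or 1 minute. A v9 collector can only decode data records after it has seen the matching template, so until the next refresh arrives any data flowsets it receives are undecodable; that is the gap the refresh settings bound, and a collector that drops such packets silently can leave an operator thinking the switch exported nothing. The minimal decoder below is an added example, not code from Enterasys or from this article: it follows the packet layout and field type numbers of RFC 3954 (NetFlow v9), keeps a template cache across packets, and builds its own sample packet, whose addresses, ports and counters are constructed for the example rather than captured from a DFE.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers from RFC 3954; only the ones this example uses
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
    8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
    21: "last_switched", 22: "first_switched",
}
IPV4_FIELDS = {8, 12}

# Template cache: (source_id, template_id) -> [(field_type, field_length), ...]
TemplateCache = Dict[Tuple[int, int], List[Tuple[int, int]]]


def parse_v9(packet: bytes, templates: TemplateCache):
    """Decode one export packet into (header, records). 'templates' persists
    across calls; a data flowset whose template is not cached yet is skipped."""
    if len(packet) < 20:
        raise ValueError("truncated NetFlow header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("expected NetFlow version 9, got %d" % version)
    header = {"count": count, "sys_uptime": uptime, "unix_secs": unix_secs,
              "sequence": seq, "source_id": source_id}
    records: List[dict] = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length at offset %d" % off)
        body = packet[off + 4:off + fs_len]
        off += fs_len
        if fs_id == 0:                                   # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("template %d overruns its flowset" % tid)
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                          for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                               # data flowset
            tmpl = templates.get((source_id, fs_id))
            rec_len = sum(length for _, length in tmpl) if tmpl else 0
            if rec_len == 0:
                continue                                 # template not seen yet: skip
            p = 0
            while p + rec_len <= len(body):              # trailing bytes are padding
                rec = {}
                for ftype, flen in tmpl:
                    raw = body[p:p + flen]
                    p += flen
                    name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                    if ftype in IPV4_FIELDS and flen == 4:
                        rec[name] = ".".join(str(b) for b in raw)
                    else:
                        rec[name] = int.from_bytes(raw, "big")
                records.append(rec)
        # flowset ids 1..255 (options templates/data) are ignored in this example
    return header, records


def build_sample_packet(include_template: bool = True) -> bytes:
    """Constructed sample (not a capture): one template (id 256) and two data
    records using it. include_template=False sends only the data flowset, as
    happens between template refreshes."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4), (22, 4), (21, 4)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    def ip(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))

    def rec(src, dst, sport, dport, proto, pkts, octets, first, last) -> bytes:
        return ip(src) + ip(dst) + struct.pack("!HHBIIII", sport, dport, proto,
                                               pkts, octets, first, last)

    data = (rec("192.0.2.15", "198.51.100.1", 40001, 443, 6, 180, 18000, 1000, 1799000)
            + rec("192.0.2.16", "198.51.100.7", 50000, 53, 17, 1, 64, 5000, 5000))
    pad = (-len(data)) % 4                               # flowsets are padded to 32 bits
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    flowsets = (tmpl_fs if include_template else b"") + data_fs
    count = (1 if include_template else 0) + 2           # header count = templates + data records
    header = struct.pack("!HHIIII", 9, count, 1800000, 1700000000, 1, 1)
    return header + flowsets


if __name__ == "__main__":
    cache: TemplateCache = {}
    hdr, recs = parse_v9(build_sample_packet(), cache)
    print(hdr)
    for r in recs:
        print(r)
```

     Feeding the template-less packet to a fresh cache yields a valid header but no records; once the template has been cached from an earlier packet, the same data flowset decodes. When checking a deployment, a collector that logs "data flowset for unknown template" events is the quickest way to confirm whether the refresh interval is short enough for the export rate.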

                          See also: 11093, 12336, 12525, and 13584.
FAQ User, Official Rep
Posted 5 years ago