[flow-tools] Catalyst 6509's && GSR/Juniper
Clayton Fiske
clay@bloomcounty.org
Tue, 10 Dec 2002 10:00:12 -0800
On Tue, Dec 10, 2002 at 05:32:25PM -0000, Darren Smith wrote:
> If it still doesn't work properly, I've been looking at upgrades to Cisco
> 7600's at the network edges or potentially GSR/JUNIPER equipment.
>
> Is there anything I need to be aware of from a Netflow Accounting Point Of
> View on GSR/Juniper platforms? Or do the exports happen the same as regular
> cisco routers?

I can't speak for the latest Ciscos, but traditionally Netflow on
Cisco tracks flows (complete one-way sessions from start to finish)
and reports them once they are completed. This is not the case on
Juniper, which has no concept of a flow. Instead, you specify a
sample rate, N, and one out of every N packets is counted and reported
as an individual flow. You can then use either your flow collector or
your graphing utility to scale up your traffic graphs by N to make
them reflect accurate numbers. We do this on our network and it works
quite well. Just keep in mind the differences. Your "longest flow" in
this case will never be more than the MTU of the interface being
sampled, because each flow is only a single packet.

For example, you could set the sample rate to 1 which would sample
every packet. However, even then each packet would be reported as its
own flow rather than all packets matching a session being reported as
one flow. Your sample rate should be determined by a few factors:

- CPU resources of the router

  Sampling takes CPU power on a Juniper, unlike packet forwarding. If
  your CPU is too busy trying to sample every single packet, you could
  cause problems for other CPU-based processes on the router (such as
  dynamic routing protocols).

- Utilization of the interface(s) being sampled

  This is partly for CPU reasons (see above) and partly because of the
  design of a Juniper. There is a 100baseTX connection between the
  routing engine (CPU) and the line cards/switching fabric. Any sampled
  packet's header will be transmitted up this link for processing by
  the routing engine. If you try to sample too much data, you will find
  yourself losing data due to hitting the protective limit on sampling
  traffic. I believe it is 7000 packets/sec, but I'm not positive.

- The amount of granularity you need in your data

  This is partly dependent on the total amount of data traversing the
  router. If you are passing several gigabits for example, you really
  don't need to sample every packet to have a very good idea of what
  traffic is going where. If you generally only pass a few hundred
  kbits/sec or your traffic load consists of many, many different small
  data streams then you may wish to sample more in order to see a more
  accurate indication of where your traffic is going.

Hope this helps.

-c
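
The collector-side handling described in the message above, as an added example that is not part of the original post or of flow-tools: it picks the smallest N that keeps sampled packets under a sampling limit, regroups the single-packet records by 5-tuple, and scales counts by N. The function names, the record layout and the sample records are assumptions made for illustration, and the 7000 packets/sec default is the figure the message itself gives as uncertain.

```python
import math
from collections import defaultdict

# Constructed sample input: one record per sampled packet, as a sampling
# exporter reports it: (src, dst, proto, sport, dport, bytes).
SAMPLED = [
    ("10.0.0.5", "192.0.2.10", 6, 40000, 80, 1500),
    ("10.0.0.5", "192.0.2.10", 6, 40000, 80, 1500),
    ("10.0.0.5", "192.0.2.10", 6, 40000, 80, 40),
    ("10.0.0.9", "198.51.100.7", 17, 5353, 53, 76),
]

def min_sample_rate(peak_pps, limit_pps=7000):
    """Smallest N that keeps peak_pps / N at or below the sampling limit.

    limit_pps defaults to the figure the message gives from memory; treat
    it as an assumption and check it for your platform.
    """
    if peak_pps < 0 or limit_pps <= 0:
        raise ValueError("peak must be non-negative and limit positive")
    return max(1, math.ceil(peak_pps / limit_pps))

def estimate_sessions(records, n):
    """Regroup single-packet records by 5-tuple and scale counts by N."""
    if n < 1:
        raise ValueError("sample rate N must be >= 1")
    totals = defaultdict(lambda: [0, 0])  # key -> [sampled pkts, sampled bytes]
    for src, dst, proto, sport, dport, size in records:
        entry = totals[(src, dst, proto, sport, dport)]
        entry[0] += 1
        entry[1] += size
    result = {}
    for key, (pkts, octets) in totals.items():
        result[key] = {
            "sampled_packets": pkts,
            "est_packets": pkts * n,
            "est_bytes": octets * n,
            # Relative standard error of est_packets, assuming random
            # 1-in-N sampling: sqrt((1 - 1/N) / sampled_packets).
            "rel_error": math.sqrt((1 - 1 / n) / pkts),
        }
    return result

if __name__ == "__main__":
    n = min_sample_rate(150_000)  # constructed peak packet rate
    for key, est in estimate_sessions(SAMPLED, n).items():
        print(n, key, est)
```

A session with only a few sampled packets carries a large `rel_error`, which is the granularity trade-off the last factor in the message describes.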