periodic patterns in juniper netflow exports

Fernando Silveira fernando.jorge.silveira at gmail.com
Thu Jan 3 11:53:31 UTC 2008


hi Roland,

actually I believe the patterns I'm talking about are not caused by
the activity timer.
As fair as I know, the activity timer exports a flow which has been
active for too long. Therefore, it should be counted from the
beginning of the flow (its first packet), right? The patterns I'm
talking about would imply an absolute clock (independent of any flow)
ticking every minute, and flushing the entire flow cache. The result
of this would be the binning effect I mentioned.

The patterns I'm talking about seem really specific to Juniper
routers. I have another set of traces (which I believe come from Cisco
routers) and they don't have the periodic flow export pattern I'm
referring here.

I have two or three plots that show in detailed what I'm trying to
explain, but I'm not sure I can post them here. If you'd like to see
them I can send them to you (or anybody interested) or I could post it
on the web and send you the URL.

Thanks for the quick reply!
Fernando

On Jan 3, 2008 11:42 AM, Roland Dobbins <rdobbins at cisco.com> wrote:
>
>
> On Jan 3, 2008, at 5:57 PM, Fernando Silveira wrote:
>
> >  Can anyone tell me if there is such a
> > timer in JunOS, i.e., flushing the flow cache every minute (or an
> > interval defined as a parameter)?
>
> I don't know about Juniper routers, but there's such a setting in
> Cisco routers, it's called the active flow timer.  If you don't use it
> and don't tell your collection/analysis system what setting you've
> used (most folks use between 5 minutes for traffic analysis down to
> one minute for security-related analysis), you end up with backlogged
> stats which aren't chronologically representative of the actual
> traffic, and your graphs are all jagged and useless.
>
> My guess would be that Juniper have a similar construct for a similar
> purpose.  Most collection/analysis systems of which I'm aware take
> this setting into account, as long as you tell them what interval
> you're using.  It's generally considered highly desirable to make use
> of this functionality, for the aforementioned reasons.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
>
>         Culture eats strategy for breakfast.
>
>             -- Ford Motor Company
>
>
>



More information about the NANOG mailing list