nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: periodic patterns in juniper netflow exports

From: "Fernando Silveira" <fernando.jorge.silveira () gmail com>
Date: Thu, 3 Jan 2008 12:53:31 +0100

hi Roland,

actually I believe the patterns I'm talking about are not caused by
the activity timer.
As fair as I know, the activity timer exports a flow which has been
active for too long. Therefore, it should be counted from the
beginning of the flow (its first packet), right? The patterns I'm
talking about would imply an absolute clock (independent of any flow)
ticking every minute, and flushing the entire flow cache. The result
of this would be the binning effect I mentioned.

The patterns I'm talking about seem really specific to Juniper
routers. I have another set of traces (which I believe come from Cisco
routers) and they don't have the periodic flow export pattern I'm
referring here.

I have two or three plots that show in detailed what I'm trying to
explain, but I'm not sure I can post them here. If you'd like to see
them I can send them to you (or anybody interested) or I could post it
on the web and send you the URL.

Thanks for the quick reply!
Fernando

On Jan 3, 2008 11:42 AM, Roland Dobbins <rdobbins () cisco com> wrote:



On Jan 3, 2008, at 5:57 PM, Fernando Silveira wrote:


 Can anyone tell me if there is such a
timer in JunOS, i.e., flushing the flow cache every minute (or an
interval defined as a parameter)?


I don't know about Juniper routers, but there's such a setting in
Cisco routers, it's called the active flow timer.  If you don't use it
and don't tell your collection/analysis system what setting you've
used (most folks use between 5 minutes for traffic analysis down to
one minute for security-related analysis), you end up with backlogged
stats which aren't chronologically representative of the actual
traffic, and your graphs are all jagged and useless.

My guess would be that Juniper have a similar construct for a similar
purpose.  Most collection/analysis systems of which I'm aware take
this setting into account, as long as you tell them what interval
you're using.  It's generally considered highly desirable to make use
of this functionality, for the aforementioned reasons.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

        Culture eats strategy for breakfast.

            -- Ford Motor Company
Previous By Date Next
Previous By Thread Next

Current thread: