NetFlow is not equal to NetStream

NetFlow and Netstream are tools for monitoring, collecting traffic statistics, and they have the same tasks, but their implementations are different. Recently, we considered a case when, after integrating several Huawei hardware into an existing Cisco network, Netstream was configured on Huawei similarly to the NetFlow configuration on Cisco, but the traffic from Huawei was considered a hundred times less than the amount that Cisco sent to it:

—-Cisco router —>100 packets —> router Huawei AR6280 —>1 packet—-

We monitored this phenomenon on the spot in the network, where there was a direct channel between Cisco and Huawei via 100Mbps optics, that is, the incoming traffic of the first router was the outgoing traffic of the other. The network engineer noticed: “The packets were looked at by Wireshark from both sides – everything is standard, the CFLOW protocol, version 5, the fields are identical, the data size was transmitted by the number of octets, with the only difference being that packets with the same number of PDUs came from Cisco – 30 pieces , and with Huawei, the packet could have 18.12, in general, a different number of PDUs. No aggregation modes were enabled on Huawei, Huawei sent the same information as Cisco in octets, but at the same time with the same load for every 5 -7 packets (meaning NetFlow packets) from Cisco (with 30 pdu each) 1-2 packets come from Huawei with different and fewer pdu”.

First, a version was put forward to configure through the policer. But it is known that the policer is used to reduce the number of packets in a stream, or to measure only certain traffic, while it was necessary to monitor how much traffic was generated in the original amount (exporting of ipv4 original flow statistics) with default timers.

Further, to check that Huawei did not drop traffic, an experiment was conducted when a 10GB ISO file was sent from one of the PCs to the server via the mentioned Cisco-Huawei channel. The file arrived intact. This prompted the idea that it was in the settings for collecting statistics.

The Huawei product documentation mentions that by default, only every 100th packet is collected on Huawei AR routers.

“By default, the packet-based regular sampling is used. The default packet sampling ratio is 100.”

At the same time, on other products it can be every 1000th package.

To change this – in the interface view on the AR6280 we specify 1 instead of the default 100:

undo ip netstream inbound
ip netstream sampler fix-packets 1 inbound
ip netstream inbound

Presumably, this behavior may be related to the technical features of chips and processors, and the risks of their excessive utilization in scenarios that vendors usually do not talk about openly, or do not themselves know, therefore, they insure themselves by setting such threshold values ​​initially.

More details in the investigation from Astar – netflow analyzer data from Cisco and Huawei differ by 2 orders of magnitude

Similar Posts

Leave a Reply