Hi support,

I have a Cisco ASR 1002.
I created a NetFlow config to match all the IP traffic as below:

=======

flow exporter me_nfa_analyzer
destination 66.12.64.29
transport udp 9996

flow record ALL
match transport tcp destination-port
match transport tcp source-port
match transport udp destination-port
match transport udp source-port
match ipv4 destination address
match ipv4 source address
collect counter bytes
collect counter packets

================

flow monitor ALL
record ALL
exporter me_nfa_analyzer
cache timeout active 60

interface Port-channel2
ip flow monitor ALL input

======

From the settings above, I guess I'm matching all TCP & UDP.
But in reality I see there is about a 300Mbps difference when I compare the results from NetFlow & SNMP.

SNMP is more accurate and has a value 200-300 more than the value I see from NetFlow.

Is there something I need to check?

Do my rules above match all the IP traffic?

Thanks

on PRTG choose Version .


Article Comments

Dear drvirus,

Thank you for your KB-post.

Kindly note that we cannot support you in configuring your device, nor check whether the configuration of your device is correct, I'm afraid.

However, comparing the results of different monitoring protocols is always tricky. The current speed values should not be compared (especially not spikes or peaks); they can differ too much due to the active flow timeout alone.

Furthermore, please bear in mind that SNMP also accounts for the NetFlow packets, which NetFlow itself does not; it only tells you about the actual 'payload'.

However, if you compare the volumes, for at least full hours or even full days, the volumes should be very similar between SNMP & Netflow. So could you please compare the volumes for one hour? Are they similar?

Best regards,
Sven


Feb, 2017 - Permalink

I did compare. The result is not the same in total volumes; in SNMP it's more than NetFlow!!


Feb, 2017 - Permalink

Dear drvirus,

Please open a new support ticket for this issue (using TicketID PAE828544) and forward us screenshots of the NetFlow and SNMP Sensor to which you are referring. We need the tabs "Overview", "Log", "Settings" and "Live Data" from both sensors.

Additionally, please set the "Active Flow Timeout" in the sensor setting to be one minute larger than the one used on the device (for more information please see this article).

Best regards,
Sven


Feb, 2017 - Permalink

OK, I will check that tonight and let you know.

But I have one more question now.

Say I want to monitor 3 subnets as below: IP[x.x.65.0/24] IP[y.y.108.0/24] IP[z.z.111.0/24]

I tried to add them line by line, but PRTG didn't accept it.

If I add 1 line as ==> IP[x.x.65.0/24] it accepts it!!

But again, I need to monitor 3 subnets as above. How can I add 3 subnets in the filter?

Thanks


Feb, 2017 - Permalink

Dear drvirus,

Please use logical operators to combine your 3 subnets.
For instance:

  • IP[x.x.65.0/24] and IP[y.y.108.0/24] and IP[z.z.111.0/24]
  • IP[x.x.65.0/24] and (IP[y.y.108.0/24] or IP[z.z.111.0/24])
  • IP[x.x.65.0/24] or IP[y.y.108.0/24] or IP[z.z.111.0/24]

Best regards,
Sven


Feb, 2017 - Permalink
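
How the three filter forms above differ in what they keep, as an added example that is not part of the original thread and not PRTG's own code. It assumes IP[...] matches when either the source or the destination address of a flow falls in the subnet; the subnets and flows are constructed stand-ins for the redacted ones.

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the three redacted subnets.
NET_A = ipaddress.ip_network("192.0.2.0/24")     # stands in for x.x.65.0/24
NET_B = ipaddress.ip_network("198.51.100.0/24")  # stands in for y.y.108.0/24
NET_C = ipaddress.ip_network("203.0.113.0/24")   # stands in for z.z.111.0/24


def ip(flow, net):
    """Assumed meaning of IP[net]: source OR destination address is inside net."""
    src, dst = (ipaddress.ip_address(a) for a in flow)
    return src in net or dst in net


# The three filter shapes from the answer, as predicates over a single flow.
FILTERS = {
    "A and B and C": lambda f: ip(f, NET_A) and ip(f, NET_B) and ip(f, NET_C),
    "A and (B or C)": lambda f: ip(f, NET_A) and (ip(f, NET_B) or ip(f, NET_C)),
    "A or B or C": lambda f: ip(f, NET_A) or ip(f, NET_B) or ip(f, NET_C),
}

# Constructed sample flows: (source address, destination address).
FLOWS = [
    ("192.0.2.10", "10.9.9.9"),      # subnet A to an outside host
    ("198.51.100.7", "192.0.2.10"),  # subnet B to subnet A
    ("203.0.113.5", "10.1.1.1"),     # subnet C to an outside host
    ("10.1.1.1", "10.2.2.2"),        # touches none of the three subnets
]


def matched(name):
    """Return the sample flows that the named filter keeps."""
    return [f for f in FLOWS if FILTERS[name](f)]


if __name__ == "__main__":
    for name in FILTERS:
        kept = matched(name)
        print(f"{name:15} keeps {len(kept)} of {len(FLOWS)} flows")
        for src, dst in kept:
            print(f"    {src} -> {dst}")
```

A flow has only two endpoints, so under this assumption a filter that requires three disjoint subnets at once keeps nothing, while the "or" form keeps any flow that touches one of them.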