Flexible NetFlow—Prevent Export Storms

The Flexible NetFlow—Prevent Export Storms feature uses export spreading to prevent export storms that occur due to the creation of a synchronized cache. The export of the previous interval is spread during the current interval to prevent export storms.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About Flexible NetFlow—Prevent Export Storms

Flexible NetFlow—Prevent Export Storms Overview

The Flexible NetFlow—Prevent Export Storms feature prevents export storms at a NetFlow Collecting (NFC) device, especially when multiple Flexible NetFlow (FNF) entities are configured to export FNF records to the same NFC at the same synchronized wallclock time. Export storms occur due to the creation of the synchronized cache type. Export spreading reduces the severity of export storms and mitigates their impact.

Synchronized cache with spreading requires adding the interval timestamp field for the synchronized cache. When no spreading is configured, it is recommended to add the interval as a key, but the configuration is not rejected to maintain backward compatibility. If no export spread is specified, the default behavior is immediate export. The spread time must be smaller than half of the interval. Therefore, it will be set to half the interval time or to the configured spread interval, whichever is lower (but not lower than 1 second).

You must not enable spreading when the interval sync timeout is lower than 10 seconds (5- second spreading). This requirement comes from the need for asynchronous monitors to aggregate the data within a few seconds. Spreading might start a couple of seconds after the interval ends in order to complete the aggregation. If a synchronized interval value is lower than 10 seconds, no spreading option is visible in the command-line interface (CLI). The default spread interval, if unspecified, is 30 seconds. The maximum synchronized interval timeout value is 300 seconds. For native FNF monitors, the maximum synchronized interval timeout value could be larger. The rate calculation is provisioned as follows:
  • The simple implementation is a constant rate based on the cache-size/spread-interval.
  • An improved implementation is based on the current-previous-interval-cache-size/spread-interval. This provides better results when the cache is not full.

The NetFlow/IPFIX header timestamp is set to the time when the record leaves the device (and not when the record leaves the NetFlow cache). The timestamp fields in the record itself capture the timestamp of the packets and are accounted for in the NetFlow cache. A new, implementation-driven concept of a “small interval” is now implicitly introduced and understood to be directly in contrast with the concept of a “large interval”. The “large interval” can be thought of as simply the sync interval as configured by the CLI. This is the interval at the beginning of which the entire export process is to be initiated. It corresponds to the "synchronized interval" that is driven and defined by the CLI. At the beginning of a “large interval”, we must take the number of records in the cache and divide that number by the number of seconds available in which to export these records, thus yielding the calculated or derived quantity of “records per second”.

For example, if there are 100,000 records in the cache and 100 seconds in which to export these records, we would calculate and store the value 1000 records/second. Because this quantity is expressed in seconds, it follows that we will need to count the records exported in small intervals that are one second in duration.

This then, implicitly, defines the notion of a “small interval”, which is, to be succinct and equal to one second. Combining this idea of small and large intervals with the need for a state or context, it quickly becomes evident that a timer thread must be able to discern if it is beginning a “small interval” or a “large interval”.

How to Configure Flexible NetFlow—Prevent Export Storms

Configuring Flexible NetFlow—Prevent Export Storms

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    flow monitor type performance-monitor monitor-name

    4.    cache type synchronized

    5.    cache timeout synchronized interval export-spread spread-interval

    6.    end


DETAILED STEPS
      Command or Action Purpose
    Step 1 enable


    Example: 
    Device> enable
     
    Enables privileged EXEC mode.
    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example: 
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 flow monitor type performance-monitor monitor-name


    Example: 
    Device(config)# flow monitor type performance-monitor my_mon
     
    Creates a flow monitor and enters flow monitor configuration mode.
    • This command also allows you to modify an existing flow monitor.
     
    Step 4 cache type synchronized


    Example: 
    Device(config-flow-monitor)# cache type synchronized
     

    Configures the cache type for a Performance Monitor flow monitor.

     
    Step 5 cache timeout synchronized interval export-spread spread-interval


    Example: 
    Device(config-flow-monitor)# cache timeout synchronized 12 export-spread 5
     

    Configures export spreading.

     
    Step 6 end


    Example: 
    Device(config-flow-monitor)# end
     

    Returns to privileged EXEC mode.

     

    Configuration Examples for Flexible NetFlow—Prevent Export Storms

    Example: Flexible NetFlow—Prevent Export Storms Configuration

    The following example shows how to enable and configure export spreading and prevent export storms where the synchronized interval timeout value is 12 seconds and the export spread interval is 5 seconds:

    Device> enable
Device# configure terminal 
Device(config)# flow monitor type performance-monitor my_mon
Device(config-flow-monitor)# cache type synchronized
Device(config-flow-monitor)# cache timeout synchronized 12 export-spread 5

    Additional References for Flexible NetFlow—Prevent Export Storms

    Related Documents

    Related Topic

    Document Title

    Cisco IOS commands

    Cisco IOS Master Command List, All Releases

    Flexible NetFlow commands

    Cisco IOS Flexible NetFlow Command Reference

    Technical Assistance

    Description Link

    The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

    To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

    Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​support

    Feature Information for Flexible NetFlow—Prevent Export Storms

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

    Feature Name

    Releases

    Feature Information

    Flexible NetFlow - Prevent Export Storms

    Cisco IOS XE Release 3.11S

    The Flexible NetFlow—Prevent Export Storms feature uses export spreading to prevent export storms that occur due to the creation of a synchronized cache. The export of the previous interval is spread during the current interval to prevent export storms.