Fix anomalous spikes in bandwidth utilization graphs in 4 simple steps

    NetFlow Analyzer generates traffic reports based on the NetFlow packets exported from the router. Based on the information in the NetFlow packets, the product displays the traffic passing through the interfaces of the exporting device.

    One issue that is frequently reported is that the traffic utilization shown in NetFlow Analyzer is more than the actual traffic on the interface. Reports showing more than actual utilization or more than 100 % utilization can be resolved quickly by checking a few points on the exporting device and the product.

    Incorrect active timeout

    The traffic reports in NetFlow Analyzer is shown with a 1 minute granularity, ie. NetFlow Analyzer shows details of the traffic for each minute. By default, the active timeout on the NetFlow exporting devices is 30 minutes, which means that the information about the traffic that passed through the interface in the previous 30 minutes is exported at the 30th minute.

    Since NetFlow Analyzer reports traffic every minute, the export of 30 minutes information all at once leads to the product’s reports showing a spike every 30 minutes. The incorrect traffic details for that minute leads to showing incorrect speed which thus leads to wrong utilization calculation. To avoid this, simply check if the active timeout on the router is set to 1 minute using the command "ip flow-cache timeout active 1".

    Multiple NetFlow commands

    NetFlow can be enabled on the router using any one of the three commands:

    1. ip route-cache flow : – This command can be applied on all main interfaces and will automatically enable NetFlow on the sub interfaces too. This command accounts for the IN traffic across an interface.
    2. ip flow ingress :- Some of the newer IOS supports this command which also accounts for the IN traffic across an interface. The difference is that this command needs to be applied on a sub-interface level
    3. ip flow egress :- The same as ‘ip flow ingress’ but this command accounts for the OUT traffic across an interface.

    NetFlow can be enabled on the interfaces of the router by applying any one of the above mentioned command, but most of the netwrok admin enable either “ip flow ingress” or “ip route-cache flow” on the interfaces for traffic accounting. When all these commands are applied on the interfaces, it causes the same traffic to be counted multiple times again causing the product to show incorrect traffic stats and thus incorrect utilization reports.

    Incorrect link speed in NetFlow Analyzer:

    NetFlow Analyzer calculates the utilization based on the link speed. For example, if the link has capability to handle 1 Mbps and the actual traffic passing through an interface is about 512 Kbps, the utilization graph in NetFlow Analyzer displays the traffic percentage as 50 %. Here is the formula which explains the utilization calculation on NetFlow Analyzer.

    Utilization = Actual Speed/Link Speed * 100

    So, if the link speed is not updated properly in NetFlow Analyzer, the utilization shown in NetFlow Analyzer will be different than the actual. NetFlow Analyzer can determine the interface speed if you set the appropriate SNMP Port and Community for the router on NetFlow Analyzer. This can be done from the ‘Set SNMP Parameters’ icon on the ‘Interface View’ right next to the router name or you can set the interface speed manually for each interface on NetFlow Analyzer (from the Edit Settings icon on the ‘Interface View’ next to the interface name). You can refer to this blog for more details.

    Non dedicated burstable bandwidth

    Certain ISPs allows you to use over the allocated bandwidth depending on the other customers sharing that link. So, even though the max bandwidth is 2Mbps, the ISP may allow you to use even more based on availability. This also affects the accurate reporting on NetFlow Analyzer causing incorrect bandwidth utilization values and even more than 100%.

    ESP and GRE traffic

    This is another reason for traffic to get double counted in NetFlow Analyzer. With NetFlow data, the tunnel traffic will be accounted as the normal traffic before encryption and again as the encrypted traffic. NetFlow Analyzer have an option to filter this kind of encrypted tunnel traffic from the reports. This option is available under Product Settings – Advance Settings – ESP or GRE Filter.

    To know more about the about ESP and GRE traffic double count, check this link.

    If none of the above resolves the issue, please find the technical explanation on what could still be causing this:

    Any analyzer tools calculates the OUT traffic of an interface based on the IN traffic of the interface that sends traffic to it. When traffic is passing from higher speed interface to lower speed interface, the calculation of OUT traffic from a higher speed IN traffic causes incorrect traffic utilization to be shown on the OUT traffic.

    The above reason for more than 100 % utilization on OUT traffic can be resolved by enabling only “ip flow egress” on all the interfaces.