Table Of Contents
Release Notes for Cisco Multi NetFlow Collector, Release 6.0
September, 2007, OL-12884-01
These release notes provide information about features in the Cisco Multi NetFlow Collector 6.0 release. Multi NetFlow Collector (MNFC) is a second-tier application of the NetFlow Collector architecture. MNFC imports the data files resident on multiple Cisco NetFlow Collector (NFC) servers. MNFC performs network-level correlation and provides a central view for all distributed NFC servers in the network.
Note Cisco MNFC supports only Cisco NFC Release 6. It does not support previous NFC releases. Cisco MNFC and NFC must run on separate servers.
This release note contains the following sections:
Cisco NetFlow Collector, Release 6.0 introduces a tiered NetFlow collection architecture that provides increased scalability and performance. The role of the first tier (Tier 1) maps to the NFC functionality of Cisco NetFlow Collector 5.0.3 with the addition of new features described in these Release Notes.
NetFlow services consist of high-performance IP switching features that capture a rich set of traffic statistics exported from routers and switches while they perform their switching function. Cisco NetFlow Collector provides fast, scalable, and economical data collection from multiple export devices exporting NetFlow data records.
Cisco NetFlow Collector, Release 6.0 supports new Cisco NetFlow Collector Tier 2 functionality, also referred to as Multi NetFlow Collector (MNFC). MNFC imports the data files resident in multiple NFCs and performs network-level correlation and provides a central view for all distributed Cisco NFC implementations in the network.
Cisco MNFC supports only Cisco NFC Release 6. It does not support previous NFC releases. Cisco MNFC and NFC must run on separate servers.
Features in This Release
Multi NetFlow Collector, Release 6.0 includes the following features:
•Importing of data files from multiple Cisco NFCs to its server to perform network-level correlation, a central view of end-to-end traffic summaries, and classification information.
•PE-PE, PE-CE, CE-PE, and CE-CE data collection providing traffic statistics between two IP networks
•Web-based user interface for configuration, reporting, and control
•Ability to generate the following types of reports:
–VPN traffic summary
Cisco MNFC supports only Cisco NFC, Release 6.0. It does not support previous Cisco NFC releases. Cisco MNFC and NFC must run on separate servers.
The following sections describe requirements for Cisco Multi NetFlow Collector, Release 6.0.
Note The CPU, RAM, and disk space recommendations listed are minimum requirements. Your actual requirements are determined by your configuration and by the volume and uniqueness of NetFlow data that is received. Actual resource usage can vary greatly depending on these factors.
Supported Operating Systems and Platforms
Multi NetFlow Collector, Release 6.0 supports the following operating systems and platforms:
•Solaris 8, 9, or 10 on a midrange server, such as the Sun Fire V490 with Quad UltraSPARC IV 1.5 GHz processors.
•Red Hat Enterprise Linux 3.0, or 4.0 (ES and AS) on a midrange server, such as an IBM x346 with a single dual-core Intel Xeon 3.8 GHz processor.
Note To serve as the concentrator in a scalable NetFlow solution, the workstation should be dedicated to the Multi NetFlow Collector and should not be running other applications.
The Multi NetFlow Collector, Release 6.0 has the following hardware requirements:
•Minimum of 16 GB RAM, 10K SCSI, dual 70 GB disk, and dual processor on an midrange-level server.
The Multi NetFlow Collector, Release 6.0 web-based user interface is compatible with Microsoft Internet Explorer 6 and Mozilla Firefox 1.5 or greater on Windows or UNIX. The web-based UI requires that the browser support a Java virtual machine (JVM) to run applets.
Note The Sun JVM must be used; the JVM version must be 1.5 or higher. You can download Sun JVM 1.5 from the website http://java.sun.com/javase/downloads/index.jsp.
A license file is required for each host running Cisco Multi NetFlow Collector, Release 6. The license is specific to the IP address of the host. You can obtain a permanent license at:
Note The licensing URL referenced in error logs in the mnfc.log file is incorrect. In order to obtain a license, you must use http://www.cisco.com/go/license.
You must have the IP address of the host on which Multi NetFlow Collector will run. To obtain a permanent license, you must also have the PAK you received after purchasing Multi NetFlow Collector. After you enter the information, a license file is emailed to you. Copy the license file or its contents with no alterations to /opt/CSCOmnfc/config/mnfc.lic.
The first line of the license file contains either the demo expiration date or the word permanent for a permanent license, and the IP address of the host to which Multi NetFlow Collector is licensed.
If the host running Multi NetFlow Collector has more than one network card and IP address, specify the IP address associated with the hostname when licensing the product.
Note By default, Red Hat Enterprise Linux associates the system hostname with the loopback address 127.0.0.1 in /etc/hosts. However, for licensing to function properly, the hostname must be associated with the host's IP address. Edit the /etc/hosts file by removing the hostname from the loopback address entry and adding an entry for the licensed IP address.
The file /etc/nsswitch.conf is normally configured so that hostname lookups are first obtained from files (/etc/hosts).
The Multi NetFlow Collector Release 6.0 contains a known limitation when a single report contains more than 10000 records. If you have a single report that exceeds this current limitation, while viewing the report you might see an OutOfMemory error and your web browser session might be halted.
Daylight Saving Time Updates for MNFC
Multi NetFlow Collector's time zone data is include in the bundled Java Runtime Environment (JRE). By default, the MNFC 6.0 JRE contains Olson time zone data tzdata2006k.
Time zone data should be updated using the TZupdater tool when MNFC is installed and whenever local Daylight Saving Time rules change. For details on updating the JRE Time zone data, see Appendix B, "Updating JRE Time Zone Data" in the Cisco Multi NetFlow Collector Installation and Configuration Guide:
Table 1 lists the problems that were resolved since Cisco Multi NetFlow Collector, Release 6.0 was released for early field trials.
Known Limitations and Problems
This section contains information about the limitations and problems known to exist in the Cisco Multi NetFlow Collector, Release 6.0 product.
CSCsg39901—MNFC: required fields (such as timestamp) should be selected by default.
Description: Summarizations and correlators require the use of the Timestamp Key Field. In the MNFC UI, the Timestamp Key Field for summarization and correlator definitions is selected. Nothing prevents you from deselecting the Timestamp Key Field, resulting in a summarization/correlator instance with an invalid definition.
Workaround: Make sure that the Timestamp Key Field is selected in the Configuration > Specify Correlator or Configuration > Specify Summarization window.
CSCsg79456—MNFC: Second active browser pop up for Trending report.
Description: If either key or value on trending report is not selected, an error message will display but at the same time a second active browser appears. This additional browser should not be allowed. If you click on the second browser without correcting mistake, another error and a third browser will display.
Workaround: Manually close the extra browser window.
CSCsg85282—MNFC: Report filter is incorrect when the radio button is selected.
Description: When generating a report, select the radio button for IP 0.0.0.100. Add a filter on srcaddr: 0.0.0.215. Click filter. The report filters on 0.0.0.100 and not 0.0.0.215.
Workaround: Recreate report to apply another filter address.
CSCsg95499—MNFC: Filter does not apply to plot for trending report.
Description: When applying a filter to a trending report and then creating a plot of the filtered data, the plot is the same as a plot created from the unfiltered report.
Workaround: None at this time. Contact support.
CSCsg95525—MNFC: Bar graph can not be plotted for filtered trending report.
Description: Bar graph on filtered trending report can not be plotted. The result is a page displaying Result ID, start time, and end time on the left and an x on the right side of the page. No graph is displayed.
Workaround: None at this time. Contact support.
CSCsh06772—MNFC: Blank page shown for TopN, Trending without data source.
Description: If you install MNFC and proceed to click on the different report folders visible from Report > Report Specs such as CE-CE or PE-PE before configuring anything, the basic Report configure page displays along with a message saying that there is no data source. However, if you select Top N or Trending a blank page. displays. No message displays.
Workaround: None at this time. Contact support.
CSCsh23411—MNFC: Trending plot y-axis values vary with data period.
Description: Set up first tier collection with five minute period. Collect the first tier data in second tier with 15-minute period summarization. Run a trending report on the primary data, and compare with trending report for summarization data. The y-axis values in the report run on 15-minute summarized data are three times that of the 5-minute primary table data. The y-axis values plotted over time should not depend on the specified collection period.
Workaround: None at this time. Contact support.
CSCsh25265—MNFC: Start time of scheduled job can not be edited.
Description: You click the View Job link for a particular report in the scheduled reports window and edit the At field. After clicking Submit, the At field does not display the changed value and no error messages is displayed.
Workaround: Schedule a job with new start time using the same report spec, then delete the old scheduled job.
CSCsh52340—MNFC: transport change from ftp to sftp and vice versa.
Description: Change in transport from FTP to SFTP or vice versa does not take effect unless the concentrator is restarted.
Workaround: After changing the FTP or SFTP setting for collector(s), restart the Concentrator process from the Status > Control Processes window by clicking Start concentrator.
CSCsh52348—MNFC: symbolic link creation for data file.
Description: If the path for Data files is not $NFC_DIR/Data, upload on MNFC fails.
Workaround: Create a symbolic link from new location on the data file to $NFC_DIR/Data. For example, the new location for the /Test symbolic link will be ln -s /Test $NFC_DIR/Data .
CSCsh88906—MNFC: Collector Status > T.diff is not working as intended.
Description: From the Status > Collector Status > View File Transfer Status by Collector window, the T.diff, sec column displaying the estimated time difference between the MNFC server and the 1st tier NFC might display inaccurate (very large) values.
Workaround: None at this time. Ignore the T.diff, sec readings and verify the clock's discrepancy between the MNFC and the 1st tier NFC manually using date commands from the shell prompt.
CSCsi09460—MNFC: NO error flagged when option on tier1 is changed to not sorted.
Description: The Summarization table with the Top N Values storage method contains only a subset of the data loaded or no data is uploaded at all. Since the last Metadata Transfer was completed on the 1st Tier NFC Collector, the configuration on the 1st tier has been changed so that the Aggregator Sort Output is not selected.
Workaround: Make sure that the Sort Output check box is selected in the Modify Aggregator window for aggregators on all NFCs supplying records to the MNFC Aggregator to be used by the Summarization in question.
CSCsi10612—MNFC: Error Domain summarization already contains instance.
Description: Submission of a newly specified configuration instance like summarization or correlator fails and the error message Domain summarization already contains instance displays.
Workaround: Do one of the following:
–From the instance definition window, click Discard after getting the error popup to purge the instance from the back-end cache and then specify the instance again.
–Restart the Concentrator process from Status > Collector Processes > Network Concentrator Process.
CSCsi53207—MNFC: Rows per page gets blank on config screen.
Description: If the number of MNFC configuration entities of the same component type (Collectors, Aggregators, Summarizations, Datasources, or Correlators) exceeds 10 instances, the Configuration > View Component window for that component type displays only 10 instances. You cannot increase the number of instances displayed (Rows per page) and clicking Go to display the next page displays a blank window.
Workaround: If the number of configured instances of the same component type exceeds 10, use the navigation tree on the left-hand side of the MNFC UI panel to navigate to the desired instance.
CSCsi55888—MNFC: CSCOmnfc start all displays an exception message.
Description: During a manual MNFC startup using the scripts startmnfc.sh or cscomnfc, the following message is displayed:
Exception in thread "Timer-4" java.lang.ClassCastException: com.cisco.mnfc.db.Re cordManager at com.cisco.mnfc.db.StorageManager.insertFile(StorageManager.java:1439) at com.cisco.mnfc.db.StorageManager$FileDetector.run(StorageManager.java :1415) at java.util.TimerThread.mainLoop(Timer.java:512) at java.util.TimerThread.run(Timer.java:462)
Workaround: No action is required. There is no functional impact aside from the message.
CSCsi62593—MNFC: Available key field gets re-populated for correlator.
Description: When you try to create a correlator without selecting any values and click Submit, the correlator is not created and error message is correctly displayed, but the keys from Selected panel gets re-populated in the Available keys area.
Workaround: Discard the correlator definition and define a new correlation with values specified.
CSCsi65800—MNFC: restart can cause loss of period with code 858.
Description: Operation ATTACH fails on fragment of NFC data table and the SQL failure is logged into nfcdb.log as an Exception with code -858. One period of NFC data is lost: either the summarization/correlator period or a portion of the primary (aggregated) data, depending on which table is affected.
Workaround: To prevent losing of data for a period of time during which MNFC is restarted, delete the old records file <entity-id>_$a manually before restarting MNFC.
Use these Release Notes with the Cisco Multi NetFlow Collector Installation and Configuration Guide, Part Number OL-12883-01 and the Cisco Multi NetFlow Collector User Guide, Part Number OL-12885-01. These documents are available online through Cisco Connection Online at the following URL:
MNFC 6.0 contains Informix IDS9.40 from IBM as an embedded relational database. The set of IBM Informix documentation can be accessed online at:
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
This document is to be used in conjunction with the documents listed in the Related Documentation section.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.