[c-nsp] Cisco 6500/7600 netflow questions

Jared Mauch jared at puck.nether.net
Mon Nov 13 10:04:32 EST 2006 

On Mon, Nov 13, 2006 at 09:56:36AM -0500, Phil Bedard wrote:
> That's really the  meat of my question.  With the sampling enabled on  
> all of our ingress interfaces, what exactly is being exported?
> On the software-based platforms the sampling builds the netflow  
> tables, on the 6500/7600 there is the hardware MLS netflow cache  
> which is
> always active.

	And is tiny.

	Even with the increased size you get on the XL hardware,
any reasonable amount of L3 traffic will kill that table space and
you'll see netflow creation failures.

	- jared

> On Nov 13, 2006, at 9:48 AM, Adam Powers wrote:
> 
> > Unless you’re trying to cut down on network load from NetFlow  
> > packets or you’re collector can’t handle it, you’re better off NOT  
> > using sampled NetFlow on the 6500.
> >
> > To my knowledge (unless something has changed) the 6500 doesn’t  
> > actually sample in the same way as that of the GSRs. The cache is  
> > fully populated as in “full NetFlow” and then sampled on export.  
> > That is, the cache contains all normal NetFlow data (which is what  
> > you’re seeing) but the exported records contain only 1 in <whatever>.
> >
> > There is no performance gain for the 6500. In fact, the process of  
> > sampling the cache on export adds additional overhead.
> >
> > -- 
> >
> > Adam  Powers
> >
> >
> >
> > On 11/13/06 9:32 AM, "Phil Bedard" <philxor at gmail.com> wrote:
> >
> >>        We are currently using sampled netflow on our 6500/7600s using
> >> 12.2SXF and I have a few questions about
> >> sampled netflow on those boxes.   My question is what is being
> >> populated when the packets are sampled, and at the export
> >> interval, what exactly is being exported.   I can do a show ip cache
> >> flow (or show mls netflow ip) and see entries with
> >> packet counts in the 25-100 range, but none of the flows I see
> >> exported have more than 2 packets reported.
> >>
> >>         Is it sampling packets between export intervals, adding them
> >> to a cache to be exported, and then flushes that cache
> >> on export?
> >>
> >> Phil
> >>
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> >
> >
> 
> Phil Bedard
> philxor at gmail.com
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

More information about the cisco-nsp mailing list