[c-nsp] Netflow on SUP720-3BXL

Andreas Bourges andy-lists at bourges.de
Sun Mar 15 12:18:19 EDT 2009


Hi,


On Sunday 15 March 2009 15:45:30 Andy BIERLAIR wrote:
> I'm trying to run netflow on one of our Cisco core routers (SUP720-3BXL
> with SXF15a), but I think I am hitting some limitations because of this:

>   mls aging fast time 5 threshold 32
>   mls aging long 300
>   mls aging normal 60

> Then I have this enabled on all border interfaces/vlans (peering / transit
> / other core routers) that are of interest for my stats:
>
>   ip route-cache flow

This command only affects packets processed by the MSFC - so at least with 
your IOS it doesn't matter if you configured it on all interfaces or only on 
some. Once MLS NDE is activated, it exports all observed flows regardless of 
the "ip route-cache flow" command...

You could upgrade to an IOS >= SXH, which lets you enable mls nde on a per 
interface basis - this would (depending on your setup) reduce the amount of 
created flow entries (I suspect...).

> I have heard that more aggressive aging might help, but I expect the
> router's traffic and pps to increase dramatically, so I'll be hitting the
> roof over and over again.
>
> I wouldn't mind analyzing only every 10th or 100th flow (sampling), which
> seems to be a common practice, but will it help?

This won't help on 65K/76K, since they only support "flow-sampling" - which 
means all flows are created in the tcam but not all of them are exported to 
the collector (to reduce export load and collector load).

> What is the common netflow setup without additional DFCs for a busy router?

Since you are already equipped with Sup720-3BXL the one thing that can help is 
to set the mls aging timers more aggressively, I suppose.
If (and I'm not sure about that) per-interface mls nde reduces the created 
flows in the tcam, an upgrade to SXH could help, too...
Another thing would be to set the flow-mask to something different than "full" 
- which gives you less information but produces less flows, too. Depends on 
your needs.

Regards,

Andy

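An added illustration, not part of the original message and not Cisco code: a simplified Python model of the two points made in the reply above, that the flow mask determines how many table entries the same traffic creates, while flow sampling only reduces what is exported to the collector. The traffic, the three mask definitions and the 1-in-N export rule are constructed assumptions, not a description of the hardware's exact behaviour.

```python
"""Simplified model of a hardware NetFlow table: entries created vs. exported."""
from itertools import product

# Fields that form the table key under each flow mask (simplified assumption).
FLOW_MASKS = {
    "destination": ("dst",),
    "destination-source": ("src", "dst"),
    "full": ("src", "dst", "proto", "sport", "dport"),
}


def constructed_packets():
    """Constructed traffic: 20 clients x 5 servers x 2 services x 4 source ports."""
    clients = [f"10.0.0.{i}" for i in range(1, 21)]
    servers = [f"192.0.2.{i}" for i in range(1, 6)]
    for src, dst, dport, sport in product(clients, servers, (80, 443),
                                          range(40000, 40004)):
        yield {"src": src, "dst": dst, "proto": 6, "sport": sport, "dport": dport}


def table_entries(packets, mask):
    """Distinct keys the flow table must hold for this traffic under a mask."""
    fields = FLOW_MASKS[mask]
    return {tuple(p[f] for f in fields) for p in packets}


def simulate(mask, sample_one_in=1):
    """Return (entries created in the table, entries exported).

    Sampling is modelled as the reply describes it: every flow still occupies
    a table entry, and only 1 in N entries is sent to the collector.
    """
    entries = sorted(table_entries(constructed_packets(), mask))
    exported = entries[::sample_one_in]
    return len(entries), len(exported)


if __name__ == "__main__":
    for mask in FLOW_MASKS:
        for n in (1, 100):
            created, exported = simulate(mask, n)
            print(f"mask={mask:<19} sampling=1/{n:<3} "
                  f"table={created:>4} exported={exported:>3}")
```

The coarser masks shrink the table but drop ports and protocol from every record, which limits what a collector can later say about a given host or service.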
