[c-nsp] network design for NetFlow

Sam Stickland sam_ml at spacething.org
Thu Aug 19 15:00:06 EDT 2004



On Tue, 17 Aug 2004, Burton Windle wrote:

> I am trying to figure out how to gather NetFlow info for data on my
> internet pipe.  My network is designed as such:
>
> ISP
>  |
>  |
> Cisco router
>  |
>  |
> PIX Firewall
>  |
>  |
> Core network (6509)
>
> The PIX doesn't appear to support exporting Netflow, and the only NetFlow
> data the 6509s appears to spit out is about packets that get punted up to
> the CPU.
>
> The router that is connected to my ISP would work, but because our PIX is
> doing NAT, all traffic from behind it looks like it is from the same IP,
> so that won't help us track down bandwidth abusers.
>
> Without adding any new hardware into the mix, what are my options? I'd
> rather leave my 6509 doing hardware-based switching for obvious reasons.

Was setting this up myself earlier today on a Sup2 and this is what I've 
found so far.

I think this will do what you need:

mls flow ip interface-full
! (NB. Version 5 is not supported by all IOS versions)
mls nde sender version 5
mls nde interface

And then the netflow statements you already have should also export the 
flows from the sup2.

Probably also want to tune the aging timers. Start with:

mls aging long 300
mls aging normal 32

And then check:

remote command switch sh earl stati | inc NF_FULL|Name

To see if you are still missing flows, and adjust 'mls aging fast x' 
accordingly. Not sure how many flows it is 'OK' to miss. We use 'mls aging 
fast 8', which is possibly a bit too aggressive.

I _think_ that ought to continue to do all the switching in hardware, but 
I've only tried this so far on a very lightly loaded 6509 (~80Mbps traffic). 
CPU usage on the Sup2 and on the MSFC went up a few percent, but it seems 
to be a base-line increase rather than one that's moving with traffic 
load, like MSFC punted traffic makes it do.

Hope that helps,

Sam
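An added example, not part of Sam's reply or of any Cisco tool: a minimal Python decoder for the NetFlow v5 datagrams that "mls nde sender version 5" exports, summing octets per inside source address so the pre-NAT hosts the original question wants to identify stand out. The datagram it decodes is constructed inside the block (hypothetical addresses and counters, not captured from a switch), and the parser checks the header's record count against the datagram length so a truncated export raises instead of being silently mis-read.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header, then `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Decode one v5 export datagram into (header dict, list of flow dicts)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, _uptime, _secs, _nsecs, flow_seq,
     _etype, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header claims %d records but datagram is truncated" % count)
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "packets": f[5], "octets": f[6],
                      "src_port": f[9], "dst_port": f[10], "proto": f[13]})
    # flow_seq lets a collector notice dropped export datagrams (gaps in the sequence)
    return {"count": count, "flow_seq": flow_seq, "engine_id": engine_id,
            "sampling": sampling}, flows

def top_talkers(flows, n=3):
    """Sum octets per inside source address: the pre-NAT 'bandwidth abuser' view."""
    totals = defaultdict(int)
    for fl in flows:
        totals[fl["src"]] += fl["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def build_v5(flows, flow_seq=0):
    """Build a constructed test datagram (hypothetical values, not device output)."""
    hdr = V5_HEADER.pack(5, len(flows), 0, 0, 0, flow_seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                       pkts, octs, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for (s, d, pkts, octs, sp, dp, proto) in flows)
    return hdr + body

# Four constructed flows: RFC 1918 inside hosts to documentation-range destinations.
SAMPLE = build_v5([("10.1.1.5", "192.0.2.10", 400, 600000, 51234, 80, 6),
                   ("10.1.1.7", "192.0.2.11", 10, 1500, 51235, 443, 6),
                   ("10.1.1.5", "192.0.2.12", 20, 30000, 51236, 22, 6),
                   ("10.1.1.9", "192.0.2.10", 5, 500, 51237, 53, 17)])
```

Feeding `parse_v5` the payload of each UDP datagram received on the collector port and accumulating `top_talkers` over time gives the per-host view the PIX's NAT hides from the upstream router.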