[c-nsp] Re: access-list on C6509 not matching packets

Tim Stevenson tstevens at cisco.com
Tue Feb 14 13:28:27 EST 2006

At 10:05 AM 2/14/2006, Zitibake submitted:
>Thanks for the tips; tcam not showing anything:
>core-4.mpls#sh tcam interface gig 7/2 acl out ip
>     permit       ip any any
>     deny         ip any any
>     deny         ip any any
>...so I will use Netflow.

Yeah, probably you have a PFC3A then.

>The nice thing about access-lists is that you will see even one hit to each
>line.  With sampled NetFlow... who knows what you missed?  If I run unsampled
>NetFlow (with a gigabit port to my collector), what are the chances that a
>DDoS stepping through flows would cause a forwarding issue?

Full NF is independent of forwarding in PFC3; you should see no 
impact to throughput even with an overflowing NF table (but of 
course, you won't see stats for the excess entries). Aggressive aging 
can help there to some extent.

NF data export though will increase the RP CPU load so if you are 
exporting the flow records as they expire, you could affect your CPU 
or that of the collector.


>Any ballpark numbers for kpps (mpps?)?  I remember on the M20, NetFlow used
>to crash under load, which was both a blessing and a curse.  I can guarantee
>that the device will not receive more than about 1 Gbps of aggregate traffic.

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
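
The knobs Tim refers to (hardware NetFlow on the PFC3, the flow-table aging timers, and NDE export to a collector), written out as an added IOS configuration example. This is not from the original message or from Cisco documentation; the collector address 192.0.2.10, the export port, Loopback0 and GigabitEthernet7/2 are placeholder values, and the specific timer values are illustrative rather than recommended settings.

```text
! --- Hardware NetFlow on the PFC3 (added example; values are placeholders) ---
mls netflow
! Full flow mask so each 5-tuple gets its own entry (most visibility, most table use)
mls flow ip interface-full

! --- Aging: shorten the timers so a flow flood recycles table entries sooner ---
! normal aging: idle entries are purged after this many seconds (default is 300)
mls aging normal 64
! fast aging: entries that saw fewer than <threshold> packets in <time> seconds go early
mls aging fast time 8 threshold 1
! long aging: even active entries are flushed/re-created after this many seconds
mls aging long 128

! --- NDE export (this is the part that lands on the RP CPU and the collector) ---
mls nde sender version 5
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 192.0.2.10 9996

! Optional: fall back to sampled NetFlow on a busy port if export load is a problem
mls sampling time-based 64
interface GigabitEthernet7/2
 mls netflow sampling

! --- Checks after applying (watch table occupancy and NDE counters under load) ---
! show mls netflow ip count
! show mls aging
! show mls nde
! show processes cpu sorted
```

The trade-off follows the reply above: aggressive aging keeps the PFC's flow table from filling during a flow-stepping DDoS, but every aged-out entry becomes an export record, so shorter timers raise the RP and collector load rather than the forwarding load. Compare `show mls netflow ip count` against the platform's table size and `show processes cpu sorted` during a test burst before trusting the numbers in production.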
