[c-nsp] Sampled netflow on 6500/7600

Tim Stevenson tstevens at cisco.com
Sat Jul 1 20:25:53 EDT 2006 

Sampled NF won't buy you anything WRT the TCAM utilization, there is 
no impact whatever on the TCAM when enabling sampling, it only 
reduces the amount of load on the CPU & collector because less data 
is being exported.

The only ways to scale NF with many flows today are:
- more agressive aging
- add DFCs

However, both of these will increase the CPU utilization as you try 
to age/export all those flows, so there is a tradeoff and you may or 
may not be able to find a happy medium in your network.

Per-interface NF is on the roadmap, which will *only* enable NF entry 
creation for the specified interfaces rather than all interfaces as 
it is today.

Tim

At 07:28 PM 6/30/2006 -0400, Matt Stockdale uttered:
>Hmm, I'm seeing a non-trival tcam load on even less traffic, but I have
>a non 3bxl 720
>
>Summary of Netflow CAM Utilization (as a percentage)
>====================================================
>TCAM Utilization             :   26%
>ICAM Utilization             :   0%
>
>Of course, I'm doing v5 peer-as export, but it's only on a few hundred
>Mbps of traffic. (edge router)
>
>I guess that's not very helpful, but maybe it can confirm your suspicion
>that you'll need to move to sampled netflow.
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richard A
>Steenbergen
>Sent: Friday, June 30, 2006 6:39 PM
>To: Bill Nash
>Cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Sampled netflow on 6500/7600
>
>On Fri, Jun 30, 2006 at 06:24:03PM -0400, Bill Nash wrote:
> >
> > I'm not going to even pretend to have your level of expertise here,
> > but I'm only seeing one or two percent tcam utilization on a
> > moderately loaded 6509. I suppose it's also possible that even though
> > I'm configured in such a manner that I'm still pulling 15 to 16 gigs
> > of raw flows out of my network on a daily basis, I'm still doing it
>wrong.
>
>Well just to clarify, by moderate load I mean something like:
>
>      Forwarding engine load:
>                      Module       pps   peak-pps
>peak-time
>                      5        1489010    2542352  13:05:48 EDT Sun May
>21 2006
>
>show fabric utilization all:
>  slot    channel      speed    Ingress %     Egress %
>     1          0        20G           17            6
>     1          1        20G           15           12
>     4          0        20G            5           10
>     4          1        20G            8           16
>     5          0        20G            0            0
>
>Aka nowhere close to "large volumes of traffic", but not completely
>empty, just a typical aggregation box pushing typical internet traffic.
>
>Summary of Netflow CAM Utilization (as a percentage)
>====================================================
>TCAM Utilization             :   72%
>ICAM Utilization             :   0%
>
>Destination flowmask only, v4 sampling only, v5 export, etc.
>
>--
>Richard A Steenbergen <ras at e-gerbil.net>
>http://www.e-gerbil.net/ras
>GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1
>2CBC) _______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/



Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

More information about the cisco-nsp mailing list