[c-nsp] Sampled netflow on 6500/7600

Bill Nash billn at odyssey.billn.net
Fri Jun 30 18:24:03 EDT 2006 

I'm not going to even pretend to have your level of expertise here, but 
I'm only seeing one or two percent tcam utilization on a moderately loaded 
6509. I suppose it's also possible that even though I'm configured in 
such a manner that I'm still pulling 15 to 16 gigs of raw flows out of my 
network on a daily basis, I'm still doing it wrong.

Catch me off list and we can yammer about it.

- billn

On Fri, 30 Jun 2006, Richard A Steenbergen wrote:

> Ok so, I'd like to see if I can get to the bottom of the netflow issues on
> 6500/7600s once and for all. Everyone I've talked to who is trying to do
> netflow on those platforms and push any decent amount of traffic seems to
> be running into the same issue, namely rapid netflow tcam exhaustion on
> even 3BXLs with only a few gigs of ordinary traffic.
>
> I've been able to BARELY scrape by, by setting the flowmask to destination
> only and using super aggressive aging, so that "most" boxes are not at
> 100% tcam utilization "most" of the day. Even going to destination-source
> on a lightly loaded box instantly fills the tcam.
>
> Trying to enable netflow sampling actually makes the situation worse. The
> sampling appears to be done at export time instead of sample time, so
> there is no help for the tcam. Also, enabling the time/packet based
> sampling most frequently noted in the documentation forces the flowmask to
> "interface-full", which exhausts all the the tcam 24/7 on a box that is
> pushing even a few gigs of traffic. One big down-side to not being able to
> enable sampling is the large volume of netflow traffic generated, you can
> easily end up exceeding 100Mbps worth of netflow data by deploying a few
> 7600s, even with dest-only flowmasks (also the documentation notes that
> data under the nexthop/egress ifindex fields may not be accurate with
> dest-only flowmasks). I haven't tried netflow aggregation yet, but I've
> heard it has the same problem, the aggregation is done at export time.
>
> So, after digging through the documentation I found a little-referenced
> command for random sampling which appears to be implemented in SXF and
> SRA, "flow-sampler". So for example, using:
>
> flow-sampler-map sampling
> mode random one-out-of 1000
>
> int g#/#
> flow-sampler sampling
>
> And of course removing the old "ip flow ingress" commands first, the
> router does seem to be exporting netflow data but with no noticable
> reduction in tcam or amount of data being exported. Also, multiplying the
> data received by 1000 leads to wild values, so I think its safe to assume
> that nothing is being sampled. All of the "ip flow ingress" commands on
> the entire box have been removed for these tests, on both SXF4 and SRA.
> The only feature difference in SRA appears to be that you can do
> flow-sampler egress (and ip flow egress), but for this test it is ingress
> only.
>
> Ideas?
>
> -- 
> Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list