[c-nsp] non-sampled netflow on 6500

nick.nauwelaerts at thomson.com nick.nauwelaerts at thomson.com
Fri Mar 17 03:31:21 EST 2006


Hello,
Thank you both for your answer. The machine is mostly used as a beefy
lan switch, and the interface we wish to monitor is a connection to one
of our partners. The monitoring system we have in place right now works
but is too clunky to use. Seeing that the box pushes an aggregate of
about 20-30gbit/sec due to its lan nature, I'll have to look for some
other solution to get traffic monitoring. Right now the only thing I can
come up with is spanning the relevant switch ports or even the vlan.

// nick



-----Original Message-----
From: Tom Zingale (tomz) [mailto:tomz at cisco.com] 
Sent: Thursday, March 16, 2006 8:28 PM
To: Matt Stockdale; Nauwelaerts, Nick (CM Belgium)
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] non-sampled netflow on 6500

The Cat6k does not support per interface NetFlow for hardware flows
today.  The only methods to decrease export are changing the flow masks
(aggregation), export filters or flow sampling and possibly router based
aggregation with v8.  There is a limitation for export filters you
mentioned below.  What we generally tell customers is that about 1 to 3%
(sometimes as high as 5%) of the switched traffic will be generated as
export to the collector. You should be able to size your collector with
this information. 

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matt Stockdale
> Sent: Thursday, March 16, 2006 7:10 AM
> To: nick.nauwelaerts at thomson.com
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] non-sampled netflow on 6500
> 
> I'm doing a full netflow export (on our edge routers, sup720) for about
> 300Mbps of data, with aggressive flow aging, and it's about 2.5Mbps of
> data. If you can live with that overhead, you can just select the data
> you want based on IfIndex, and toss the rest with flow-tools.
> 
> I'm pretty new to the netflow stuff, hopefully someone with more of a
> clue will chime in.
> 
> Matt
> 
> On Thu, 2006-03-16 at 11:55 +0100, nick.nauwelaerts at thomson.com wrote:
> > Hello,
> > I'm trying to get netflow going on a 6500 with sup720s (PFC3a) running
> > ios 12.2(18)SXF1.
> >
> > I went through the document on
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/nde.htm#wp1047637
> > and got it working, for a bit.
> >
> > What I need is to know how much data and what kind goes over a vlan
> > interface, which pushes only 1000pck/s. What I don't want is the data of
> > all the rest that goes through the switch. So I configured "ip
> > route-cache flow" on the vlan interface, which already gives me MSFC
> > flow information. PFC flow information is more troublesome however.
> >
> > My first thought was to place a filter on NDE, I got the subnets for
> > which I needed the information and then found out NDE only allows for 1
> > filter for source and destination, so that was a no go.
> >
> > And now I'm kinda stuck. I don't want to swamp the collector nor switch
> > with exporting the complete mls table, and sampled netflow (which can be
> > done on a per-interface level) isn't accurate enough.
> >
> > Any ideas on how to get non-sampled netflow for just 1 vlan interface on
> > a 6500?
> >
> > Thanks.
> >
> > // nick
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
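
The collector-side selection by ifIndex suggested in the thread, as an added example that is not part of the original messages and does not use flow-tools: it parses NetFlow v5 export datagrams and keeps only flows entering or leaving one interface. It assumes the export format is v5; the function names, ifIndex 42 and the sample addresses are constructed for illustration.

```python
import socket
import struct
HEADER = struct.Struct("!HHIIIIBBH")                 # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # NetFlow v5 flow record, 48 bytes

def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header record count exceeds datagram length")
    for n in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + n * RECORD.size)
        yield {"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
               "input": f[3], "output": f[4], "packets": f[5], "octets": f[6],
               "sport": f[9], "dport": f[10], "proto": f[12]}

def select_interface(datagrams, ifindex):
    """Keep flows whose input or output ifIndex matches; toss the rest."""
    kept, octets_in, octets_out = [], 0, 0
    for datagram in datagrams:
        for flow in parse_v5(datagram):
            if flow["input"] == ifindex:
                octets_in += flow["octets"]
            elif flow["output"] == ifindex:
                octets_out += flow["octets"]
            else:
                continue  # flow never touched the monitored interface
            kept.append(flow)
    return kept, octets_in, octets_out

def build_v5(flows):
    """Pack constructed (src, dst, in_if, out_if, pkts, octets, sport, dport, proto) rows."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), i, o,
                    pk, oc, 0, 0, sp, dp, 0, pr, 0, 0, 0, 0, 0)
        for s, d, i, o, pk, oc, sp, dp, pr in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample export; ifIndex 42 stands in for the monitored VLAN interface.
SAMPLE = build_v5([("10.0.0.5", "192.0.2.10", 42, 7, 10, 1500, 40000, 443, 6),
                   ("10.1.1.1", "10.1.1.2", 3, 4, 100, 150000, 1234, 445, 6),
                   ("192.0.2.10", "10.0.0.5", 7, 42, 8, 9000, 443, 40000, 6)])

if __name__ == "__main__":
    print(select_interface([SAMPLE], 42))
```

The switch still exports every flow in this arrangement; the filtering only reduces what the collector stores and reports on.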


