[c-nsp] non-sampled netflow on 6500

Tom Zingale (tomz) tomz at cisco.com
Fri Mar 17 11:08:06 EST 2006


If you think about it NetFlow is quite scalable compared to most other
solutions. We take all the traffic information and compress it into a
relatively small amount of export and this export gives you a very good
view of network details.  

> -----Original Message-----
> From: nick.nauwelaerts at thomson.com [mailto:nick.nauwelaerts at thomson.com]
> Sent: Friday, March 17, 2006 12:31 AM
> To: Tom Zingale (tomz); mstockda at logicworks.net
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] non-sampled netflow on 6500
> 
> Hello,
> Thank you both for your answer. The machine is mostly used as a beefy
> lan switch, and the interface we wish to monitor is a connection to one
> of our partners. The monitoring system we have in place right now works
> but is too clunky to use. Seeing that the box pushes an aggregate of
> about 20-30gbit/sec due to its lan nature, I'll have to look for some
> other solution to get traffic monitoring. Right now the only thing I can
> come up with is spanning the relevant switch ports or even the vlan.
> 
> // nick
> 
> 
> 
> -----Original Message-----
> From: Tom Zingale (tomz) [mailto:tomz at cisco.com]
> Sent: Thursday, March 16, 2006 8:28 PM
> To: Matt Stockdale; Nauwelaerts, Nick (CM Belgium)
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] non-sampled netflow on 6500
> 
> The Cat6k does not support per interface NetFlow for hardware flows
> today.  The only methods to decrease export are changing the flow masks
> (aggregation), export filters or flow sampling and possibly router based
> aggregation with v8.  There is a limitation for export filters you
> mentioned below.  What we generally tell customers is that about 1 to 3%
> (sometimes as high as 5%) of the switched traffic will be generated as
> export to the collector. You should be able to size your collector with
> this information.
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matt Stockdale
> > Sent: Thursday, March 16, 2006 7:10 AM
> > To: nick.nauwelaerts at thomson.com
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] non-sampled netflow on 6500
> >
> > I'm doing a full netflow export (on our edge routers, sup720) for about
> > 300Mbps of data, with aggressive flow aging, and it's about 2.5Mbps of
> > data. If you can live with that overhead, you can just select the data
> > you want based on IfIndex, and toss the rest with flow-tools.
> >
> > I'm pretty new to the netflow stuff, hopefully someone with more of a
> > clue will chime in.
> >
> > Matt
> >
> > On Thu, 2006-03-16 at 11:55 +0100, nick.nauwelaerts at thomson.com wrote:
> > > Hello,
> > > I'm trying to get netflow going on a 6500 with sup720s (PFC3a) running
> > > ios 12.2(18)SXF1.
> > >
> > > I went through the document on
> > > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/nde.htm#wp1047637
> > > and got it working, for a bit.
> > >
> > > What I need is to know how much data and what kind goes over a vlan
> > > interface, which pushes only 1000pck/s. What I don't want is the data of
> > > all the rest that goes through the switch. So I configured "ip
> > > route-cache flow" on the vlan interface, which already gives me MSFC
> > > flow information. PFC flow information is more troublesome however.
> > >
> > > My first thought was to place a filter on NDE, I got the subnets for
> > > which I needed the information and then found out NDE only allows for 1
> > > filter for source and destination, so that was a no go.
> > >
> > > And now I'm kinda stuck. I don't want to swamp the collector nor switch
> > > with exporting the complete mls table, and sampled netflow (which can be
> > > done on a per-interface level) isn't accurate enough.
> > >
> > > Any ideas on how to get non-sampled netflow for just 1 vlan interface on
> > > a 6500?
> > >
> > > Thanks.
> > >
> > > // nick
> > >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
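
The collector-side approach suggested in the thread (take the full export, keep only flows on one ifIndex, discard the rest) can be sketched as follows. This is an added example, not code from any poster or from flow-tools; it assumes the switch exports NetFlow v5 datagrams with populated input/output ifIndex fields, and the sample records, addresses and ifIndex 12 are constructed for illustration.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # Reject datagrams whose header claims more records than were received.
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield {"src": str(ipaddress.IPv4Address(f[0])),
               "dst": str(ipaddress.IPv4Address(f[1])),
               "input": f[3], "output": f[4],
               "packets": f[5], "octets": f[6], "proto": f[13]}

def totals_for_ifindex(datagrams, ifindex):
    """Keep flows entering or leaving `ifindex`; return (flows, packets, octets)."""
    flows = packets = octets = 0
    for d in datagrams:
        for r in parse_v5(d):
            if ifindex in (r["input"], r["output"]):
                flows += 1
                packets += r["packets"]
                octets += r["octets"]
    return flows, packets, octets

def build_v5(records):
    """Build a constructed datagram from (src, dst, in, out, pkts, octets, proto)."""
    body = b"".join(
        RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                    bytes(4), i, o, p, b, 0, 0, 0, 0, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for s, d, i, o, p, b, proto in records)
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample: two flows touch ifIndex 12 (hypothetical), one does not.
SAMPLE = [build_v5([("192.0.2.10", "198.51.100.5", 12, 3, 10, 8400, 6),
                    ("192.0.2.77", "203.0.113.9", 4, 7, 500, 700000, 6),
                    ("198.51.100.5", "192.0.2.10", 3, 12, 8, 1200, 6)])]

if __name__ == "__main__":
    print(totals_for_ifindex(SAMPLE, 12))
```

Filtering this way reduces what the collector stores, not what the switch exports, so the export volume discussed in the thread still has to be carried to the collector.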


