[c-nsp] Cisco 6500/7600 netflow questions

Phil Bedard philxor at gmail.com
Mon Nov 13 10:13:18 EST 2006 

Yeah we are using Sup2s and definitely have seen table space issues.

Phil


On Nov 13, 2006, at 10:04 AM, Jared Mauch wrote:

> On Mon, Nov 13, 2006 at 09:56:36AM -0500, Phil Bedard wrote:
>> That's really the  meat of my question.  With the sampling enabled on
>> all of our ingress interfaces, what exactly is being exported?
>> On the software-based platforms the sampling builds the netflow
>> tables, on the 6500/7600 there is the hardware MLS netflow cache
>> which is
>> always active.
>
> 	And is tiny.
>
> 	Even with the increased size you get on the XL hardware,
> any reasonable amount of L3 traffic will kill that table space and
> you'll see netflow creation failures.
>
> 	- jared
>
>> On Nov 13, 2006, at 9:48 AM, Adam Powers wrote:
>>
>>> Unless you’re trying to cut down on network load from NetFlow
>>> packets or you’re collector can’t handle it, you’re better off NOT
>>> using sampled NetFlow on the 6500.
>>>
>>> To my knowledge (unless something has changed) the 6500 doesn’t
>>> actually sample in the same way as that of the GSRs. The cache is
>>> fully populated as in “full NetFlow” and then sampled on export.
>>> That is, the cache contains all normal NetFlow data (which is what
>>> you’re seeing) but the exported records contain only 1 in  
>>> <whatever>.
>>>
>>> There is no performance gain for the 6500. In fact, the process of
>>> sampling the cache on export adds additional overhead.
>>>
>>> -- 
>>>
>>> Adam  Powers
>>>
>>>
>>>
>>> On 11/13/06 9:32 AM, "Phil Bedard" <philxor at gmail.com> wrote:
>>>
>>>>        We are currently using sampled netflow on our 6500/7600s  
>>>> using
>>>> 12.2SXF and I have a few questions about
>>>> sampled netflow on those boxes.   My question is what is being
>>>> populated when the packets are sampled, and at the export
>>>> interval, what exactly is being exported.   I can do a show ip  
>>>> cache
>>>> flow (or show mls netflow ip) and see entries with
>>>> packet counts in the 25-100 range, but none of the flows I see
>>>> exported have more than 2 packets reported.
>>>>
>>>>         Is it sampling packets between export intervals, adding  
>>>> them
>>>> to a cache to be exported, and then flushes that cache
>>>> on export?
>>>>
>>>> Phil
>>>>
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>
>>>
>>
>> Phil Bedard
>> philxor at gmail.com
>>
>>
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> -- 
> Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> clue++;      | http://puck.nether.net/~jared/  My statements are  
> only mine.

Phil Bedard
philxor at gmail.com

More information about the cisco-nsp mailing list