[c-nsp] Cisco 6500/7600 netflow questions
Bill Nash
billn at billn.net
Mon Nov 13 11:03:44 EST 2006
On Mon, 13 Nov 2006, Adam Powers wrote:
> Unless you¹re trying to cut down on network load from NetFlow packets or
> you¹re collector can¹t handle it, you¹re better off NOT using sampled
> NetFlow on the 6500.
>
> To my knowledge (unless something has changed) the 6500 doesn¹t actually
> sample in the same way as that of the GSRs. The cache is fully populated as
> in ³full NetFlow² and then sampled on export. That is, the cache contains
> all normal NetFlow data (which is what you¹re seeing) but the exported
> records contain only 1 in <whatever>.
>
> There is no performance gain for the 6500. In fact, the process of sampling
> the cache on export adds additional overhead.
>
I'd agree with Adam, on this point. If you're going to take a CPU hit
anywhere for dealing with that data, you might as well 'take it in the
analyzer', so to speak, so it doesn't impact your production hardware and
traffic. This is the point where the question of how you use your
collected data becomes more important.
- billn
More information about the cisco-nsp
mailing list