[c-nsp] Cisco 6500/7600 netflow questions

[Phil Bedard]

We have some 7600s that are hitting the table entry limit fairly  
often so for full
export I could see it exporting quite a bit.   That export process
may be what impacts the CPU.

The sampling is done on individual interfaces which  makes me think  
that it populates
some table and every x seconds exports that table and flushes it.  
That's why we only
see 1-2 packets per flow when they are exported.

That's my guess as to what it's doing, I couldn't really find any  
specific information on that.

Phil


On Nov 13, 2006, at 11:03 AM, Bill Nash wrote:

>
> On Mon, 13 Nov 2006, Adam Powers wrote:
>
>> Unless you¹re trying to cut down on network load from NetFlow  
>> packets or
>> you¹re collector can¹t handle it, you¹re better off NOT using sampled
>> NetFlow on the 6500.
>>
>> To my knowledge (unless something has changed) the 6500 doesn¹t  
>> actually
>> sample in the same way as that of the GSRs. The cache is fully  
>> populated as
>> in ³full NetFlow² and then sampled on export. That is, the cache  
>> contains
>> all normal NetFlow data (which is what you¹re seeing) but the  
>> exported
>> records contain only 1 in <whatever>.
>>
>> There is no performance gain for the 6500. In fact, the process of  
>> sampling
>> the cache on export adds additional overhead.
>>
>
> I'd agree with Adam, on this point. If you're going to take a CPU hit
> anywhere for dealing with that data, you might as well 'take it in the
> analyzer', so to speak, so it doesn't impact your production  
> hardware and
> traffic. This is the point where the question of how you use your
> collected data becomes more important.
>
> - billn

Phil Bedard
philxor at gmail.com