[c-nsp] 6500 Netflow

virendra rode // virendra.rode at gmail.com
Thu Apr 17 13:54:15 EDT 2008


Ian Cox wrote:
> At 07:12 PM 4/17/2008 +0200, Gert Doering wrote:
>> Hi,
>>
>> On Thu, Apr 17, 2008 at 09:43:22AM -0700, Ian Cox wrote:
>> > Prior to 12.2(33)SXH netflow on the 6500 was enabled on a global
>> > basis. Which is different to all the router platforms where it is
>> > enabled on a per interface basis. In 12.2(33)SXH for the 6500 and
>> > 12.2(33)SRA for the 7600 NDE was finally changed to be enabled on a
>> > per interface basis like other cisco platforms.
>>
>> This is good news.
>>
>> I've heard different rumors on the actual implementation, though.  So
>> maybe you can clarify?
>>
>> One rumor was that SXH and SR* still have *all* flows in the netflow
>> TCAM, and only filter on output, in the RP CPU.
> 
> This is not how per interface works. Flows are only created in the
> netflow table for interfaces it is enabled on. Interfaces without
> netflow enabled drive a null flow mask and this results in no entries
> being created in the netflow table for those interfaces. If you enable
> nde on an interface this results in a non-null flow mask being used and
> an entry being created in the table.
> 
> 
> Ian
-----------------------------
Hmm, so does that mean enabling netflow on the main interface and not
sub-interface(s) won't collect netflow and/or populate netflow table
for the sub-interface?

Doing a quick test on my lab router 2800 running 12.4(10c) shows netflow
collector gathering data from sub-interface w/ "ip route-cache flow"
enabled on the main interface, or am I confusing myself?

sh ip cache flow shows traffic being sourced from sub-interface.



regards,
/virendra

> 
>>  Which would mean that this feature
>> reduces the amount of data exported to the collectors, and the amount of
>> processing needed there to filter wanted/unwanted interfaces (which is
>> good), but that it would not reduce netflow TCAM contention, and possibly
>> even increase RP CPU load.
>>
>> The second rumor is that SRC is actually filtering already upon
>> *collection*, so that the TCAM usage and RP CPU load would dramatically
>> go down if you only have netflow collection enabled on a few interfaces.
>>
>>
>> Soooo... any truth in this?
>>
>> gert
>> -- 
>> USENET is *not* the non-clickable part of WWW!
>>
>> //www.muc.de/~gert/
>> Gert Doering - Munich, Germany        gert at greenie.muc.de
>> fax: +49-89-35655025                  gert at net.informatik.tu-muenchen.de
>>
> 
> 

