[c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls

Peter Rathlev peter at rathlev.dk
Tue May 20 14:27:48 EDT 2008


Hi Chris,

On Tue, 2008-05-20 at 14:03 -0400, Chris Riling wrote:
> I know this has been asked thousands of times before, but I don't think
> anyone has ever answered it in quite the same fashion. I'm thinking
> about turning on netflow on my border routers (7606's with Sup32's /
> full routes);

Impressive. I didn't think Sup32 could do full routes any longer. :-)

> Think I'll see any issues from turning on the exports?

It shouldn't have any impact on the hardware forwarding of the box, but
the export uses some CPU on the MSFC. On our Sup720s the CPU spends most
of its time around 0-1%, exporting on average ~400 flows per second.
They're not really doing much else with the CPU though, no full tables
or anything. The Sup32 may be stressed a little more, and it all depends
on how many flows you export.

You also need to think about the TCAM; there's a limit on how many flows
you can store at once, maybe forcing you to use aggressive aging timers.

AFAIK no Netflow configuration should have any impact on the forwarding
performance of the box, but I may be very wrong. ;-)

> Also, specifically, we're looking to see the ability to generate
> reports for say, a /22, and the amount of transfer for each host in
> the /22 that has entered / exited our network at the border (MRTG on
> the switchports isn't going to cut it). I've heard that a lot of
> people use ntop for this sort of thing, but in the demo I wasn't able
> to find anything that did exactly this, and I wanted to consult the
> list before turning on Netflow at the border routers anyway. I've also
> heard of people using stager for the report generation; can stager do
> the same sort of thing?

We're using nfdump/NFSen and it can do all kinds of sweet things
regarding aggregation. We're not using it for billing though, just for
baselining and such.

This reminds me: All the flows we receive max out at ~2.1GB. I'd like to
assume that this is because the switches automatically age flows before
they reach the 32-bit limit (or 31-bit?); can anyone confirm this?

Regards,
Peter
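
Added example, not part of the original message and not code from nfdump, NFSen, ntop or stager: a sketch of the per-host report asked about in this thread, summing bytes in and out for every host of a /22 from exported flow records. It assumes the flows have already been converted to CSV with hypothetical src, dst and bytes columns; the prefix and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export (src, dst, bytes); not real traffic.
# 192.0.2.x and 198.51.100.x stand in for hosts outside the network.
SAMPLE_FLOWS = """\
src,dst,bytes
10.20.0.5,192.0.2.10,1500
192.0.2.10,10.20.0.5,2100000000
192.0.2.10,10.20.0.5,2100000000
192.0.2.10,10.20.0.5,300000000
10.20.3.250,198.51.100.7,42000
198.51.100.7,10.20.3.250,900
10.20.0.5,10.20.1.9,5000
192.0.2.10,198.51.100.7,7000
"""

def per_host_usage(flow_csv, prefix):
    """Return {host: {"in": bytes, "out": bytes}} for hosts inside prefix."""
    net = ip_network(prefix)
    usage = defaultdict(lambda: {"in": 0, "out": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        nbytes = int(row["bytes"])
        src_in, dst_in = src in net, dst in net
        if src_in == dst_in:
            # Both ends inside the prefix (never crossed the border) or
            # both outside (transit): not attributable to a customer host.
            continue
        # One long transfer can arrive as several records; summing them
        # per host gives the total, which may exceed 2**32 bytes.
        if src_in:
            usage[str(src)]["out"] += nbytes
        else:
            usage[str(dst)]["in"] += nbytes
    return dict(usage)

def report(usage):
    """Format one line per host, sorted numerically by address."""
    return [f"{h:<15} in={usage[h]['in']:>12} out={usage[h]['out']:>8}"
            for h in sorted(usage, key=ip_address)]

if __name__ == "__main__":
    print("\n".join(report(per_host_usage(SAMPLE_FLOWS, "10.20.0.0/22"))))
```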



