[c-nsp] 6500 netflow export and the switch cpu
Joe Loiacono
jloiacon at csc.com
Thu Sep 11 14:41:52 EDT 2008
I wonder if it is not something in the config, rather than the traffic. I
collect netflow from an old 6509 with upwards of 800M out one interface
and I haven't seen any problems.Using if-full too. Granted a lot of our
flows are data set transfers though. (I can't get the IOS version right
now as it is managed by a different group - but it is probably fairly
vanilla.)
The number of flows was mentioned, is there alot of VoIP going through
your switch, or something like that? What happens if you reduce the aging
values? The 'long' one looks high.
It just seems that with the load you are quoting, you should be able to
get everything...
Joe
Jon Lewis <jlewis at lewis.org>
Sent by: cisco-nsp-bounces at puck.nether.net
09/11/2008 01:52 PM
To
Phil Mayers <p.mayers at imperial.ac.uk>
cc
cisco-nsp at puck.nether.net
Subject
Re: [c-nsp] 6500 netflow export and the switch cpu
On Thu, 11 Sep 2008, Phil Mayers wrote:
>> current ip flowmask for unicast: if-full
>> current ipv6 flowmask for unicast: null
>
> Do you need the full mask? It includes tcp/udp ports. Dropping to
> destination-source may save you a lot of flows (but obviously lose you a
lot
> of info)
I'd really like to keep ip-full. It's quite handy when tracking down what
an IP has been up to (like when trying to verify infection/scanning
complaints).
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list