[c-nsp] 6500 netflow export and the switch cpu

Ben Steele ben.steele at internode.on.net
Thu Sep 11 20:56:00 EDT 2008


"It looks like the fix was to enable flow-sampling."

Out of curiosity what are you using your netflow for? I'm asking because
sampling obviously isn't ideal when you are trying to get completely
accurate data for accounting.

I am interested in hearing people's opinions on their methods of accounting
when data hits well beyond the TCAM limit (and you're already on DFCs) and
you are in an all-Ethernet switched world (i.e. not broadband PPP RADIUS
accounting). Do you try and distribute the netflow onto multiple boxes
closer to the edge, or do you opt for another method?

There is the easy option of byte counting switchports via SNMP, but if
people are wanting statistics of who's been where (possible legal reasons) or
where the majority of traffic is coming from, then that is not enough. Maybe
a mix of sampled netflow and switchport byte counting?

It feels a shame using DFCs for a margin of their capacity purely because
you need the TCAM space to produce netflow.

Ben




