[c-nsp] 6500 netflow export and the switch cpu

Ivan Gasparik ivan at ig.sk
Fri Sep 12 15:32:02 EDT 2008


It depends on the amount of traffic you are planning to analyze.
In my experience from an ISP environment a 3BXL with 256000 netflow
entries can handle about 3Gb/s of average internet traffic
without overrunning the netflow cache. But you have to use really
aggressive timers to force flows to time out very quickly and to
make space for newly created flow entries.
Big guys would say, move to CRS with 1024000 netflow entries per
slot and more powerful CPUs ;-)
I plan to try the way mentioned by you - mirroring traffic to
some fprobe server. Is anybody here running an external server for
netflow analysis? I would be interested in your experiences,
especially what hardware is needed for processing 10Gb/s of
traffic.

Ivan


On Fri, Sep 12, 2008 at 01:09:05AM +0800, cc loo wrote:
> I was wondering if mirroring the traffic into a server with Netflow probes
> (such as fprobe) to help relieve the stress on the router's CPU would be a
> wise move?
> Is this move common in ISP environments or do most of the big guys just
> leave the exporting from routers to collectors?
> 
> 
> 
> On Thu, Sep 11, 2008 at 11:50 PM, Jon Lewis <jlewis at lewis.org> wrote:
> 
> > I've got a 6509 with sup720-3bxl running 12.2(18)SXD7b.  It's forwarding
> > several hundred mbit/s across a number of gig ports on WS-X6416-GBIC cards.
> >
> > I've noticed it's gotten very slow at certain things (like write mem), and
> > when looking at the switch (remote command switch show proc cpu), I was kind
> > of shocked to see 85% CPU utilization or higher across all time avgs. The
> > biggest CPU eating process seems to be netflow export
> >
> >  223  2563111984 126342970      20287 38.27% 42.39% 42.03%   0 NDE - IPV4
> >
> > Other than disabling export or moving traffic off this device, are there
> > things I can do to tone this down?  The couple hundred mbit/s this switch is
> > forwarding is supposed to be no big deal for this platform.
> >
> > ----------------------------------------------------------------------
> >  Jon Lewis                   |  I route
> >  Senior Network Engineer     |  therefore you are
> >  Atlantic Net                |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >

