[c-nsp] Netflow on SUP720-3BXL

Andy BIERLAIR andy.bierlair at root.lu
Sun Mar 15 12:46:52 EDT 2009


I am not sure if I can upgrade this box to SXH. It would help, since a lot
of interfaces on that box are for customers who don't need the flow
counting.
This is a critical environment and I cannot afford the downtime and possible
side effects with a new IOS I haven't tested so far.

The mission I would like to achieve is not accounting for customers (would
be nice to have though), but more an analysis tool that shows me how much
traffic I am exchanging with a certain ASN, so that we can decide if direct
peering with that ASN instead of paying transit to reach it makes sense or
not.

So if for instance the Ops of ASN xxxx contact us to ask for peering on a
public exchange, we look it up in our stats and if we see that the average
traffic with ASN xxxx is 75 MBIT/s, we will probably peer. Right now I can
only guess how much we exchange, so I need a more accurate solution and I
was hoping that netflow is the key.

-
Andy

-----Original Message-----
From: Andreas Bourges [mailto:andy-lists at bourges.de] 
Sent: 15 March 2009 17:18
To: cisco-nsp at puck.nether.net
Cc: Andy BIERLAIR
Subject: Re: [c-nsp] Netflow on SUP720-3BXL

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,


On Sunday 15 March 2009 15:45:30 Andy BIERLAIR wrote:
> I'm trying to run netflow on one of our Cisco core routers (SUP720-3BXL
> with SXF15a), but I think I am hitting some limitations because of this:

>   mls aging fast time 5 threshold 32
>   mls aging long 300
>   mls aging normal 60

> Then I have this enabled on all border interfaces/vlans (peering / transit
> / other core routers) that are of interest for my stats:
>
>   ip route-cache flow

This command only affects packets processed by the MSFC - so at least with
your IOS it doesn't matter if you configured it on all interfaces or only on
some. Once MLS NDE is activated, it exports all observed flows regardless of
the "ip route cache flow" command...

You could upgrade to an IOS >= SXH, which lets you enable mls nde on a per 
interface basis - this would (depending on your setup) reduce the amount of 
created flow entries (I suspect...).

> I have heard that more aggressive aging might help, but I expect the
> router's traffic and pps to increase dramatically, so I'll be hitting the
> roof over and over again.
>
> I wouldn't mind analyzing only every 10th or 100th flow (sampling), which
> seems to be a common practice, but will it help?

This won't help on 65K/76K, since they only support "flow-sampling" - which 
means all flows are created in the tcam but not all of them are exported to 
the collector (to reduce export load and collector load).

> What is the common netflow setup without additional DFCs for a busy
> router?

Since you are already equipped with Sup720-3BXL the one thing that can help is
to set the mls aging timers more aggressively, I suppose.
If (and I'm not sure about that) per-interface mls nde reduces the created
flows in the tcam, an upgrade to SXH could help, too...
Another thing would be to set the flow-mask to something different than "full"
- which gives you less information but produces fewer flows, too. Depends on
your needs.

Regards,

Andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm9KksACgkQRrny/uOBVy490wCgiEtIs6b2GDeQiWwxOgp4Pnxg
xi0AmwRN26/oeMbBhCMFFninhmtjW4si
=ERFo
-----END PGP SIGNATURE-----
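The goal stated at the top of the thread (how much traffic we exchange with a given ASN, to decide whether to peer) is a collector-side question once NDE exports are flowing. The following is an added example, not code from the thread or from Cisco: it parses NetFlow version 5 datagrams (the export format a Sup720 produces with `ip flow-export version 5 peer-as`), scales sampled exports back up using the sampling interval carried in the v5 header, and sums octets per remote ASN into an average Mbit/s figure. `LOCAL_AS`, `SAMPLE_ASN`, the 300-second interval and the datagrams themselves are assumed/constructed values for illustration.

```python
"""Aggregate NetFlow v5 exports per remote ASN to estimate traffic with a peer candidate.

Added example (not from the mailing-list thread). Assumes the router exports
NetFlow version 5 with peer-as accounting and that LOCAL_AS is our own ASN;
the datagrams at the bottom are constructed, not captured from a router.
"""
import struct
from collections import defaultdict

LOCAL_AS = 64496      # our own ASN (documentation-range value, assumed)
SAMPLE_ASN = 64500    # the peer candidate ("ASN xxxx" in the thread), assumed
SAMPLE_INTERVAL_SECONDS = 300

V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes


def parse_v5(datagram):
    """Return (sampling_rate, [record dicts]) for one NetFlow v5 UDP payload."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: %d records announced" % count)
    # Low 14 bits of the sampling field hold the 1-in-N interval; 0 means unsampled.
    rate = (sampling & 0x3FFF) or 1
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": f[0], "dst": f[1], "packets": f[5], "octets": f[6],
                        "src_as": f[15], "dst_as": f[16]})
    return rate, records


def octets_per_asn(datagrams):
    """Sum octets per remote ASN: 'in' from src_as, 'out' toward dst_as."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for dg in datagrams:
        rate, records = parse_v5(dg)
        for r in records:
            octets = r["octets"] * rate   # scale sampled exports back up
            for asn, direction in ((r["dst_as"], "out"), (r["src_as"], "in")):
                # AS 0 = router had no BGP AS for that prefix; skip it and ourselves.
                if asn not in (0, LOCAL_AS):
                    totals[asn][direction] += octets
    return totals


def average_mbps(octets, seconds):
    """Average rate in Mbit/s over the collection interval."""
    return octets * 8 / seconds / 1_000_000


def build_v5_datagram(flows, sampling_interval=0):
    """Construct a v5 datagram from (src_as, dst_as, octets) tuples (test input only)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(b"\x0a\x00\x00\x01", b"\xc0\x00\x02\x01", b"\x00\x00\x00\x00",
                       1, 2, octets // 1000 or 1, octets, 0, 0, 443, 51000,
                       0, 0x18, 6, 0, src_as, dst_as, 24, 24, 0)
        for src_as, dst_as, octets in flows)
    return header + body


# Constructed sample: three unsampled flows, then one flow from a 1-in-10 sampled export.
SAMPLE_DATAGRAMS = [
    build_v5_datagram([(LOCAL_AS, SAMPLE_ASN, 1_500_000_000),
                       (SAMPLE_ASN, LOCAL_AS, 750_000_000),
                       (64501, SAMPLE_ASN, 150_000_000)]),
    build_v5_datagram([(SAMPLE_ASN, 64501, 600_000_000)], sampling_interval=10),
]


def report(datagrams=SAMPLE_DATAGRAMS, seconds=SAMPLE_INTERVAL_SECONDS):
    """(asn, in_mbps, out_mbps) rows sorted by total traffic, for the peering decision."""
    rows = [(asn, round(average_mbps(t["in"], seconds), 1),
             round(average_mbps(t["out"], seconds), 1))
            for asn, t in octets_per_asn(datagrams).items()]
    rows.sort(key=lambda r: -(r[1] + r[2]))
    return rows


if __name__ == "__main__":
    for asn, mbps_in, mbps_out in report():
        print("AS%-6d in %7.1f Mbit/s  out %7.1f Mbit/s" % (asn, mbps_in, mbps_out))
```

In a real deployment the datagrams come from a UDP socket bound to the `ip flow-export destination` address, and the interval is the span between the first and last export seen; the scaling step only applies to exports the header marks as sampled, so unsampled NDE from a box like the one in the thread passes through unchanged.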