[c-nsp] 6k Netflow To Be or Not To Be...

Peter Rathlev peter at rathlev.dk
Tue Nov 15 02:42:42 EST 2011


On Tue, 2011-11-15 at 03:25 +0000, Dobbins, Roland wrote:
> On Nov 15, 2011, at 5:57 AM, Nick Hilliard wrote:
> > pfc3 netflow is fine if you need to measure traffic ratios or
> > protocol spread. 
> 
> Actually, in any kind of diverse source/dest/layer-4 environment, it
> isn't, due to non-deterministic statistical skewing due to mls table
> overflow.

The limitations of Sup720 netflow are vast and irritating, and one of
course needs to be aware of overflow. Fortunately the box actually logs
messages when that happens.

But the OP's question was: Why turn it on at all? I'd still say it's
better than nothing. At least in an enterprise environment such as ours,
even if the tables do overflow once in a while.

Sup720 Netflow is useless for billing of course. But it's fine as an
extra tool in troubleshooting or as a warning tool for when someone is
doing unexpected things.

-- 
Peter



