[c-nsp] Flow tools

Dobbins, Roland rdobbins at arbor.net
Wed Jan 18 08:10:32 EST 2012


On Jan 18, 2012, at 7:56 AM, Jon Lewis wrote:

>  Sampled netflow is certainly more operationally useful than no netflow.

Concur, and this is what the majority of network operators use.

Unfortunately, pre-Sup2T 6500s can't really do sampled NetFlow.  Instead, in any kind of environment with flow key diversity (e.g., the Internet), they often end up with flow table insertion errors due to the lack of packet-sampled control of flow creation (i.e., what we commonly refer to as 'sampled NetFlow'), and so the stats are non-deterministically skewed, in addition to the lack of TCP flags and lack of stats on dropped traffic.

The type of sampling that pre-Sup2T 6500s perform is actually flow telemetry export sampling, which is essentially taking flow telemetry which may well already be skewed due to the aforementioned table insertion errors, and then making it even less accurate due to sampling, heh.

One can check one's 6500s in order to see if table insertion errors are occurring, and I recommend doing so for anyone who's running pre-Sup2T 6500s.  The Sup2T and matching DFC4s (as well as CFC cards) provide robust, operationally-useful NetFlow, and also bring welcome improvements in ACLs and uRPF, as well - a highly-recommended upgrade, whenever feasible.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde
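The three behaviours Roland contrasts above (every packet trying to create a flow in a fixed-size table that overflows, export sampling applied to that already-skewed table, and packet-sampled flow creation) as an added toy simulation. This is not code from the original post and has nothing to do with Cisco's implementation; the table size, the 1:64 rate, the traffic mix and the absence of flow aging are all assumptions chosen to make the skew visible.

```python
"""Toy model of why packet-sampled flow creation beats export sampling on a
fixed-size flow table.  Constructed example; the traffic mix, table size and
sampling rate are assumptions, not measurements from any real router."""
from collections import OrderedDict

TABLE_SIZE = 4096      # assumed flow-table capacity; no aging in this model
SAMPLE_RATE = 64       # assumed 1:64 deterministic (every Nth packet) sampling


def constructed_traffic():
    """Packet stream as a list of flow keys (constructed, not captured).

    Phase 1: heavy flow A (1000 pkts) interleaved with 6000 single-packet
             scan flows, one A packet in every 7.
    Phase 2: heavy flow B (2000 pkts) starts only after the scan burst,
             interleaved with 5000 more scan flows, two B packets in every 7.
    The period 7 is coprime with SAMPLE_RATE so systematic sampling cannot
    alias against the interleave.
    """
    pkts = []
    scan = 0
    for _ in range(1000):
        for slot in range(7):
            if slot == 1:
                pkts.append("A")
            else:
                pkts.append(f"scan-{scan}")
                scan += 1
    for _ in range(1000):
        for slot in range(7):
            if slot in (1, 3):
                pkts.append("B")
            else:
                pkts.append(f"scan-{scan}")
                scan += 1
    return pkts


def flow_table(packets, packet_sample=1):
    """Fill a fixed-size flow table from a packet stream.

    packet_sample=1 models unsampled flow creation: every packet tries to
    create a flow, and once the table is full any new flow is dropped on the
    floor (an insertion error) while existing flows keep updating.
    packet_sample=N models packet-sampled NetFlow: only every Nth packet
    reaches the table, so table pressure falls by roughly N.
    Returns (table in insertion order, number of insertion failures).
    """
    table = OrderedDict()
    failures = 0
    for i, key in enumerate(packets):
        if i % packet_sample:
            continue                      # packet not sampled
        if key in table:
            table[key] += 1               # update always succeeds
        elif len(table) < TABLE_SIZE:
            table[key] = 1                # new flow fits
        else:
            failures += 1                 # table full: flow never seen
    return table, failures


def export_sample(table, rate=SAMPLE_RATE):
    """Flow-record export sampling: keep 1 record in `rate`, scale it up."""
    return {k: v * rate for i, (k, v) in enumerate(table.items()) if i % rate == 0}


def compare():
    """Per-method packet counts for the two heavy flows, plus table stats."""
    pkts = constructed_traffic()
    full, fails = flow_table(pkts)
    exported = export_sample(full)
    sampled, sfails = flow_table(pkts, SAMPLE_RATE)
    est = {k: v * SAMPLE_RATE for k, v in sampled.items()}
    return {
        "true": {"A": pkts.count("A"), "B": pkts.count("B")},
        "unsampled": {"A": full.get("A", 0), "B": full.get("B", 0),
                      "entries": len(full), "insertion_failures": fails},
        "export_sampled": {"A": exported.get("A", 0), "B": exported.get("B", 0),
                           "records": len(exported)},
        "packet_sampled": {"A": est.get("A", 0), "B": est.get("B", 0),
                           "entries": len(sampled), "insertion_failures": sfails},
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:15s} {row}")
```

In the unsampled run the table fills with whichever keys arrive first, so flow B, which starts after the scan burst, is never counted at all; export-sampling that table then throws away 63 of every 64 surviving records, so even flow A disappears. With packet-sampled creation the table stays far below capacity, no insertion fails, and both heavy flows are estimated to within a few percent, which is the point of controlling flow creation rather than export.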



