[c-nsp] Flow tools

Peter Rathlev peter at rathlev.dk
Wed Jan 18 08:11:58 EST 2012


On Wed, 2012-01-18 at 07:56 -0500, Jon Lewis wrote:
> On Wed, 18 Jan 2012, Dobbins, Roland wrote:
> > On Jan 17, 2012, at 11:23 PM, John Brown wrote:
> > > 6506-E Sup720-3BXL.
> >
> > The NetFlow you get from this box won't be operationally useful -
> > many caveats.  Strongly suggest a move to Sup2T and DFC4 (where
> > applicable), if you want good NetFlow from 6500s.
> 
> That really depends on his definition of "operationally useful".  At
> the traffic levels he mentioned, he'll likely have to do sampled
> netflow, but even that is useful for getting an idea of what's going
> on, identifying D?DoS targets/sources, verifying abusive traffic, etc.
> Sampled netflow is certainly more operationally useful than no
> netflow.

If the Sup720 can do Netflow sampling (I don't know if it does) it will
probably not be hardware based. So you still overflow the Netflow TCAM,
and then the sampling is done afterwards.

For DDoS identification the overflows aren't really a big problem IMO.
It's probably random-ish what is dropped, so you can still easily
identify who makes most noise.

It works fine for us in an enterprise environment. The few places where
we have Internet traffic running through a Sup720 is overflows now and
then. Useless for billing, but still better than having no Netflow at
all -- on that we can agree.

The Sup2T is practically the same price as the Sup720-10G, so there are
few reasons not to buy it for new deployments.

-- 
Peter




More information about the cisco-nsp mailing list