[c-nsp] 6500 real world (sampled) netflow
Dobbins, Roland
rdobbins at arbor.net
Sun Sep 1 06:08:51 EDT 2013
On Sep 1, 2013, at 7:57 AM, Randy wrote:
> It would only be used for detecting inbound UDP floods and other high PPS anomalies so there is no need for full flows or even much details, just ip src/dst.
It's useless for this or any other application because of the limitations of the EARL7. NetFlow isn't useful on 6500s until you get to Sup2T/DFC4.
Also, there's no such thing as packet-sampled control of flow creation - i.e., 'sampled NetFlow' - on pre-Sup2T/DFC4 6500s. There's output flow sampling, which simply serves to make the non-determinisically-skewed, completely unreliable statistics even worse.
Don't waste your time. Upgrade, or use probes on taps until you can upgrade.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror.
-- Oscar Wilde
More information about the cisco-nsp
mailing list