[c-nsp] 6500 real world (sampled) netflow

Peter Rathlev peter at rathlev.dk
Mon Sep 2 16:41:19 EDT 2013


On Sun, 2013-09-01 at 10:08 +0000, Dobbins, Roland wrote:
> On Sep 1, 2013, at 7:57 AM, Randy wrote:
> > It would only be used for detecting inbound UDP floods and other
> > high PPS anomalies so there is no need for full flows or even much
> > details, just ip src/dst. 
> 
> It's useless for this or any other application because of the
> limitations of the EARL7.  NetFlow isn't useful on 6500s until you get
> to Sup2T/DFC4.

Though Sup720 Netflow has many limitations, the OP's use case is one
that it can actually help with. If the records are not used for anything
else then table overflow is irrelevant. And even when dropping lots of
flows it can still help warning about floods.

I know this from experience, it has helped us many times. Saying EARL7
Netflow is useless is simply not true.

-- 
Peter




More information about the cisco-nsp mailing list