[c-nsp] 6500 real world (sampled) netflow

Jon Lewis jlewis at lewis.org
Mon Sep 2 17:34:21 EDT 2013


On Sun, 1 Sep 2013, Dobbins, Roland wrote:

> On Sep 1, 2013, at 7:57 AM, Randy wrote:
>
>> It would only be used for detecting inbound UDP floods and other high 
>> PPS anomalies so there is no need for full flows or even much detail, 
>> just ip src/dst.
>
> It's useless for this or any other application because of the 
> limitations of the EARL7.  NetFlow isn't useful on 6500s until you get 
> to Sup2T/DFC4.

Having used it exactly for that, I disagree and am curious why you say 
it's useless.  It can be hard to quantify exactly what the numbers mean 
(translating sampled flow data to mbit/s), but it can certainly tell you 
which IP or IPs are the source or destination of unusual traffic volumes, 
which is the first step in mitigating inbound or outbound DoS traffic.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
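
An added example, not part of the original message or thread: one way to do the top-talker triage described above, summing sampled flow records per destination and scaling by the sampling rate. The record layout, the 1-in-1000 sampling rate, the 60-second window, the outlier factor and all addresses are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

SAMPLING_RATE = 1000  # assumed 1-in-N packet sampling; use the exporter's configured value
WINDOW_SECONDS = 60   # assumed length of the collection window

# Constructed records: (src_ip, dst_ip, ip_protocol, sampled_packets, sampled_bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", 17, 300, 300 * 1400),
    ("198.51.100.8", "192.0.2.10", 17, 300, 300 * 1400),
    ("203.0.113.5", "192.0.2.10", 17, 600, 600 * 1400),
    ("203.0.113.9", "192.0.2.20", 17, 6, 6 * 200),
    ("203.0.113.9", "192.0.2.30", 17, 3, 3 * 200),
    ("203.0.113.50", "192.0.2.20", 6, 900, 900 * 1500),  # TCP, excluded below
]


def top_destinations(flows, protocol=17, rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Sum sampled counters per destination and scale them to rough pps and Mbit/s.

    The scaled figures are estimates; the ranking matters more than the values."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for src, dst, proto, packets, octets in flows:
        if proto != protocol:
            continue
        entry = totals[dst]
        entry["packets"] += packets
        entry["bytes"] += octets
        entry["sources"].add(src)
    rows = [
        {
            "dst": dst,
            "est_pps": e["packets"] * rate / window,
            "est_mbps": e["bytes"] * 8 * rate / window / 1e6,
            "sources": len(e["sources"]),
        }
        for dst, e in totals.items()
    ]
    return sorted(rows, key=lambda r: r["est_pps"], reverse=True)


def flag_outliers(rows, factor=10.0):
    """Return destinations whose estimated pps exceeds factor x the median."""
    if not rows:
        return []
    baseline = median(r["est_pps"] for r in rows)
    return [r["dst"] for r in rows if baseline > 0 and r["est_pps"] > factor * baseline]


if __name__ == "__main__":
    print("investigate:", flag_outliers(top_destinations(SAMPLE_FLOWS)))
```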

