I am not sure if I can upgrade this box to SXH. It would help, since a lot of interfaces on that box are for customers who don't need the flow counting. This is a critical environment and I cannot afford the downtime and possible side effects with a new IOS I haven't tested so far.
The mission I would like to achieve is not accounting for customers (would be nice to have though), but more an analysis tool that shows me how much traffic I am exchanging with a certain ASN, so that we can decide if direct peering with that ASN instead of paying transit to reach it makes sense or not. So if for instance the Ops of ASN xxxx contact us to ask for peering on a public exchange, we look it up in our stats and if we see that the average traffic with ASN xxxx is 75 MBIT/s, we will probably peer. Right now I can only guess how much we exchange, so I need a more accurate solution and I was hoping that netflow is the key.

- Andy

-----Original Message-----
From: Andreas Bourges [mailto:andy-li...@bourges.de]
Sent: 15 March 2009 17:18
To: cisco-nsp@puck.nether.net
Cc: Andy BIERLAIR
Subject: Re: [c-nsp] Netflow on SUP720-3BXL

Hi,

On Sunday 15 March 2009 15:45:30 Andy BIERLAIR wrote:
> I'm trying to run netflow on one of our Cisco core routers (SUP720-3BXL
> with SXF15a), but I think I am hitting some limitations because of this:
> mls aging fast time 5 threshold 32
> mls aging long 300
> mls aging normal 60
> Then I have this enabled on all border interfaces/vlans (peering / transit
> / other core routers) that are of interest for my stats:
>
> ip route-cache flow

This command only affects packets processed by the MSFC - so at least with your IOS it doesn't matter if you configured it on all interfaces or only on some. Once MLS NDE is activated, it exports all observed flows regardless of the "ip route cache flow" command...

You could upgrade to an IOS >= SXH, which lets you enable mls nde on a per interface basis - this would (depending on your setup) reduce the amount of created flow entries (I suspect...).

> I have heard that more aggressive aging might help, but I expect the
> router's traffic and pps to increase dramatically, so I'll be hitting the
> roof over and over again.
>
> I wouldn't mind analyzing only every 10th or 100th flow (sampling), which
> seems to be a common practice, but will it help?

This won't help on 65K/76K, since they only support "flow-sampling" - which means all flows are created in the tcam but not all of them are exported to the collector (to reduce export load and collector load).

> What is the common netflow setup without additional DFCs for a busy router?

Since you are already equipped with Sup720-3BXL the one thing that can help is to set the mls aging timers more aggressively, I suppose. If (and I'm not sure about that) per-interface mls nde reduces the created flows in the tcam, an upgrade to SXH could help, too...

Another thing would be to set the flow-mask to something different than "full" - which gives you less information but produces less flows, too. Depends on your needs.

Regards,

Andy

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
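The thread asks for per-ASN traffic figures to support peering decisions, and Andreas notes that a 65K/76K can only export a sample of its flows, so the collector has to scale the exported byte counts back up. The following is an added example, not code from either poster: a minimal NetFlow v5 collector-side parser that reads the fixed 24-byte header and 48-byte records, multiplies octets by the sampling interval carried in the header (low 14 bits of the last header field; 0 means unsampled), attributes each flow to the remote ASN using a configured set of local ASNs, and turns the total into an average Mbit/s over a measurement window. The sample datagrams, the local ASN 64496 and the remote ASNs 64500/64501 are constructed here from the documentation range; a short datagram is rejected rather than silently truncated.

```python
import struct
from collections import defaultdict

# NetFlow v5 wire layouts (big-endian): 24-byte header, 48-byte flow record.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(packet):
    """Return (sampling_rate, records) for one NetFlow v5 export datagram."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, _up, _secs, _nsecs, _seq, _etype, _eid, sampling = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(packet) < needed:
        raise ValueError(f"datagram truncated: {len(packet)} bytes, header claims {needed}")
    rate = sampling & 0x3FFF          # low 14 bits = sampling interval, 0 = unsampled
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        # field 6 = dOctets, field 15 = src_as, field 16 = dst_as
        records.append({"octets": f[6], "src_as": f[15], "dst_as": f[16]})
    return rate, records

def aggregate_by_asn(packets, local_asns):
    """Bytes exchanged per remote ASN, scaled by the exporter's sampling rate."""
    totals = defaultdict(int)
    for pkt in packets:
        rate, recs = parse_v5(pkt)
        scale = rate if rate else 1
        for r in recs:
            # Flow leaving our network: remote side is dst_as; otherwise src_as.
            remote = r["dst_as"] if r["src_as"] in local_asns else r["src_as"]
            totals[remote] += r["octets"] * scale
    return dict(totals)

def average_mbps(octets, window_seconds):
    """Average rate over the measurement window, in Mbit/s."""
    return octets * 8 / window_seconds / 1_000_000

def build_v5(flows, sampling_rate=0):
    """Constructed test datagram: flows are (src_as, dst_as, packets, octets)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, sampling_rate)
    body = b"".join(
        V5_RECORD.pack(bytes(4), bytes(4), bytes(4), 1, 2, pkts, octets,
                       0, 0, 0, 0, 0, 0, 6, 0, src_as, dst_as, 24, 24, 0)
        for src_as, dst_as, pkts, octets in flows)
    return header + body

# Constructed sample: ASNs from the documentation range, 1:100 sampling on the first export.
LOCAL_ASNS = {64496}
SAMPLE_PACKETS = [
    build_v5([(64496, 64500, 10, 1500), (64500, 64496, 20, 30000), (64496, 64501, 5, 600)],
             sampling_rate=100),
    build_v5([(64501, 64496, 1, 100)]),
]

if __name__ == "__main__":
    totals = aggregate_by_asn(SAMPLE_PACKETS, LOCAL_ASNS)
    for asn, octets in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"AS{asn}: {average_mbps(octets, 60):.3f} Mbit/s over a 60 s window")
```

For a real collector the 60-second window would be the span between the first and last export timestamps seen, and the byte counts from a router doing flow-sampling are only statistically accurate, so the peering decision should rest on averages over days, not on a single export.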