Monty,
I don't want to be the one that crushes your hopes of analyzing that
10gig of traffic through the 6509, so I won't.

What I will do is pass along some OIDs to poll that will show you the
TCAM table utilization and how many flow "misses" you are experiencing
because the SUP720 is horribly undersized.

Active flows
.1.3.6.1.4.1.9.9.97.1.4.1.1.5

Flow Learn Failures
.1.3.6.1.4.1.9.9.97.1.4.1.1.6

Total Packets being L3 switched by box
.1.3.6.1.4.1.9.9.97.1.4.1.1.1

Like I said before about sampling... turn it off.  It does nothing for
you and doesn't help the situation.  Heck, turn it off and watch the
CPU... I suspect you won't see much of a change at all.

This type of netflow "sampling" is NOTHING like sampling on an actual
Cisco router.


Please start graphing the above SNMP OIDs before trying anything.  That
will tell you some valuable information.



Monty Ree wrote:
> Thanks for your answer.
> 
> I would like to capture all flows as you said. But the traffic is over
> 10Gbps, so I should use sampling to reduce 6509 CPU load.
> 
> And GigabitEthernet9/1 (in the config below) is the serial interface
> connected to the ISP backbone, and all outbound traffic is transferred
> through this interface.
> The internal servers are divided among several VLANs.
> So should I execute the "ip route cache-flow" command on all VLANs to
> capture inbound and outbound packets?
> 
> 
> Thanks again for your time..
> 
> 
>> From: Andrew Mabe <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]
>> Subject: Re: [Flow-tools] netflow on 6509 sup720?
>> Date: Thu, 5 Apr 2007 21:42:19 -0400
>>
>>
>>
>> I would highly recommend turning off sampling.  It does you no 
>> service on a 6509 because the "samples" are pulled out of the netflow 
>> TCAM.  The TCAM is severely limited depending on which version of 720
>> you have (max in the table on a BXL is 256K with a 90% hash 
>> efficiency).  When sampling is turned on it samples OUT of the table 
>> and not INTO the table.  Therefore sampling does nothing other than 
>> not report all traffic and reduce the load on your netflow collector.
>>
>> mls netflow captures all traffic that is hardware switched, so to make
>> sure you catch anything that is CPU routed, turn on "ip route-cache
>> flow" on all possible interfaces that flows may be coming inbound.
>>
>>
>>
>> On Apr 5, 2007, at 9:20 PM, Monty Ree wrote:
>>
>>> Hello, all.
>>>
>>> I have operated several servers. But after I set up flow-tools,
>>> I find that only inbound traffic is seen.
>>> (All requests are seen, but I can't find any reply packets.)
>>>
>>> My config is below.
>>>
>>> -. cisco 6509 sup720 native ios
>>> mls ip multicast flow-stat-timer 9
>>> mls aging long 64
>>> mls aging normal 60
>>> mls flow ip full
>>> no mls flow ipv6
>>> mls nde sender version 5
>>> mls sampling time-based 1024
>>> mls cef error action freeze
>>>
>>> interface GigabitEthernet9/1
>>> ip address 1.1.1.1 255.255.255.252
>>> no ip redirects
>>> no ip unreachables
>>> no ip proxy-arp
>>> ip route-cache flow
>>> mls netflow sampling
>>>
>>> ip flow-export version 5 peer-as
>>> ip flow-export destination 2.2.2.2 2055
>>>
>>>
>>> What's the matter and how can I solve this problem???
>>>
>>> Thanks for your time..
>>>
>>> _______________________________________________
>>> Flow-tools mailing list
>>> [EMAIL PROTECTED]
>>> http://mailman.splintered.net/mailman/listinfo/flow-tools
>>
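Added example, not part of the original thread: one way to turn two polls of the three OIDs listed above into the numbers worth graphing (flow table utilization, flow learn failures per second, L3 packets per second). It assumes Net-SNMP `snmpwalk -On` style output, a single-integer row index, 32-bit wrapping counters for the failure and packet columns, and the 256K / 90% capacity figure from the quoted reply; the sample polls are constructed.

```python
import re

# Column OIDs as given in the message; the labels are the message's descriptions.
COLUMNS = {
    ".1.3.6.1.4.1.9.9.97.1.4.1.1.5": "active_flows",
    ".1.3.6.1.4.1.9.9.97.1.4.1.1.6": "learn_failures",
    ".1.3.6.1.4.1.9.9.97.1.4.1.1.1": "l3_packets",
}
# From the quoted reply: 256K entries on a BXL at about 90% hash efficiency.
USABLE_ENTRIES = int(256 * 1024 * 0.90)
# "<column oid>.<row index> = <Type>: <value>" (assumed snmpwalk -On format)
LINE = re.compile(r"^(\.[\d.]+)\.(\d+) = \w+: (\d+)$")

def parse_walk(text):
    """Return {row_index: {name: value}} for the three columns of interest."""
    rows = {}
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1) in COLUMNS:
            rows.setdefault(m.group(2), {})[COLUMNS[m.group(1)]] = int(m.group(3))
    return rows

def counter_delta(new, old, bits=32):
    """Difference of a wrapping counter (assumed 32-bit; pass bits=64 if not)."""
    return (new - old) % (1 << bits)

def summarize(prev, curr, interval_s):
    """Per-row utilization and per-second rates between two polls."""
    report = {}
    for idx, now in curr.items():
        old = prev[idx]
        report[idx] = {
            "table_utilization": now["active_flows"] / USABLE_ENTRIES,
            "learn_failures_per_s":
                counter_delta(now["learn_failures"], old["learn_failures"]) / interval_s,
            "l3_packets_per_s":
                counter_delta(now["l3_packets"], old["l3_packets"]) / interval_s,
        }
    return report

# Constructed sample polls taken 300 s apart (not from a real switch).
POLL_1 = """
.1.3.6.1.4.1.9.9.97.1.4.1.1.5.1 = Gauge32: 201000
.1.3.6.1.4.1.9.9.97.1.4.1.1.6.1 = Counter32: 4294967000
.1.3.6.1.4.1.9.9.97.1.4.1.1.1.1 = Counter32: 1000000
"""
POLL_2 = """
.1.3.6.1.4.1.9.9.97.1.4.1.1.5.1 = Gauge32: 230000
.1.3.6.1.4.1.9.9.97.1.4.1.1.6.1 = Counter32: 2704
.1.3.6.1.4.1.9.9.97.1.4.1.1.1.1 = Counter32: 151000000
"""

if __name__ == "__main__":
    for idx, row in summarize(parse_walk(POLL_1), parse_walk(POLL_2), 300).items():
        print(idx, row)
```

A utilization close to 1.0 together with a non-zero learn failure rate means flows are being switched without ever entering the table, so they never reach the collector regardless of the sampling setting.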