Re: [c-nsp] IS-IS as PE-CE protocol
On 21/Mar/19 08:06, Victor Sudakov wrote: > Because the customer network is all IS-IS ? > What would be "not shooting myself in the foot" in this case? A protocol designed to speak between 2 different autonomous systems. If that is not an option, not using a routing protocol is also a good idea, i.e., static routing. You're not my immediate competitor, so I'll advise you not to run an IGP with a customer. Mark. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Cisco SD wan
Hi Team, Do we have discussion started for Cisco SD Wan. Specifically in vEdge and CEdge. Thanks, Kind Regards, Muthu. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IS-IS as PE-CE protocol
adamv0...@netconsultings.com wrote: > > > > OSPF as a PE-CE protocol has some useful features: the "DN bit" for loop > > prevention and sham links for route optimization. > > > > Does IS-IS have similar features? > > > It does if the PE end is L2 and CE end is L1, Sorry if I misunderstand, but all neighbors I see from the PEs are level L2. I don't know if the customer has L1 routers anywhere inside their network, maybe none at all. > but for the love of god why > would you want to shoot yourself in the foot? Because the customer network is all IS-IS ? What would be "not shooting myself in the foot" in this case? -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49@fidonet http://vas.tomsk.ru/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IS-IS as PE-CE protocol
> Victor Sudakov > Sent: Thursday, March 21, 2019 2:30 AM > > Dear Colleagues, > > OSPF as a PE-CE protocol has some useful features: the "DN bit" for loop > prevention and sham links for route optimization. > > Does IS-IS have similar features? > It does if the PE end is L2 and CE end is L1, but for the love of god why would you want to shoot yourself in the foot? adam ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] IS-IS as PE-CE protocol
Dear Colleagues, OSPF as a PE-CE protocol has some useful features: the "DN bit" for loop prevention and sham links for route optimization. Does IS-IS have similar features? -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49@fidonet http://vas.tomsk.ru/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] TCAM utilization on Nexus 9396
--- Begin Message --- Please check the config guide. I am not as familiar w/the 1st gen switches as 2nd gen, but there should be at least some level of reconfigurability of the regions in gen 1. So you may be able to size up the region you want by removing entries from some other region. Yes, region resizing requires a switch reboot. Tim -Original Message- From: Satish Patel Sent: Wednesday, March 20, 2019 12:12 PM To: Tim Stevenson (tstevens) Cc: Cisco Network Service Providers ; Nick Cutting Subject: Re: TCAM utilization on Nexus 9396 Thanks for clarification, i have noticed when i add 1 rules number bump +1 but i believe you can't go above 510 right? that is hard limit if i am not wrong. also changing in resource required reload. On Wed, Mar 20, 2019 at 2:07 PM Tim Stevenson (tstevens) wrote: > > Yes, ACL lines consume space in the TCAM. TCAM can be recarved according to > the features in use/required. > > As long as the policy fits in the available TCAM space for that feature > (software will complain and fail your config if it won't), enforcement is at > full rate, no performance penalty for that. > > Tim > > -Original Message- > From: Satish Patel > Sent: Wednesday, March 20, 2019 10:46 AM > To: Cisco Network Service Providers ; Nick Cutting > ; Tim Stevenson (tstevens) > Subject: TCAM utilization on Nexus 9396 > > Folks and ( Tim/Nick ) > > I have Cisco Nexus 9396 L3 switch and running bunch of ACL ( IPv4 > Access-list to block certain traffic ) today i was reading about TCAM > and when i look at switch i found following utilization, so trying to > understand how ACL relationship with TCAM. > > - Does number of ACL impact TCAM utilization or traffic ? > > > # show hardware access-list resource utilization > > slot 1 > === > > > > INSTANCE 0x0 > - > > > ACL Hardware Resource Utilization (Mod 1) > -- > UsedFreePercent > Utilization > --- > Ingress IPv4 PACL 3 509 0.59 > Ingress IPv4 Port QoS 4 252 1.56 > Ingress IPv4 VACL 2 510 0.39 > Ingress IPv4 RACL 226 286 44.14 > Egress IPv4 VACL3 509 0.59 > Egress IPv4 RACL3 253 1.17 > SUP COPP205 51 80.08 > SUP COPP Reason Code TCAM 6 122 4.69 > Redirect2 510 0.39 > SPAN21 235 8.20 > VPC Convergence 1 255 0.39 > > LOU 2 22 8.33 > Both LOU Operands 2 > Single LOU Operands 0 > LOU L4 src port:1 > LOU L4 dst port:1 > LOU L3 packet len: 0 > LOU IP tos: 0 > LOU IP dscp:0 > LOU ip precedence: 0 > LOU ip TTL: 0 > TCP Flags 0 16 0.00 > > Protocol CAM2 244 0.81 > Mac Etype/Proto CAM 0 14 0.00 > > L4 op labels, Tcam 00 10230.00 > L4 op labels, Tcam 21 62 1.58 > L4 op labels, Tcam 60 20470.00 > > Ingress Dest info table 0 512 0.00 > > Egress Dest info table 0 512 0.00 --- End Message --- ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] TCAM utilization on Nexus 9396
Thanks for clarification, i have noticed when i add 1 rules number bump +1 but i believe you can't go above 510 right? that is hard limit if i am not wrong. also changing in resource required reload. On Wed, Mar 20, 2019 at 2:07 PM Tim Stevenson (tstevens) wrote: > > Yes, ACL lines consume space in the TCAM. TCAM can be recarved according to > the features in use/required. > > As long as the policy fits in the available TCAM space for that feature > (software will complain and fail your config if it won't), enforcement is at > full rate, no performance penalty for that. > > Tim > > -Original Message- > From: Satish Patel > Sent: Wednesday, March 20, 2019 10:46 AM > To: Cisco Network Service Providers ; Nick Cutting > ; Tim Stevenson (tstevens) > Subject: TCAM utilization on Nexus 9396 > > Folks and ( Tim/Nick ) > > I have Cisco Nexus 9396 L3 switch and running bunch of ACL ( IPv4 > Access-list to block certain traffic ) today i was reading about TCAM > and when i look at switch i found following utilization, so trying to > understand how ACL relationship with TCAM. > > - Does number of ACL impact TCAM utilization or traffic ? > > > # show hardware access-list resource utilization > > slot 1 > === > > > > INSTANCE 0x0 > - > > > ACL Hardware Resource Utilization (Mod 1) > -- > UsedFreePercent > Utilization > --- > Ingress IPv4 PACL 3 509 0.59 > Ingress IPv4 Port QoS 4 252 1.56 > Ingress IPv4 VACL 2 510 0.39 > Ingress IPv4 RACL 226 286 44.14 > Egress IPv4 VACL3 509 0.59 > Egress IPv4 RACL3 253 1.17 > SUP COPP205 51 80.08 > SUP COPP Reason Code TCAM 6 122 4.69 > Redirect2 510 0.39 > SPAN21 235 8.20 > VPC Convergence 1 255 0.39 > > LOU 2 22 8.33 > Both LOU Operands 2 > Single LOU Operands 0 > LOU L4 src port:1 > LOU L4 dst port:1 > LOU L3 packet len: 0 > LOU IP tos: 0 > LOU IP dscp:0 > LOU ip precedence: 0 > LOU ip TTL: 0 > TCP Flags 0 16 0.00 > > Protocol CAM2 244 0.81 > Mac Etype/Proto CAM 0 14 0.00 > > L4 op labels, Tcam 00 10230.00 > L4 op labels, Tcam 21 62 1.58 > L4 op labels, Tcam 60 20470.00 > > Ingress Dest info table 0 512 0.00 > > Egress Dest info table 0 512 0.00 ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] TCAM utilization on Nexus 9396
--- Begin Message --- Yes, ACL lines consume space in the TCAM. TCAM can be recarved according to the features in use/required. As long as the policy fits in the available TCAM space for that feature (software will complain and fail your config if it won't), enforcement is at full rate, no performance penalty for that. Tim -Original Message- From: Satish Patel Sent: Wednesday, March 20, 2019 10:46 AM To: Cisco Network Service Providers ; Nick Cutting ; Tim Stevenson (tstevens) Subject: TCAM utilization on Nexus 9396 Folks and ( Tim/Nick ) I have Cisco Nexus 9396 L3 switch and running bunch of ACL ( IPv4 Access-list to block certain traffic ) today i was reading about TCAM and when i look at switch i found following utilization, so trying to understand how ACL relationship with TCAM. - Does number of ACL impact TCAM utilization or traffic ? # show hardware access-list resource utilization slot 1 === INSTANCE 0x0 - ACL Hardware Resource Utilization (Mod 1) -- UsedFreePercent Utilization --- Ingress IPv4 PACL 3 509 0.59 Ingress IPv4 Port QoS 4 252 1.56 Ingress IPv4 VACL 2 510 0.39 Ingress IPv4 RACL 226 286 44.14 Egress IPv4 VACL3 509 0.59 Egress IPv4 RACL3 253 1.17 SUP COPP205 51 80.08 SUP COPP Reason Code TCAM 6 122 4.69 Redirect2 510 0.39 SPAN21 235 8.20 VPC Convergence 1 255 0.39 LOU 2 22 8.33 Both LOU Operands 2 Single LOU Operands 0 LOU L4 src port:1 LOU L4 dst port:1 LOU L3 packet len: 0 LOU IP tos: 0 LOU IP dscp:0 LOU ip precedence: 0 LOU ip TTL: 0 TCP Flags 0 16 0.00 Protocol CAM2 244 0.81 Mac Etype/Proto CAM 0 14 0.00 L4 op labels, Tcam 00 10230.00 L4 op labels, Tcam 21 62 1.58 L4 op labels, Tcam 60 20470.00 Ingress Dest info table 0 512 0.00 Egress Dest info table 0 512 0.00 --- End Message --- ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] TCAM utilization on Nexus 9396
Folks and ( Tim/Nick ) I have Cisco Nexus 9396 L3 switch and running bunch of ACL ( IPv4 Access-list to block certain traffic ) today i was reading about TCAM and when i look at switch i found following utilization, so trying to understand how ACL relationship with TCAM. - Does number of ACL impact TCAM utilization or traffic ? # show hardware access-list resource utilization slot 1 === INSTANCE 0x0 - ACL Hardware Resource Utilization (Mod 1) -- UsedFreePercent Utilization --- Ingress IPv4 PACL 3 509 0.59 Ingress IPv4 Port QoS 4 252 1.56 Ingress IPv4 VACL 2 510 0.39 Ingress IPv4 RACL 226 286 44.14 Egress IPv4 VACL3 509 0.59 Egress IPv4 RACL3 253 1.17 SUP COPP205 51 80.08 SUP COPP Reason Code TCAM 6 122 4.69 Redirect2 510 0.39 SPAN21 235 8.20 VPC Convergence 1 255 0.39 LOU 2 22 8.33 Both LOU Operands 2 Single LOU Operands 0 LOU L4 src port:1 LOU L4 dst port:1 LOU L3 packet len: 0 LOU IP tos: 0 LOU IP dscp:0 LOU ip precedence: 0 LOU ip TTL: 0 TCP Flags 0 16 0.00 Protocol CAM2 244 0.81 Mac Etype/Proto CAM 0 14 0.00 L4 op labels, Tcam 00 10230.00 L4 op labels, Tcam 21 62 1.58 L4 op labels, Tcam 60 20470.00 Ingress Dest info table 0 512 0.00 Egress Dest info table 0 512 0.00 ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Nexus 9300 sflow performance
Thanks Nick & Tim,
This is awesome! i will get back to you after my deployment.
On Wed, Mar 20, 2019 at 1:34 PM Nick Cutting wrote:
>
> We use the below, and I measured the reported traffic a few times, sending
> exactly 1g / 10g files between a known source and destination; it was pretty
> accurate.
>
> You must use routed ports, SVI’s require netflow – which is not an option for
> you.
>
>
>
> feature sflow
>
> sflow counter-poll-interval 30
>
> sflow collector-ip 10.x.x.x vrf default source 10.x.x.x.x
>
> sflow collector-port 6344 (match the NFSEN listening port)
>
> sflow agent-ip x.x.x.x (this switch’s loopback match the source/vrf above)
>
> sflow data-source interface Ethernet1/51
>
> sflow data-source interface Ethernet1/52
>
>
>
> its Bi-directional so we only do north facing ports in leaf/spine
>
>
>
> then the matching entry on NFSEN’s conf file is:
>
>
>
> %sources = (
>
> ‘HOSTNAME’ => { 'port' => '6344', 'IP' => '10.x.x.x, 'col' =>
> '#ff', 'type' => 'sflow' }
>
> );
>
> From: Satish Patel
> Sent: Wednesday, March 20, 2019 1:23 PM
> To: Tim Stevenson (tstevens)
> Cc: Nick Cutting ; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Nexus 9300 sflow performance
>
>
>
> This message originated from outside your organization.
>
> Thanks Tim,
>
> Here is the output of show hardware rate-limiter. ( i believe it's 40k)
>
> This is my first time dealing with SFLOW, Can you share some
> configuration parameter i should use for best practice would be great,
> What is 1-in-N sample actually?
>
> I am planning to use mgmt0 interface for SFLOW and its 1G so i assume
> it will handle all the flow. do you seeing any concern there?
>
>
> # show hardware rate-limiter
>
> Units for Config: packets per second
> Allowed, Dropped & Total: aggregated since last clear counters
>
>
> Module: 1
> R-L Class Config Allowed Dropped Total
> +--++---+---+-+
> L3 glean 100 0 0 0
> L3 mcast loc-grp 3000 0 0 0
> access-list-log 100 0 0 0
> bfd 1 0 0 0
> exception 50 0 0 0
> fex 3000 0 0 0
> span 50 0 0 0
> dpss 6400 0 0 0
> sflow 4 25134089890 0 25134089890
>
> On Wed, Mar 20, 2019 at 12:07 PM Tim Stevenson (tstevens)
> wrote:
> >
> > Yes, this is 1st gen. The SFLOW/SPAN restriction should not apply there.
> >
> > Re: 60Gbps/24Mpps and SFLOW, SFLOW does not do aggregation of stats for
> > flows in the switch like netflow does - it's just 1-in-n packet sampling.
> > As such, the value of "n" should be high enough that both the switch & the
> > collector are not overburdened. Note that we will rate limit SFLOW copies
> > to the CPU so that's the first 'bottleneck'. If you end up tail-dropping
> > samples, the statistical validity of your sampled set goes out the window,
> > so you want to ensure that 1-in-n is a number that does not hit that rate
> > limiter.
> >
> > I don't have a 1st gen switch handy to see what the defaults are for that
> > value. It should show up in 'sh hardware rate-limiter'. In 9300-EX with
> > 9.2.2 it's 40Kpps.
> >
> > Beyond that, you also want to make sure the collector is able to consume
> > everything coming from all sflow enabled switches without dropping, for the
> > same reason mentioned above.
> >
> > Hope that helps,
> > Tim
> >
> >
> > -Original Message-
> > From: Satish Patel
> > Sent: Wednesday, March 20, 2019 8:40 AM
> > To: Nick Cutting
> > Cc: Tim Stevenson (tstevens) ; cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] Nexus 9300 sflow performance
> >
> > We have cisco Nexus9000 C9396PX
> >
> > 60 Gbs is data traffic, and 24Mpps ( packet per second ) not sure how
> > to convert it into flows. Could you please share your sflow
> > configuration if you don't mind?
> >
> > I had nfsen in past with 8CPU / 4GB memory but it was damn slow :(
> > but it could be me.. i will set up again and see if it worth it or
> > not.
> >
> > On Wed, Mar 20, 2019 at 11:34 AM Nick Cutting wrote:
> > >
> > > Good point. We waited for the second Gen
> > >
> > > Regarding 60 Gbs, isn’t that is the data traffic, not the flows or
> > > sampled flows levels?
> > >
> > > Our NFSEn box is centos
> > >
> > > 4 vCPU and 4 GBrams
> > >
> > > Collecting flows from maybe only 30 devices, about 20Gbs and 3k flows per
> > > sec.
> > >
> > > -Original Message-
> > > From: Tim Stevenson (tstevens)
> > > Sent: Wednesday, March 20, 2019 11:20 AM
> > > To: Nick Cutting ; Satish Patel
> > > ; cisco-nsp@puck.nether.net
> > > Subject: RE: [c-nsp] Nexus 9300 sflow performance
> > >
> > > This message originated from outside your organization.
> > >
> > > Make sure you distinguish between N9300 (1st generation) and
> > > N9300-EX/FX/FX2 (2nd generation). The SFLOW + SPAN limitation applies
> > > only to the latter. It's also on the latter that Netflow is supported,
> > > which can run concurrently with SPAN sessions.
> > >
> > > Tim
> > >
> > > -Original Message-
> > > From: cisco-nsp On Behalf Of
Re: [c-nsp] Nexus 9300 sflow performance
We use the below, and I measured the reported traffic a few times, sending
exactly 1g / 10g files between a known source and destination; it was pretty
accurate.
You must use routed ports, SVI’s require netflow – which is not an option for
you.
feature sflow
sflow counter-poll-interval 30
sflow collector-ip 10.x.x.x vrf default source 10.x.x.x.x
sflow collector-port 6344 (match the NFSEN listening port)
sflow agent-ip x.x.x.x (this switch’s loopback match the source/vrf above)
sflow data-source interface Ethernet1/51
sflow data-source interface Ethernet1/52
its Bi-directional so we only do north facing ports in leaf/spine
then the matching entry on NFSEN’s conf file is:
%sources = (
‘HOSTNAME’ => { 'port' => '6344', 'IP' => '10.x.x.x, 'col' => '#ff',
'type' => 'sflow' }
);
From: Satish Patel
Sent: Wednesday, March 20, 2019 1:23 PM
To: Tim Stevenson (tstevens)
Cc: Nick Cutting ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Nexus 9300 sflow performance
This message originated from outside your organization.
Thanks Tim,
Here is the output of show hardware rate-limiter. ( i believe it's 40k)
This is my first time dealing with SFLOW, Can you share some
configuration parameter i should use for best practice would be great,
What is 1-in-N sample actually?
I am planning to use mgmt0 interface for SFLOW and its 1G so i assume
it will handle all the flow. do you seeing any concern there?
# show hardware rate-limiter
Units for Config: packets per second
Allowed, Dropped & Total: aggregated since last clear counters
Module: 1
R-L Class Config Allowed Dropped Total
+--++---+---+-+
L3 glean 100 0 0 0
L3 mcast loc-grp 3000 0 0 0
access-list-log 100 0 0 0
bfd 1 0 0 0
exception 50 0 0 0
fex 3000 0 0 0
span 50 0 0 0
dpss 6400 0 0 0
sflow 4 25134089890 0 25134089890
On Wed, Mar 20, 2019 at 12:07 PM Tim Stevenson (tstevens)
mailto:tstev...@cisco.com>> wrote:
>
> Yes, this is 1st gen. The SFLOW/SPAN restriction should not apply there.
>
> Re: 60Gbps/24Mpps and SFLOW, SFLOW does not do aggregation of stats for flows
> in the switch like netflow does - it's just 1-in-n packet sampling. As such,
> the value of "n" should be high enough that both the switch & the collector
> are not overburdened. Note that we will rate limit SFLOW copies to the CPU so
> that's the first 'bottleneck'. If you end up tail-dropping samples, the
> statistical validity of your sampled set goes out the window, so you want to
> ensure that 1-in-n is a number that does not hit that rate limiter.
>
> I don't have a 1st gen switch handy to see what the defaults are for that
> value. It should show up in 'sh hardware rate-limiter'. In 9300-EX with 9.2.2
> it's 40Kpps.
>
> Beyond that, you also want to make sure the collector is able to consume
> everything coming from all sflow enabled switches without dropping, for the
> same reason mentioned above.
>
> Hope that helps,
> Tim
>
>
> -Original Message-
> From: Satish Patel mailto:satish@gmail.com>>
> Sent: Wednesday, March 20, 2019 8:40 AM
> To: Nick Cutting mailto:ncutt...@edgetg.com>>
> Cc: Tim Stevenson (tstevens) mailto:tstev...@cisco.com>>;
> cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Nexus 9300 sflow performance
>
> We have cisco Nexus9000 C9396PX
>
> 60 Gbs is data traffic, and 24Mpps ( packet per second ) not sure how
> to convert it into flows. Could you please share your sflow
> configuration if you don't mind?
>
> I had nfsen in past with 8CPU / 4GB memory but it was damn slow :(
> but it could be me.. i will set up again and see if it worth it or
> not.
>
> On Wed, Mar 20, 2019 at 11:34 AM Nick Cutting
> mailto:ncutt...@edgetg.com>> wrote:
> >
> > Good point. We waited for the second Gen
> >
> > Regarding 60 Gbs, isn’t that is the data traffic, not the flows or sampled
> > flows levels?
> >
> > Our NFSEn box is centos
> >
> > 4 vCPU and 4 GBrams
> >
> > Collecting flows from maybe only 30 devices, about 20Gbs and 3k flows per
> > sec.
> >
> > -Original Message-
> > From: Tim Stevenson (tstevens)
> > mailto:tstev...@cisco.com>>
> > Sent: Wednesday, March 20, 2019 11:20 AM
> > To: Nick Cutting mailto:ncutt...@edgetg.com>>; Satish
> > Patel mailto:satish@gmail.com>>;
> > cisco-nsp@puck.nether.net
> > Subject: RE: [c-nsp] Nexus 9300 sflow performance
> >
> > This message originated from outside your organization.
> >
> > Make sure you distinguish between N9300 (1st generation) and
> > N9300-EX/FX/FX2 (2nd generation). The SFLOW + SPAN limitation applies only
> > to the latter. It's also on the latter that Netflow is supported, which can
> > run concurrently with SPAN sessions.
> >
> > Tim
> >
> > -Original Message-
> > From: cisco-nsp
> > mailto:cisco-nsp-boun...@puck.nether.net>>
> > On Behalf Of Nick Cutting
> > Sent: Wednesday, March 20, 2019 6:19 AM
> > To: Satish Patel
Re: [c-nsp] Nexus 9300 sflow performance
--- Begin Message --- -Original Message- From: Satish Patel Sent: Wednesday, March 20, 2019 10:23 AM To: Tim Stevenson (tstevens) Cc: Nick Cutting ; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Nexus 9300 sflow performance Thanks Tim, Here is the output of show hardware rate-limiter. ( i believe it's 40k) >> Yes looks to be the same as on 9300-EX/FX/FX2. This is my first time dealing with SFLOW, Can you share some configuration parameter i should use for best practice would be great, What is 1-in-N sample actually? >> Sampling rate is controlled via config: tstevens-93180yc-ex-4(config)# sflow sampling-rate ? <4096-10> SFlow Sampling rate >> You need to calculate the PPS of the traffic on the source interfaces to >> determine the sampling rate that will keep the max number of samples to >> under 40K from all sources. I am planning to use mgmt0 interface for SFLOW and its 1G so i assume it will handle all the flow. do you seeing any concern there? >> With max of 40Kpps of sampling, it should be fine on 1G mgmt0. >> Tim # show hardware rate-limiter Units for Config: packets per second Allowed, Dropped & Total: aggregated since last clear counters Module: 1 R-L Class Config Allowed DroppedTotal +--++---+---+-+ L3 glean 100 0 0 0 L3 mcast loc-grp3000 0 0 0 access-list-log 100 0 0 0 bfd1 0 0 0 exception 50 0 0 0 fex 3000 0 0 0 span 50 0 0 0 dpss6400 0 0 0 sflow 4 25134089890 0 25134089890 On Wed, Mar 20, 2019 at 12:07 PM Tim Stevenson (tstevens) wrote: > > Yes, this is 1st gen. The SFLOW/SPAN restriction should not apply there. > > Re: 60Gbps/24Mpps and SFLOW, SFLOW does not do aggregation of stats for flows > in the switch like netflow does - it's just 1-in-n packet sampling. As such, > the value of "n" should be high enough that both the switch & the collector > are not overburdened. Note that we will rate limit SFLOW copies to the CPU so > that's the first 'bottleneck'. If you end up tail-dropping samples, the > statistical validity of your sampled set goes out the window, so you want to > ensure that 1-in-n is a number that does not hit that rate limiter. > > I don't have a 1st gen switch handy to see what the defaults are for that > value. It should show up in 'sh hardware rate-limiter'. In 9300-EX with 9.2.2 > it's 40Kpps. > > Beyond that, you also want to make sure the collector is able to consume > everything coming from all sflow enabled switches without dropping, for the > same reason mentioned above. > > Hope that helps, > Tim > > > -Original Message- > From: Satish Patel > Sent: Wednesday, March 20, 2019 8:40 AM > To: Nick Cutting > Cc: Tim Stevenson (tstevens) ; cisco-nsp@puck.nether.net > Subject: Re: [c-nsp] Nexus 9300 sflow performance > > We have cisco Nexus9000 C9396PX > > 60 Gbs is data traffic, and 24Mpps ( packet per second ) not sure how > to convert it into flows. Could you please share your sflow > configuration if you don't mind? > > I had nfsen in past with 8CPU / 4GB memory but it was damn slow :( > but it could be me.. i will set up again and see if it worth it or > not. > > On Wed, Mar 20, 2019 at 11:34 AM Nick Cutting wrote: > > > > Good point. We waited for the second Gen > > > > Regarding 60 Gbs, isn’t that is the data traffic, not the flows or sampled > > flows levels? > > > > Our NFSEn box is centos > > > > 4 vCPU and 4 GBrams > > > > Collecting flows from maybe only 30 devices, about 20Gbs and 3k flows per > > sec. > > > > -Original Message- > > From: Tim Stevenson (tstevens) > > Sent: Wednesday, March 20, 2019 11:20 AM > > To: Nick Cutting ; Satish Patel > > ; cisco-nsp@puck.nether.net > > Subject: RE: [c-nsp] Nexus 9300 sflow performance > > > > This message originated from outside your organization. > > > > Make sure you distinguish between N9300 (1st generation) and > > N9300-EX/FX/FX2 (2nd generation). The SFLOW + SPAN limitation applies only > > to the latter. It's also on the latter that Netflow is supported, which can > > run concurrently with SPAN sessions. > > > > Tim > > > > -Original Message- > > From: cisco-nsp On Behalf Of Nick > > Cutting > > Sent: Wednesday, March 20, 2019 6:19 AM > > To: Satish Patel ; cisco-nsp@puck.nether.net > > Subject: Re: [c-nsp] Nexus 9300 sflow performance > > > > We use sflow on 9300's, no performan
Re: [c-nsp] Nexus 9300 sflow performance
Thanks Tim, Here is the output of show hardware rate-limiter. ( i believe it's 40k) This is my first time dealing with SFLOW, Can you share some configuration parameter i should use for best practice would be great, What is 1-in-N sample actually? I am planning to use mgmt0 interface for SFLOW and its 1G so i assume it will handle all the flow. do you seeing any concern there? # show hardware rate-limiter Units for Config: packets per second Allowed, Dropped & Total: aggregated since last clear counters Module: 1 R-L Class Config Allowed DroppedTotal +--++---+---+-+ L3 glean 100 0 0 0 L3 mcast loc-grp3000 0 0 0 access-list-log 100 0 0 0 bfd1 0 0 0 exception 50 0 0 0 fex 3000 0 0 0 span 50 0 0 0 dpss6400 0 0 0 sflow 4 25134089890 0 25134089890 On Wed, Mar 20, 2019 at 12:07 PM Tim Stevenson (tstevens) wrote: > > Yes, this is 1st gen. The SFLOW/SPAN restriction should not apply there. > > Re: 60Gbps/24Mpps and SFLOW, SFLOW does not do aggregation of stats for flows > in the switch like netflow does - it's just 1-in-n packet sampling. As such, > the value of "n" should be high enough that both the switch & the collector > are not overburdened. Note that we will rate limit SFLOW copies to the CPU so > that's the first 'bottleneck'. If you end up tail-dropping samples, the > statistical validity of your sampled set goes out the window, so you want to > ensure that 1-in-n is a number that does not hit that rate limiter. > > I don't have a 1st gen switch handy to see what the defaults are for that > value. It should show up in 'sh hardware rate-limiter'. In 9300-EX with 9.2.2 > it's 40Kpps. > > Beyond that, you also want to make sure the collector is able to consume > everything coming from all sflow enabled switches without dropping, for the > same reason mentioned above. > > Hope that helps, > Tim > > > -Original Message- > From: Satish Patel > Sent: Wednesday, March 20, 2019 8:40 AM > To: Nick Cutting > Cc: Tim Stevenson (tstevens) ; cisco-nsp@puck.nether.net > Subject: Re: [c-nsp] Nexus 9300 sflow performance > > We have cisco Nexus9000 C9396PX > > 60 Gbs is data traffic, and 24Mpps ( packet per second ) not sure how > to convert it into flows. Could you please share your sflow > configuration if you don't mind? > > I had nfsen in past with 8CPU / 4GB memory but it was damn slow :( > but it could be me.. i will set up again and see if it worth it or > not. > > On Wed, Mar 20, 2019 at 11:34 AM Nick Cutting wrote: > > > > Good point. We waited for the second Gen > > > > Regarding 60 Gbs, isn’t that is the data traffic, not the flows or sampled > > flows levels? > > > > Our NFSEn box is centos > > > > 4 vCPU and 4 GBrams > > > > Collecting flows from maybe only 30 devices, about 20Gbs and 3k flows per > > sec. > > > > -Original Message- > > From: Tim Stevenson (tstevens) > > Sent: Wednesday, March 20, 2019 11:20 AM > > To: Nick Cutting ; Satish Patel > > ; cisco-nsp@puck.nether.net > > Subject: RE: [c-nsp] Nexus 9300 sflow performance > > > > This message originated from outside your organization. > > > > Make sure you distinguish between N9300 (1st generation) and > > N9300-EX/FX/FX2 (2nd generation). The SFLOW + SPAN limitation applies only > > to the latter. It's also on the latter that Netflow is supported, which can > > run concurrently with SPAN sessions. > > > > Tim > > > > -Original Message- > > From: cisco-nsp On Behalf Of Nick > > Cutting > > Sent: Wednesday, March 20, 2019 6:19 AM > > To: Satish Patel ; cisco-nsp@puck.nether.net > > Subject: Re: [c-nsp] Nexus 9300 sflow performance > > > > We use sflow on 9300's, no performance hit - but you cannot use span > > sessions at the same time. > > > > Newer code revisions support netflow, without the SPAN session limitation, > > although we have not tried netflow on the 9300 yet. > > > > For a collector We use NFSEN - opensource, and quite a big install base, > > and it seems to handle a lot of flows. > > > > It supports sflow and netflow as we have a mix, just make sure you add the > > sflow option at build time as it’s a bit funky old linux to add it after. > > > > > > > > -Original Message- > > From: cisco-nsp On Behalf Of Satish > > Patel > > Sent: Wednesday, March 20, 2019 8:21 AM > > To: cisco-nsp@puck.nether.net > > Subject: [c-nsp] Nexu
Re: [c-nsp] Nexus 9300 sflow performance
--- Begin Message --- Yes, this is 1st gen. The SFLOW/SPAN restriction should not apply there. Re: 60Gbps/24Mpps and SFLOW, SFLOW does not do aggregation of stats for flows in the switch like netflow does - it's just 1-in-n packet sampling. As such, the value of "n" should be high enough that both the switch & the collector are not overburdened. Note that we will rate limit SFLOW copies to the CPU so that's the first 'bottleneck'. If you end up tail-dropping samples, the statistical validity of your sampled set goes out the window, so you want to ensure that 1-in-n is a number that does not hit that rate limiter. I don't have a 1st gen switch handy to see what the defaults are for that value. It should show up in 'sh hardware rate-limiter'. In 9300-EX with 9.2.2 it's 40Kpps. Beyond that, you also want to make sure the collector is able to consume everything coming from all sflow enabled switches without dropping, for the same reason mentioned above. Hope that helps, Tim -Original Message- From: Satish Patel Sent: Wednesday, March 20, 2019 8:40 AM To: Nick Cutting Cc: Tim Stevenson (tstevens) ; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Nexus 9300 sflow performance We have cisco Nexus9000 C9396PX 60 Gbs is data traffic, and 24Mpps ( packet per second ) not sure how to convert it into flows. Could you please share your sflow configuration if you don't mind? I had nfsen in past with 8CPU / 4GB memory but it was damn slow :( but it could be me.. i will set up again and see if it worth it or not. On Wed, Mar 20, 2019 at 11:34 AM Nick Cutting wrote: > > Good point. We waited for the second Gen > > Regarding 60 Gbs, isn’t that is the data traffic, not the flows or sampled > flows levels? > > Our NFSEn box is centos > > 4 vCPU and 4 GBrams > > Collecting flows from maybe only 30 devices, about 20Gbs and 3k flows per sec. > > -Original Message- > From: Tim Stevenson (tstevens) > Sent: Wednesday, March 20, 2019 11:20 AM > To: Nick Cutting ; Satish Patel ; > cisco-nsp@puck.nether.net > Subject: RE: [c-nsp] Nexus 9300 sflow performance > > This message originated from outside your organization. > > Make sure you distinguish between N9300 (1st generation) and N9300-EX/FX/FX2 > (2nd generation). The SFLOW + SPAN limitation applies only to the latter. > It's also on the latter that Netflow is supported, which can run concurrently > with SPAN sessions. > > Tim > > -Original Message- > From: cisco-nsp On Behalf Of Nick Cutting > Sent: Wednesday, March 20, 2019 6:19 AM > To: Satish Patel ; cisco-nsp@puck.nether.net > Subject: Re: [c-nsp] Nexus 9300 sflow performance > > We use sflow on 9300's, no performance hit - but you cannot use span sessions > at the same time. > > Newer code revisions support netflow, without the SPAN session limitation, > although we have not tried netflow on the 9300 yet. > > For a collector We use NFSEN - opensource, and quite a big install base, and > it seems to handle a lot of flows. > > It supports sflow and netflow as we have a mix, just make sure you add the > sflow option at build time as it’s a bit funky old linux to add it after. > > > > -Original Message- > From: cisco-nsp On Behalf Of Satish Patel > Sent: Wednesday, March 20, 2019 8:21 AM > To: cisco-nsp@puck.nether.net > Subject: [c-nsp] Nexus 9300 sflow performance > > This message originates from outside of your organisation. > > Folks, > > I have L3 Nexus 9300 switch which is running 60Gbps traffic on ISP interface > so I’m planning to run sflow on that specific interference to get flow. > > Does it going to create any performances issue on switch? > > Can I run sflow on Layer 3 LACP interface? > > Can anyone suggest free open source sflow collector? > > Sent from my iPhone > ___ > cisco-nsp mailing list cisco-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > ___ > cisco-nsp mailing list cisco-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ --- End Message --- ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Nexus 9300 sflow performance
We have cisco Nexus9000 C9396PX 60 Gbs is data traffic, and 24Mpps ( packet per second ) not sure how to convert it into flows. Could you please share your sflow configuration if you don't mind? I had nfsen in past with 8CPU / 4GB memory but it was damn slow :( but it could be me.. i will set up again and see if it worth it or not. On Wed, Mar 20, 2019 at 11:34 AM Nick Cutting wrote: > > Good point. We waited for the second Gen > > Regarding 60 Gbs, isn’t that is the data traffic, not the flows or sampled > flows levels? > > Our NFSEn box is centos > > 4 vCPU and 4 GBrams > > Collecting flows from maybe only 30 devices, about 20Gbs and 3k flows per sec. > > -Original Message- > From: Tim Stevenson (tstevens) > Sent: Wednesday, March 20, 2019 11:20 AM > To: Nick Cutting ; Satish Patel ; > cisco-nsp@puck.nether.net > Subject: RE: [c-nsp] Nexus 9300 sflow performance > > This message originated from outside your organization. > > Make sure you distinguish between N9300 (1st generation) and N9300-EX/FX/FX2 > (2nd generation). The SFLOW + SPAN limitation applies only to the latter. > It's also on the latter that Netflow is supported, which can run concurrently > with SPAN sessions. > > Tim > > -Original Message- > From: cisco-nsp On Behalf Of Nick Cutting > Sent: Wednesday, March 20, 2019 6:19 AM > To: Satish Patel ; cisco-nsp@puck.nether.net > Subject: Re: [c-nsp] Nexus 9300 sflow performance > > We use sflow on 9300's, no performance hit - but you cannot use span sessions > at the same time. > > Newer code revisions support netflow, without the SPAN session limitation, > although we have not tried netflow on the 9300 yet. > > For a collector We use NFSEN - opensource, and quite a big install base, and > it seems to handle a lot of flows. > > It supports sflow and netflow as we have a mix, just make sure you add the > sflow option at build time as it’s a bit funky old linux to add it after. > > > > -Original Message- > From: cisco-nsp On Behalf Of Satish Patel > Sent: Wednesday, March 20, 2019 8:21 AM > To: cisco-nsp@puck.nether.net > Subject: [c-nsp] Nexus 9300 sflow performance > > This message originates from outside of your organisation. > > Folks, > > I have L3 Nexus 9300 switch which is running 60Gbps traffic on ISP interface > so I’m planning to run sflow on that specific interference to get flow. > > Does it going to create any performances issue on switch? > > Can I run sflow on Layer 3 LACP interface? > > Can anyone suggest free open source sflow collector? > > Sent from my iPhone > ___ > cisco-nsp mailing list cisco-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > ___ > cisco-nsp mailing list cisco-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Nexus 9300 sflow performance
Good point. We waited for the second Gen Regarding 60 Gbs, isn’t that is the data traffic, not the flows or sampled flows levels? Our NFSEn box is centos 4 vCPU and 4 GBrams Collecting flows from maybe only 30 devices, about 20Gbs and 3k flows per sec. -Original Message- From: Tim Stevenson (tstevens) Sent: Wednesday, March 20, 2019 11:20 AM To: Nick Cutting ; Satish Patel ; cisco-nsp@puck.nether.net Subject: RE: [c-nsp] Nexus 9300 sflow performance This message originated from outside your organization. Make sure you distinguish between N9300 (1st generation) and N9300-EX/FX/FX2 (2nd generation). The SFLOW + SPAN limitation applies only to the latter. It's also on the latter that Netflow is supported, which can run concurrently with SPAN sessions. Tim -Original Message- From: cisco-nsp On Behalf Of Nick Cutting Sent: Wednesday, March 20, 2019 6:19 AM To: Satish Patel ; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Nexus 9300 sflow performance We use sflow on 9300's, no performance hit - but you cannot use span sessions at the same time. Newer code revisions support netflow, without the SPAN session limitation, although we have not tried netflow on the 9300 yet. For a collector We use NFSEN - opensource, and quite a big install base, and it seems to handle a lot of flows. It supports sflow and netflow as we have a mix, just make sure you add the sflow option at build time as it’s a bit funky old linux to add it after. -Original Message- From: cisco-nsp On Behalf Of Satish Patel Sent: Wednesday, March 20, 2019 8:21 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Nexus 9300 sflow performance This message originates from outside of your organisation. Folks, I have L3 Nexus 9300 switch which is running 60Gbps traffic on ISP interface so I’m planning to run sflow on that specific interference to get flow. Does it going to create any performances issue on switch? Can I run sflow on Layer 3 LACP interface? Can anyone suggest free open source sflow collector? Sent from my iPhone ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Nexus 9300 sflow performance
--- Begin Message --- Make sure you distinguish between N9300 (1st generation) and N9300-EX/FX/FX2 (2nd generation). The SFLOW + SPAN limitation applies only to the latter. It's also on the latter that Netflow is supported, which can run concurrently with SPAN sessions. Tim -Original Message- From: cisco-nsp On Behalf Of Nick Cutting Sent: Wednesday, March 20, 2019 6:19 AM To: Satish Patel ; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Nexus 9300 sflow performance We use sflow on 9300's, no performance hit - but you cannot use span sessions at the same time. Newer code revisions support netflow, without the SPAN session limitation, although we have not tried netflow on the 9300 yet. For a collector We use NFSEN - opensource, and quite a big install base, and it seems to handle a lot of flows. It supports sflow and netflow as we have a mix, just make sure you add the sflow option at build time as it’s a bit funky old linux to add it after. -Original Message- From: cisco-nsp On Behalf Of Satish Patel Sent: Wednesday, March 20, 2019 8:21 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Nexus 9300 sflow performance This message originates from outside of your organisation. Folks, I have L3 Nexus 9300 switch which is running 60Gbps traffic on ISP interface so I’m planning to run sflow on that specific interference to get flow. Does it going to create any performances issue on switch? Can I run sflow on Layer 3 LACP interface? Can anyone suggest free open source sflow collector? Sent from my iPhone ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ --- End Message --- ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Nexus 9300 sflow performance
Thanks nick, Awesome! I used nfsen in past but it was kind of slow Do you think 60Gbps traffic nfsen can handle easily ? Could you provide your hardware spec where you running Nfsen ? Ntopng is one more tool but not sure about performance. Sent from my iPhone > On Mar 20, 2019, at 9:19 AM, Nick Cutting wrote: > > We use sflow on 9300's, no performance hit - but you cannot use span sessions > at the same time. > > Newer code revisions support netflow, without the SPAN session limitation, > although we have not tried netflow on the 9300 yet. > > For a collector We use NFSEN - opensource, and quite a big install base, and > it seems to handle a lot of flows. > > It supports sflow and netflow as we have a mix, just make sure you add the > sflow option at build time as it’s a bit funky old linux to add it after. > > > > -Original Message- > From: cisco-nsp On Behalf Of Satish Patel > Sent: Wednesday, March 20, 2019 8:21 AM > To: cisco-nsp@puck.nether.net > Subject: [c-nsp] Nexus 9300 sflow performance > > This message originates from outside of your organisation. > > Folks, > > I have L3 Nexus 9300 switch which is running 60Gbps traffic on ISP interface > so I’m planning to run sflow on that specific interference to get flow. > > Does it going to create any performances issue on switch? > > Can I run sflow on Layer 3 LACP interface? > > Can anyone suggest free open source sflow collector? > > Sent from my iPhone > ___ > cisco-nsp mailing list cisco-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Nexus 9300 sflow performance
We use sflow on 9300's, no performance hit - but you cannot use span sessions at the same time. Newer code revisions support netflow, without the SPAN session limitation, although we have not tried netflow on the 9300 yet. For a collector We use NFSEN - opensource, and quite a big install base, and it seems to handle a lot of flows. It supports sflow and netflow as we have a mix, just make sure you add the sflow option at build time as it’s a bit funky old linux to add it after. -Original Message- From: cisco-nsp On Behalf Of Satish Patel Sent: Wednesday, March 20, 2019 8:21 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Nexus 9300 sflow performance This message originates from outside of your organisation. Folks, I have L3 Nexus 9300 switch which is running 60Gbps traffic on ISP interface so I’m planning to run sflow on that specific interference to get flow. Does it going to create any performances issue on switch? Can I run sflow on Layer 3 LACP interface? Can anyone suggest free open source sflow collector? Sent from my iPhone ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Nexus 9300 sflow performance
Folks, I have L3 Nexus 9300 switch which is running 60Gbps traffic on ISP interface so I’m planning to run sflow on that specific interference to get flow. Does it going to create any performances issue on switch? Can I run sflow on Layer 3 LACP interface? Can anyone suggest free open source sflow collector? Sent from my iPhone ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
