On Sat, Jul 18, 2009 at 03:05:32AM -0700, Darren Bolding wrote:
> Can someone provide a link, or more detail, on the netflow issues? Particularly as they relate to 6509's and sup720's.
The long and short of it is the current hardware (EARL7) is incapable of doing sampling (i.e. looking at 1 out of every N packets). It gathers all of the flow data into TCAM and THEN does sampling in software, but by that point it's already too late because the TCAM is exhausted. Turning on sampling actually makes it worse, because it forces a flowmask which fills the TCAM even faster.

In my experience, even with extremely aggressive aging and a dest-only flowmask (discarding all src and L4 port information to make it fit better), it tops out at around 2Gbps of "generic wholesale IP" traffic you can sample. Obviously when it runs out of steam is dependent on the number of flows in your network; you could be much better or much worse depending on your traffic, but the point is it usually doesn't work for most people. Adding DFC daughterboards makes this capacity scale linearly, i.e. you go from 2Gbps system-wide capacity to 2Gbps per slot capacity, but this typically doesn't make any difference.

The only recent improvement is that in SXH+ and SRB+ software you can now enable netflow on a per-interface basis rather than a global basis (before this, all traffic was sampled globally regardless of what you configured on the interfaces). This can let you exclude interfaces you don't care about (such as core links) and use your limited resources only on interfaces you do care about (such as edge links).

Until they come out with the EARL8 SUPs (what have they pushed that back to now, 2011? :P) you are basically SOL in the netflow dept.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
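
A toy model of the behaviour described in the message above, added here as an illustration and not part of the original post or any vendor code: it compares a fixed-size flow table when sampling happens after the table versus before it, and with a full versus dest-only flowmask. The table capacity, traffic mix and 1-in-100 rate are constructed values, not EARL7 figures, and aging is not modelled.

```python
# Added illustration, not from the original post. Capacity, traffic mix and
# sampling rate are constructed values, not EARL7 specifications.
import random

def make_packets(n_packets, n_src, n_dst, seed=1):
    """Constructed traffic: each packet is (src, dst, sport, dport)."""
    rng = random.Random(seed)
    return [(rng.randrange(n_src), rng.randrange(n_dst),
             rng.randrange(1024, 65536), rng.choice((53, 80, 443)))
            for _ in range(n_packets)]

FLOWMASKS = {
    "full": lambda p: p,           # key on src, dst and L4 ports
    "dest-only": lambda p: p[1],   # key on destination only
}

def run(packets, capacity, flowmask, sample_n, sample_before_table):
    """Return entries used, packets left unaccounted, and records exported."""
    key_of = FLOWMASKS[flowmask]
    table, unaccounted = set(), 0
    for i, pkt in enumerate(packets):
        if sample_before_table and i % sample_n:
            continue               # 1-in-N packet sampling: table never sees it
        key = key_of(pkt)
        if key in table:
            continue               # existing entry, no new table space needed
        if len(table) < capacity:
            table.add(key)
        else:
            unaccounted += 1       # table full: this packet's flow is lost
    # Sampling after the table only thins what is exported; it frees nothing.
    exported = len(table) if sample_before_table else len(table) // sample_n
    return {"entries": len(table), "unaccounted": unaccounted,
            "exported": exported}

if __name__ == "__main__":
    pkts = make_packets(20000, n_src=5000, n_dst=200)
    for name, args in [
        ("sample after table, full mask", ("full", 100, False)),
        ("sample after table, dest-only", ("dest-only", 100, False)),
        ("sample before table, full mask", ("full", 100, True)),
    ]:
        print(name, run(pkts, 2000, *args))
```

For anyone relying on flow export for traffic analysis or detection, the "unaccounted" figure is the one to watch: it is traffic that never appears in the exported data, whatever sampling rate is configured.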