On Tue, Feb 29, 2000 at 12:06:02AM -0300, Rubens Kuhl Jr. wrote:
> > Other stuff: NetFlow and CEF Fun stuff. Netflow: Don't think of NetFlow in any other capacity other than for trace-back capabilities:
>
> Thanks for the long answer, but this question was actually on how the router performance impact of CAR or TCP-Intercept changes between using CEF switching (ip route-cache cef, default) and CEF-Flow switching (ip route-cache cef + ip route-cache flow). Although NetFlow impacts router performance a little, running CEF-Flow makes large access-list processing faster than just running CEF; I think some other features (IPSec?) also have performance gains. I was wondering whether CAR and/or TCP-Intercept would have better performance with CEF-Flow.

The answer to the specific question is, NetFlow has absolutely no impact on CAR or TCP Intercept. Committed Access Rates are based on probability dropping of packets in a queue and have nothing to do with flows. TCP Intercept tracks flows on its own; to my knowledge there is nothing it can use from NetFlow.

Generally speaking, CEF will give you the best performance when dealing with high-volume packet DoS. Flow is useful for gaining information, but apart from access-list considerations it has another layer of information used in switching, therefore it will be a bit slower (l3 src/dst + l4 protocol and ports as opposed to just l3 dst) for other purposes. Be careful with flow when dealing with random src or random dst attacks (for example, an attack which elicits a victim system to send replies to random destinations), or it may not help you much (as the flow cache gets max'd).

-- 
Richard A. Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - Network Architect, Vienna VA
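The two points in the reply, that a flow cache keyed on l3 src/dst plus l4 protocol and ports gets max'd under random-source traffic, while a rate limiter that never looks at flows is unaffected, can be shown with a small simulation. The following is an added example written for this page; it is not code from the thread, from Cisco IOS, or from any vendor. The flow cache, the token-bucket model of a flow-agnostic policer (CAR is modelled as a token bucket here; that is this example's assumption, not a statement from the reply), and both traffic generators are constructed for illustration.

```python
"""Added illustration (not from the thread, Cisco, or any vendor): a bounded
flow cache versus a flow-agnostic rate limiter under a random-source flood.
All traffic below is constructed, not captured."""
import random


class FlowCache:
    """Toy NetFlow-style cache keyed on l3 src/dst + l4 proto/sport/dport.

    Capacity is bounded, as on a real router. Once it is full, new flows
    cannot be recorded, so per-flow accounting stops helping (cache max'd)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.flows = {}  # flow key -> packet count
        self.hits = self.new = self.uncached = 0

    def account(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        if key in self.flows:
            self.flows[key] += 1
            self.hits += 1
        elif len(self.flows) < self.capacity:
            self.flows[key] = 1
            self.new += 1
        else:
            self.uncached += 1  # packet seen, but no room to track its flow


class TokenBucket:
    """Flow-agnostic policer (CAR modelled as a token bucket; an assumption of
    this example). One token per packet, refilled per simulated millisecond."""

    def __init__(self, rate_pps, burst):
        self.rate_per_ms = rate_pps / 1000.0
        self.burst = burst
        self.tokens = float(burst)
        self.last_ms = 0
        self.conform = self.exceed = 0

    def police(self, pkt):
        elapsed = pkt["ms"] - self.last_ms
        self.last_ms = pkt["ms"]
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_per_ms)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.conform += 1
            return True
        self.exceed += 1
        return False


def client_traffic(n, n_clients=50, seed=1):
    """Constructed: a fixed client population talking to one server,
    10 packets per simulated millisecond (10,000 pps)."""
    rng = random.Random(seed)
    for i in range(n):
        c = rng.randrange(n_clients)
        yield {"ms": i // 10, "src": f"10.0.0.{c + 1}", "dst": "192.0.2.10",
               "proto": 6, "sport": 40000 + c, "dport": 80}


def random_source_flood(n, seed=2):
    """Constructed: same packet rate, but every packet carries a random
    (spoofed) source address and port, so every packet is a new flow."""
    rng = random.Random(seed)
    for i in range(n):
        yield {"ms": i // 10, "src": str(rng.getrandbits(32)), "dst": "192.0.2.10",
               "proto": 6, "sport": rng.randrange(1024, 65536), "dport": 80}


def run(packets, cache_capacity=1000, rate_pps=5000, burst=500):
    """Feed one packet stream through both mechanisms and report counters."""
    cache = FlowCache(cache_capacity)
    policer = TokenBucket(rate_pps, burst)
    for pkt in packets:
        cache.account(pkt)
        policer.police(pkt)
    return {"flows_tracked": len(cache.flows), "cache_hits": cache.hits,
            "cache_uncached": cache.uncached,
            "policer_conform": policer.conform, "policer_exceed": policer.exceed}


if __name__ == "__main__":
    for name, gen in (("clients", client_traffic), ("flood", random_source_flood)):
        print(name, run(gen(10000)))
```

With the client mix, the cache records 50 flows and every later packet is a hit; with the flood, the cache fills at 1,000 entries and the remaining packets are seen but never tracked, which is the "flow cache gets max'd" case. The policer's conform/exceed counts are identical for both streams because it only sees arrival times, never flow keys, which is the sense in which flow switching has no effect on a rate limiter.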