Antwort: Re: [flow-tools] Cat6500 and Netflow

Sven.Butzek at bahn.de Sven.Butzek at bahn.de
Fri Sep 2 09:04:52 EDT 2005 




Hello,

two Questions about the Netflow problem?

Which IOS do you run, and do you notice that whith increased uptime there
are more flows lost?

Sven


Sven Butzek
DB Systems GmbH
Netzsystemtechnik-WAN (IOP 11)
Kleyerstraße 25, 60326 Frankfurt am Main
Tel. +49 069 265-52619, Fax 069 265-52510, intern 955-
Mobil: 0160 97435804
________________________________________________________________
Internetauftritt der Deutschen Bahn AG >> http://www.db.de




|------------------------------------->
|            Andrew Fort              |
|            <afort at choqolat.org>     |
|            Gesendet von:            |
|            flow-tools-bounces at splint|
|            ered.net                 |
|                                     |
|                                     |
|            02.09.2005 04:14         |
|------------------------------------->
  >------------------------------------------------------------------------------------------------------------------------------|
  |                                                                                                                              |
  |                                                                                                                              |
  |                                                                                                                           An:|
  |            Shane Dawalt                                                                                                      |
  |                                                                                                                        Kopie:|
  |            flow-tools                                                                                                        |
  |                                                                                                                   Blindkopie:|
  |                                                                                                                              |
  |                                                                                                                        Thema:|
  |            Re: [flow-tools] Cat6500 and Netflow                                                                              |
  |                                                                                                                              |
  >------------------------------------------------------------------------------------------------------------------------------|




Shane Dawalt wrote:
>
>  Well, these sup2 are about 2 years old now.  <sigh>
>
>  I have the ip fast aging setting down as low as it will go (32).  My
> guess is that reducing the ip long-duration aging setting probably won't
> do much good.  I guess I could probably apply a filter.  (Gee, I guess
> that means if I change to a full-flow mask, I will probably start
> dropping lots of flows.)
>
>  Shane

seems likely enough.  netflow on internet mix traffic on anything other
than a sup720-3bxl is not recommended, and even then, it seems prudent
not to recommend it if you were billing on that traffic.

the other problem is that on the software that's out there now for all
sups, and likely 'always' on the sup720-3a/sup2, you can't disable flow
tcam population for specific interfaces, i.e., it's on all the time.

So, if you have a lot of IP interfaces on the box, and you only care
about netflow'ing one (or two) of them, you can't prune the amount of
stuff ending up in the netflow tcam, further exaserbating the problem.

e.g., I have no 'ip route-cache flow' or 'ip flow ingress' anywhere on
my 7609-sup720 (pfc3a), but i get flow stats (though not packet size
dist or flow switching cache stats, since that's 'disabled').

crusty#sh ip cach fl
IP packet size distribution (0 total packets):
    1-32   64   96  128  160  192  224  256  288  320  352  384  416
448  480
    .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
.000 .000

     512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
    .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 0 bytes
   0 active, 0 inactive, 0 added
   0 ager polls, 0 flow alloc failures
   Active flows timeout in 30 minutes
   Inactive flows timeout in 15 seconds
   last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec)
Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow
/Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP
  Pkts

Displaying Hardware entries in Module 1
  SrcIf            SrcIPaddress          DstIPaddress      Pr       SrcP
      DstP      Pkts
  Vl179            220.130.39.237        220.101.4.220     tcp      3393
      135       3
  Vl179            24.207.193.248        131.244.3.55      tcp      2053
      smtp      3
  Vl179            203.103.165.70        202.44.98.24      udp
58940     dns       1


-andrew
_______________________________________________
flow-tools at splintered.net
http://www.splintered.net/sw/flow-tools




---------

Diese E-Mail könnte vertrauliche und/oder rechtlich geschützte
Informationen enthalten. Wenn Sie nicht der richtige Adressat sind oder
diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den
Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die
unbefugte Weitergabe dieser Mail sind nicht gestattet.

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any
unauthorised copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

----------

More information about the flow-tools mailing list