Reply: Re: [flow-tools] Cat6500 and Netflow
Shane Dawalt
shane.dawalt at wright.edu
Fri Sep 2 09:27:22 EDT 2005
This chassis is running hybrid-mode, so it's running CatOS 7.6(12) on
the sup2 and IOS 12.1(13)E6 on the MSFC2.

As far as drops are concerned, I don't think there is a correlation
between up-time and the drops. I think it must be something odd in our
traffic pattern.

I ran flow-header across all flow files and grep'd on "lost flows".
This provided a list showing the dropped flows occur during a single
5-minute window every 20 minutes. I can't think what would be doing
this (network-wise), but I think it points to network traffic. Either
that or the ageout algorithm in the switch isn't working right (and I
cannot believe that).

Shane

Sven.Butzek at bahn.de wrote:
>
>
>Hello,
>
>Two questions about the Netflow problem:
>
>Which IOS do you run, and do you notice that with increased uptime there
>are more flows lost?
>
>Sven
>
>
>Sven Butzek
>DB Systems GmbH
>
>Andrew Fort <afort at choqolat.org>
>Sent by: flow-tools-bounces at splintered.net
>02.09.2005 04:14
>
>To: Shane Dawalt
>Cc: flow-tools
>Subject: Re: [flow-tools] Cat6500 and Netflow
>
>Shane Dawalt wrote:
>
>
>> Well, these sup2 are about 2 years old now. <sigh>
>>
>> I have the ip fast aging setting down as low as it will go (32). My
>>guess is that reducing the ip long-duration aging setting probably won't
>>do much good. I guess I could probably apply a filter. (Gee, I guess
>>that means if I change to a full-flow mask, I will probably start
>>dropping lots of flows.)
>>
>> Shane
>>
>>
>
>seems likely enough. netflow on internet mix traffic on anything other
>than a sup720-3bxl is not recommended, and even then, it seems prudent
>not to recommend it if you were billing on that traffic.
>
>the other problem is that on the software that's out there now for all
>sups, and likely 'always' on the sup720-3a/sup2, you can't disable flow
>tcam population for specific interfaces, i.e., it's on all the time.
>
>So, if you have a lot of IP interfaces on the box, and you only care
>about netflow'ing one (or two) of them, you can't prune the amount of
>stuff ending up in the netflow tcam, further exacerbating the problem.
>
>e.g., I have no 'ip route-cache flow' or 'ip flow ingress' anywhere on
>my 7609-sup720 (pfc3a), but i get flow stats (though not packet size
>dist or flow switching cache stats, since that's 'disabled').
>
>crusty#sh ip cach fl
>IP packet size distribution (0 total packets):
>   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
>   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
>
>    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
>   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
>
>IP Flow Switching Cache, 0 bytes
>  0 active, 0 inactive, 0 added
>  0 ager polls, 0 flow alloc failures
>  Active flows timeout in 30 minutes
>  Inactive flows timeout in 15 seconds
>  last clearing of statistics never
>Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
>--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
>
>SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
>
>Displaying Hardware entries in Module 1
> SrcIf          SrcIPaddress      DstIPaddress      Pr    SrcP    DstP    Pkts
> Vl179          220.130.39.237    220.101.4.220     tcp   3393    135     3
> Vl179          24.207.193.248    131.244.3.55      tcp   2053    smtp    3
> Vl179          203.103.165.70    202.44.98.24      udp   58940   dns     1
>
>
>-andrew
>_______________________________________________
>flow-tools at splintered.net
>http://www.splintered.net/sw/flow-tools
>
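
The check described at the top of this message (flow-header over every capture file, looking at "lost flows"), carried one step further to measure the spacing between lossy windows, so that any accounting or detection built on these files knows where its data is incomplete. This is an added example, not code from the thread or from flow-tools; the "# capture start:" line and its date format are assumptions about flow-header's text output, and the sample headers are constructed.

```python
import re
from datetime import datetime

# Assumed flow-header field layout ("# name:   value"); only the
# "lost flows" field is named in the message above.
FIELD = re.compile(r"^#[ \t]*(capture start|lost flows):[ \t]*(.+?)[ \t]*$", re.M)

def parse_header(text):
    """Return (capture_start, lost_flows) for one capture file's header."""
    fields = dict(FIELD.findall(text))
    if len(fields) != 2:
        raise ValueError("header lacks 'capture start' or 'lost flows'")
    stamp = " ".join(fields["capture start"].split())  # collapse "Sep  2"
    start = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return start, int(fields["lost flows"])

def lossy_windows(headers):
    """Capture windows that report lost flows, oldest first."""
    return [(s, n) for s, n in sorted(map(parse_header, headers)) if n > 0]

def gaps_minutes(windows):
    """Minutes between the starts of successive lossy windows."""
    starts = [s for s, _ in windows]
    return [int((b - a).total_seconds()) // 60 for a, b in zip(starts, starts[1:])]

# Constructed sample: headers for twelve consecutive 5-minute capture files,
# with made-up loss counts in the 09:05, 09:25 and 09:45 files.
LOST = [0, 812, 0, 0, 0, 640, 0, 0, 0, 705, 0, 0]
SAMPLE = [
    "#\n"
    f"# capture start:        Fri Sep  2 09:{5 * i:02d}:00 2005\n"
    f"# lost flows:           {n}\n"
    "# corrupt packets:      0\n"
    "#\n"
    for i, n in enumerate(LOST)
]

if __name__ == "__main__":
    windows = lossy_windows(SAMPLE)
    for start, lost in windows:
        print(f"{start:%Y-%m-%d %H:%M}  lost flows: {lost}")
    print("gaps between lossy windows (min):", gaps_minutes(windows))
```

For real data, pass one flow-header text dump per capture file in place of SAMPLE; a constant gap, as in the sample, is the pattern the message reports.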