I cannot find any documentation which says what happens when a NetFlow table becomes full (6509 switch - 12.2(18)SXF7 IOS). Do incoming packets get dropped or are they routed as a normal IP packet without NetFlow? Alternatively, are older NetFlow entries removed to allow for a new entry to be inserted?
I am wondering what will happen in the case of network attacks where there are huge numbers of sessions in the NetFlow table along with legitimate traffic.
Traffic will keep passing with no impact when the NetFlow TCAM is at 100% utilization.
The traffic, however, will not be counted or exported via NetFlow. The flows do age out of the TCAM based on the intervals set by default or manually, but in my practice manipulating the timers does not help because I have so much traffic/flows going through the box.
The traffic that is "missed" by the NetFlow TCAM is put into an SNMP counter that you can use Cacti to poll and see how much traffic you are missing on NetFlow.
But... The packets will still be routed/switched with no effect.
Happy to Help!