Solved: NetFlow table size

gryphon55 · ‎06-22-2007

Hello,

I cannot find any documentation which says what happens when a NetFlow table becomes full (6509 switch - 12.2(18)SXF7 IOS). Do incoming packets get dropped or are they routed as a normal IP packet without NetFlow? Alternatively, are older NetFlow entries removed to allow for a new entry to be inserted?

I am wondering what will happen in the case of network attacks where there are huge numbers of sessions in the NetFlow table along with legitimate traffic.

Regards,

Tom Griffin

avmabe · ‎06-27-2007

Tom,

Traffic will keep passing with no impact when the netflow TCAM is at 100% utilization.

The traffic, however, will not be counted or exported via netflow. The flows do age out of the TCAM based on the intervals set by default or manually, but in my practice manipulating the timers do not help because I have so much traffic/flows going through the box.

The traffic that is "missed" by the netflow TCAM is put into a snmp counter that you can use cacti to poll and see how much traffic you are missing on netflow.

But... The packets will still be routed/switched with no affect.

Happy to Help!

View solution in original post

avmabe · ‎06-27-2007

Tom,

Traffic will keep passing with no impact when the netflow TCAM is at 100% utilization.

The traffic, however, will not be counted or exported via netflow. The flows do age out of the TCAM based on the intervals set by default or manually, but in my practice manipulating the timers do not help because I have so much traffic/flows going through the box.

The traffic that is "missed" by the netflow TCAM is put into a snmp counter that you can use cacti to poll and see how much traffic you are missing on netflow.

But... The packets will still be routed/switched with no affect.

Happy to Help!

Konstantin Dunaev · ‎06-27-2007

just to add:

on 6509 (SUP32? SUP720?) IOS12.2 Netflow table is used only for statistics and is not used for traffic switching,

CEF is used for traffic switching.