Reducing netflow load

Unanswered Question
May 11th, 2010

We want to configure netflow on a 10gigabit uplink on a 6509 with sup720-10g, but before we do we want to make sure we know how to deal with the increase in load should it turn out to be too many flows.

My question is what commands/parameters should be set to reduce the load of netflow aside from the default config?

sean_evershed Tue, 05/11/2010 - 23:44

Joakim,

Have a look at flexible netflow. This gives you more granular control over what data you are capturing. See below.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/prod_white_paper0900aecd804be1cc.html

You may also be interested in this link that discusses the performance impact Netflow has on a network

http://www.ciscosystems.com/en/US/technologies/tk543/tk812/technologies_white_paper0900aecd802a0eb9.html

francisco_1 Fri, 05/14/2010 - 07:05

Couple of things that could help you are:

You could set the minimum IP MLS Flow Masks for the Netflow table on the PFC. The flow mask determines the granularity of the statistics gathered, which controls the size of the NetFlow table. The less-specific flow masks result in fewer entries in the NetFlow table and the most-specific flow masks result in the most NetFlow entries. For example, if the flow mask is set to interface-source, the NetFlow table contains one entry per source IP address. (Assume that NetFlow is enabled on only one interface). The statistics for all flows from each source are accumulated in the one entry.

Also MLS aging could be used to keep the NetFlow table size below the recommended utilization

The PFC supports the following flow masks:

interface-source—A less-specific flow mask. Statistics for all ingress flows on an interface from each source IP address aggregate into one entry.

interface-destination—A less-specific flow mask. Statistics for all ingress flows on an interface to each destination IP address aggregate into one entry.

interface-destination-source—A more-specific flow mask. Statistics for all ingress flows on an interface between the same source IP address and destination IP address aggregate into one entry.

interface-full—The most-specific flow mask. The PFC creates and maintains a separate table entry for each IP flow on an interface. An interface-full entry includes the source IP address, destination IP address, protocol, and protocol ports.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/netflow.html

Francisco.

jakewilson Sun, 05/16/2010 - 15:26

I'd be interested to learn what happens in your NetFlow collector if you specify only "interface-source" as without full NetFlow v5 information (even if running NetFlow v9) some reporting tools may fail. If the reporting tool is home-grown, it may not matter, but this post makes an interesting point in that it depends on what you want to collect and report on.

The Catalyst 65XX under a heavy load gets kind of interesting when considering the TCAM issues.  If the switch starts skipping flow exports, the collector should alert you for missed flow sequence numbers. The NetFlow collector should also tell you if it can't keep up. 

As far as increasing the load on the overall network, I wouldn't worry about this as typically NetFlow exports only increase the link utilization by 1-2% unless of course we are talking about a WAN link and multiple exports over the same link.
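As an added example (not from any post in this thread), here is the collector-side check jakewilson describes: a NetFlow v5 export header parser that flags missed flow sequence numbers, which is how a collector notices that the switch has started skipping exports under load. The packet layout follows the standard v5 header; the export stream and its sequence numbers are constructed for the example.

```python
import struct
from collections import namedtuple

# NetFlow v5 export header (24 bytes, network byte order):
# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48  # each v5 flow record is a fixed 48 bytes

Header = namedtuple("Header", "version count flow_sequence")

def parse_v5_header(packet: bytes) -> Header:
    """Parse the v5 header; reject anything that is not a well-formed v5 packet."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than v5 header")
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(packet)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(packet) < V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("count field larger than packet payload")
    return Header(version, count, seq)

def find_sequence_gaps(packets):
    """Return [(expected_seq, got_seq, missed_flows), ...] for one exporter.

    flow_sequence counts total flows exported so far, so the next packet
    should start at previous flow_sequence + previous count (mod 2**32).
    """
    gaps = []
    expected = None
    for pkt in packets:
        hdr = parse_v5_header(pkt)
        if expected is not None and hdr.flow_sequence != expected:
            missed = (hdr.flow_sequence - expected) & 0xFFFFFFFF
            gaps.append((expected, hdr.flow_sequence, missed))
        expected = (hdr.flow_sequence + hdr.count) & 0xFFFFFFFF
    return gaps

def make_v5_packet(seq, count):
    """Constructed sample packet: valid header plus zeroed flow records."""
    hdr = V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, 0, 0)
    return hdr + bytes(V5_RECORD_LEN * count)

# Constructed sample export stream: the third packet skips 12 flows.
SAMPLE_STREAM = [
    make_v5_packet(1000, 30),   # flows 1000..1029
    make_v5_packet(1030, 30),   # flows 1030..1059
    make_v5_packet(1072, 5),    # expected 1060, so 12 flows were dropped
    make_v5_packet(1077, 1),
]

if __name__ == "__main__":
    for exp, got, missed in find_sequence_gaps(SAMPLE_STREAM):
        print(f"gap: expected {exp}, got {got}, {missed} flows missed")
```

Packets must be grouped per exporter (and per engine ID on a multi-engine chassis) before checking, since each source keeps its own sequence counter.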
