Netflow Switching + CEF

Jun 24th, 2010

Hi,

I was checking today the document "Troubleshooting High CPU Utilization Due to Interrupts". It talks about CPU load due to long access lists and also about using NetFlow switching with CEF to improve access list processing and switching. This is the text:

"As a general rule of thumb, any access list with over ten lines is considered long.

Repeatedly going over long access lists is very CPU-intensive. With NetFlow switching, if the flow is already in the cache, you no longer need to check the access list. So in this case, NetFlow switching would be useful. You can enable NetFlow switching by issuing the ip route-cache flow command.

Note that if Cisco Express Forwarding and NetFlow are both configured on an interface, Cisco Express Forwarding will be used to make a switching decision, and NetFlow cache will be used to speed up ACL checking and accounting purposes."

This is a document for the 7500 series. I would like to know if this can be taken as a best practice for other Cisco platforms and can be used to improve performance when long access lists are applied to an interface, or if there is some limitation about using this.

Thanks all for your replies.

Giuseppe Larosa Fri, 06/25/2010 - 03:28

Hello Fernando,

What platform are you interested in? With what IOS image running on it?

To reduce CPU usage caused by ACLs you could think about using turbo ACL.

Hope to help

Giuseppe

fernando.vs Sat, 06/26/2010 - 11:00

Thanks Giuseppe for your reply,

I knew that turbo ACLs would be mentioned in the reply. To my understanding turbo ACLs apply to the big platforms like 7200, 7500, 1200, ASA, FWSM, 6500, and other series (please tell me if there is any exception to this), but what about platforms like ISRs, 3700s, and others? I'm not sure if you can use turbo ACLs on these platforms. If that is not the case, is it OK to use NetFlow switching with CEF on the interfaces?

Thanks again.

Richard Burts Sun, 06/27/2010 - 21:52

Fernando

It would be interesting to know the date of publication of the article that discusses flow switching. I suspect that it is pretty old. There was a switching path for "flow switching" but only for a fairly short time. Cisco retained flow switching concepts in implementing NetFlow tracking of forwarding of packets and the command ip route-cache flow enables this. But it no longer enables "flow switching" as a packet forwarding method. CEF is now the packet switching method that is used when packets are not process switched.

HTH

Rick

Giuseppe Larosa Sun, 06/27/2010 - 22:30

Hello Fernando,

>> if that is not the case its ok to use netflow switching with CEF in the interfaces?

This is possible for sure on those high-end platforms that you have mentioned; I have configured it many times successfully.

On ISR it should be possible too, as you can find many examples here in the forums.

Have a look at the Cisco IOS 12.4T NetFlow configuration guide:

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/12_4t/nf_12_4t_book.html

See:

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/cfg_nflow_data_expt.html#wp1058333

We don't disable CEF to enable NetFlow instead. Rather, we can add NetFlow as a way to perform flow-based accounting.

Scalability is achieved by sampling, which can be deterministic or random depending on IOS versions and platforms.

So I agree with Rick that flow switching is not current anymore.

To be noted: when I tested turbo ACL on C7500 we could see that turbo ACL traffic was not processed in a distributed fashion on VIP processors but by the central processor RSP4. But it was 8 years ago.

Hope to help

Giuseppe
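
The Cisco text quoted in the opening post says that a flow already in the cache skips the access-list check. The Python sketch below is an added illustration, not part of the thread and not how any IOS release implements it: a simplified model that counts ACL entries compared with and without a per-flow verdict cache. The ACL, addresses and traffic mix are constructed, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed 12-entry ACL, first match wins ("long" by the quoted >10-line rule).
# Each entry: (action, source network, destination port or None for any).
ACL = [("deny", ip_network(f"10.0.{i}.0/24"), 23) for i in range(11)]
ACL.append(("permit", ip_network("0.0.0.0/0"), None))

def acl_lookup(flow):
    """Linear first-match scan; returns (action, entries_compared)."""
    src, dst, proto, sport, dport = flow
    for n, (action, net, port) in enumerate(ACL, start=1):
        if ip_address(src) in net and port in (None, dport):
            return action, n
    return "deny", len(ACL)  # implicit deny at the end of the list

def forward(packets, use_flow_cache):
    """Return (per-packet verdicts, total ACL entries compared)."""
    cache, verdicts, compared = {}, [], 0
    for flow in packets:
        if use_flow_cache and flow in cache:
            verdicts.append(cache[flow])  # cache hit: no ACL scan
            continue
        action, n = acl_lookup(flow)
        compared += n
        if use_flow_cache:
            cache[flow] = action  # first packet of the flow pays the scan
        verdicts.append(action)
    return verdicts, compared

# Constructed traffic: two flows (5-tuples), 50 packets each.
WEB = ("192.0.2.10", "198.51.100.5", 6, 40000, 443)
TELNET = ("10.0.7.9", "198.51.100.5", 6, 40001, 23)
PACKETS = [WEB, TELNET] * 50

if __name__ == "__main__":
    for cached in (False, True):
        verdicts, compared = forward(PACKETS, cached)
        print(f"flow cache={cached}: {compared} ACL entries compared")
```

The model ignores cache ageing and ACL changes; a real flow cache has to expire or invalidate entries so a stale verdict is not reused after the access list is edited.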
