Are there any disadvantages to aggressive netflow aging?

bgfl-tech · ‎07-04-2011

Hi,

I've enable netflow across the bulk of our 6509 estate and have, after reading various guides, posts and pieces of advice settled on a fairly aggressive set of mls aging timers:-

mls aging long 64

mls aging normal 32

mls aging fast time 16

This seems to be having the desired affect in that TCAM utilisation is not approaching 100% and there doesn't appear to have been any significant increase in CPU usage (the EARL NDE task seems to be using single figure % on the whole).

My question is around whether there are any disadvantages of aggressive aging, i.e. am I missing information by moving away from the default settings and aging flows quicker?

TIA

rsimoni · ‎07-04-2011

Hi Tia,

netflow tuning is similar to QoS tuning meaning that there is no setting which is good for every implementation but it depends on traffic pattern and on the hardware being utilized.

In general you use fast aging when TCAM is getting full and you need to clear space to fit more flows and get more accurate information (if the TCAM is full new flows are not created).

The drawback is that the shorter the flows stay in the TCAM and 'statistically' the higher the CPU will go as in a unit of time it needs to create and delete an higher number of flows (and depending on hw and configuration it might export them to a collector).

If you don't see high CPU condition when you configure a more aggressive aging it means that 1) your hardware can cope with the traffic pattern and 2) there aren't some many new unique flos created in a unit of time.

Riccardo