
N5K-5672UP NetFlow Performance

blackmetal
Level 1

Hello,

I want to enable NetFlow on N5K-5672UP and send it to my NetFlow analyzer to detect DDoS attacks, but before that, I want to know if that switch has a built-in chipset or ASIC for NetFlow or not.
If I enable NetFlow during high and volumetric DDoS attacks, does it not affect the switch CPU performance?

Thank you.


blackmetal
Level 1

Can somebody help me on this subject?

pman
Spotlight

Hi,

 


I want to enable NetFlow on N5K-5672UP and send it to my NetFlow analyzer to detect DDoS attacks, but before that, I want to know if that switch has a built-in chipset or ASIC for NetFlow or not.

This device supports Sampled NetFlow:

Table 9. Software Packaging and Licensing

| License Package | Part Number | Features Supported |
|---|---|---|
| FabricPath Services Package: ENHANCED_LAYER2_PKG | N5672-EL2-SSK9, N56128-EL2-SSK9 | FabricPath |
| FCoE NPV Package: FCOE_NPV_PKG | N56-FNPV-SSK9 | FCoE NPV |
| Layer 3 Base Services Package: LAN_BASE_SERVICES_PKG | N56-BAS1K9 | Unlimited static routes and maximum of 256 dynamic routes: Static routes; RIPv2; OSPFv2 and OSPFv3; EIGRP stub; HSRP; VRRP; IGMP v2 and v3; PIMv2 (sparse mode); VRF-lite; RACL; Network Address Translation (NAT) |
| Layer 3 Enterprise Services Package: LAN_ENTERPRISE_SERVICES_PKG | N56-LAN1K9 | N56-LAN1K9 license includes the following features in addition to the ones with the N56-BAS1K9 license: BGP; PBR; Full EIGRP; PIMv2 (all modes); Layer 3 IS-IS; uRPF; MSDP; Sampled NetFlow; VXLAN flood and learn |
| Network Services Package: NETWORK_SERVICES_PKG | N56-SERVICES1K9 | Cisco Remote Integrated Services Engine; Cisco Intelligent Traffic Director (ITD) |
| Storage Protocols Services Package: Fibre Channel_FEATURES_PKG, ENTERPRISE_PKG | N56-12P-SSK9, N56-16P-SSK9, N5672-72P-SSK9, N56128-128P-SSK9 | Native Fibre Channel; FCoE; NPV; Fibre Channel port security; Fabric binding; Fibre Channel security protocol (Fibre Channel-SP) authentication |
| VM-FEX Package | N56-VMFEX9 | Data Center VM-FEX |

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/datasheet-c78-730760.html

 

If I enable NetFlow during high and volumetric DDoS attacks, does it not affect the switch CPU performance?


The device should be preconfigured with CoPP to prevent attacks from impacting performance (in case of high rates of traffic destined to the supervisor module or the CPU itself).

More on the subject at the following link:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/security/7x/b_5600_Security_Config_7x/b_6k_Security_Config_7x_chapter_01011.html

 

NetFlow can cause high CPU loads. To prevent issues with the control plane, the following limitations apply:

  • NetFlow can be configured in the ingress direction only
  • NetFlow packets that reach the CPU are not policed by the ASIC

If extensive traffic is supposed to pass through the device itself, then I would recommend setting up Sampled NetFlow.

Sampled NetFlow reduces the amount of export data sent to the collector by limiting the number of packets that create flows and the number of flows. It is essential when flows are created on a line card or external device, instead of on the forwarding engine.

Take into account that excessive sampling should be avoided, as it increases the amount of exported flow data, especially on high-speed links, where the network traffic volume is high.

 

More on the subject at the following link:

 

NetFlow

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/system_management/7x/b_5600_System_Mgmt_Config_7x/configuring_netflow.html

 

Sampled NetFlow

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/system_management/7x/b_5600_System_Mgmt_Config_7x/configuring_netflow.html#concept_B27322E2A74549A599151970A18B8F93
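On the analyzer side, Sampled NetFlow means every exported counter has to be scaled by the sampling rate before it is compared with a DDoS threshold, and destinations with only a few sampled packets give unreliable estimates. The following Python sketch is an added example, not part of the reply above or of Cisco's documentation; the 1-in-1000 sampler, the 60-second window, the thresholds and the flow records are all constructed assumptions.

```python
import math
from collections import defaultdict

SAMPLING_N = 1000        # assumed sampler setting: 1 packet out of every 1000
WINDOW_SECONDS = 60      # assumed aggregation window at the collector
PPS_THRESHOLD = 100_000  # assumed per-destination alert threshold (packets/s)
MIN_SAMPLED = 100        # assumed floor: fewer samples is too noisy to alert on

# Constructed sampled flow records for one window:
# (source, destination, sampled_packets, sampled_bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 4200, 268_800),
    ("198.51.100.8", "203.0.113.10", 3900, 249_600),
    ("198.51.100.9", "203.0.113.10", 4100, 262_400),
    ("192.0.2.44", "203.0.113.20", 35, 49_000),
    ("192.0.2.45", "203.0.113.30", 3, 4_200),
]

def estimate_per_destination(flows, n=SAMPLING_N, window=WINDOW_SECONDS):
    """Scale sampled counters back to estimated real traffic per destination."""
    sampled = defaultdict(lambda: [0, 0, set()])
    for src, dst, pkts, octets in flows:
        entry = sampled[dst]
        entry[0] += pkts
        entry[1] += octets
        entry[2].add(src)
    report = {}
    for dst, (pkts, octets, sources) in sampled.items():
        report[dst] = {
            "sampled_packets": pkts,
            "est_pps": pkts * n / window,         # multiply by N to undo sampling
            "est_bps": octets * 8 * n / window,
            # Relative standard error of the packet estimate for random 1-in-N sampling
            "rel_error": math.sqrt((1 - 1 / n) / pkts),
            "sources_seen": len(sources),
        }
    return report

def suspected_targets(report, threshold=PPS_THRESHOLD, min_sampled=MIN_SAMPLED):
    """Destinations over the threshold with enough samples to trust the estimate."""
    return sorted(dst for dst, r in report.items()
                  if r["sampled_packets"] >= min_sampled and r["est_pps"] >= threshold)

if __name__ == "__main__":
    result = estimate_per_destination(SAMPLE_FLOWS)
    for dst, r in sorted(result.items()):
        print(f"{dst}: ~{r['est_pps']:.0f} pps, +/-{r['rel_error']:.1%}, "
              f"{r['sources_seen']} sources")
    print("suspected targets:", suspected_targets(result))
```
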
