Nbar and Netflow in a C6509 Switch

Hi,

We want to get traffic statistics from a C6509 Switch Vlan (SVI) and we are thinking about activating Netflow or Nbar.

Chassis WS-C6509-E

Supervisor  VS-S720-10G

IOS: s72033_rp-ADVENTERPRISEK9_WAN-VM), Version 12.2(33)SXI5

Line Card 1/2 : WS-X6716-10GE

Configuration:

interface Vlan80
ip address X.X.X.X Y.Y.Y.Y

interface Port-channel201
description CONEXION FIREWALL

switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5,80
switchport mode trunk
end

interface GigabitEthernet1/2/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5,80
switchport mode trunk
channel-group 201 mode on
end

interface GigabitEthernet1/2/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5,80
switchport mode trunk
channel-group 201 mode on
end

We have the following questions:

1. Is the NBAR feature supported on the C6509 platform? The command is available:

CORE-SW(config)#int vlan 76
CORE-SW(config-if)#ip nbar pro
CORE-SW(config-if)#ip nbar protocol-discovery

2. If it is supported, how can the NBAR feature impact our network performance? I have read that it is advisable NOT to use NBAR capabilities on the Catalyst 6500 because packets would be processed in software instead of hardware.

3. I have read that the NetFlow functionality processes packets in hardware on C6509 switches with the VS-S720-10G. Is that right? The traffic we want to analyse flows through a WS-X6716-10GE card. Would this traffic be processed in hardware too?

4. What could be the impact of activating NetFlow on our network performance? Do you recommend using NetFlow?

5. What NetFlow version should I use if I want the least impact on network performance?

Thank you for your replies!!

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Marcos,

Stay away from NBAR on a Sup720: the supervisor is not meant to use it in these high-end systems. It should not be supported, and if it is supported it would make the system unusable.

NBAR could be used only on sup32 systems.

NetFlow is the way to go, and yes, it is performed in hardware with no noticeable performance penalties.

1) no

2) no

3) yes

4) The real risk with a device like the C6500 with Sup720 and better is that the NetFlow cache that hosts observed IP flows can be small in comparison with the variety of flows on the physical interfaces. This is especially true for links facing the internet, and it can become more limiting depending on the flow mask settings (they decide how the NFC table is used, and some settings can fill the table very quickly).

If, in your case, you're monitoring data center traffic with a low number of very high-volume flows, you should be fine; otherwise you may face the problem described above.

Some mitigation of the NFC table exhaustion problem can be achieved by modifying some timers.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/netflow.html

and MLS aging time more specifically:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/netflow.html#wp1147986

Hope to help

Giuseppe
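The reply's point 4 (a fixed-size hardware NetFlow cache, a flow mask that decides how many entries the same traffic consumes, and aging timers that free entries) can be shown with a small simulation. The following is an added illustration, not code from the thread or from Cisco: it models a subset of the Catalyst 6500 flow masks (destination, destination-source, full) and the normal/long/fast aging behaviour of the `mls aging` commands with constructed timer values, over constructed traffic (two long-lived bulk flows plus 200 one-packet DNS queries from distinct clients). The cache size of 64 entries and all timer values are assumptions chosen to make the effect visible, not real PFC limits.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added illustration (not Cisco's implementation): a simplified model of the
# hardware NetFlow cache (the "NFC"/MLS table) on a Catalyst 6500, showing how
# the flow mask and the aging timers decide how fast the table fills.


@dataclass
class Packet:
    ts: float      # seconds since start of the (constructed) capture
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    octets: int


@dataclass
class Entry:
    first: float   # time the entry was installed
    last: float    # time of the last packet that hit it
    packets: int = 0
    octets: int = 0


def flow_key(pkt: Packet, mask: str) -> Tuple:
    """Map a packet to a cache key the way the configured flow mask would."""
    if mask == "destination":
        return (pkt.dst,)
    if mask == "destination-source":
        return (pkt.dst, pkt.src)
    if mask == "full":
        return (pkt.dst, pkt.src, pkt.proto, pkt.sport, pkt.dport)
    raise ValueError(f"unknown flow mask: {mask}")


class FlowCache:
    """Fixed-size flow table with normal, long and fast aging (timer values
    are constructed; they are not the platform defaults)."""

    def __init__(self, capacity: int, normal: float = 300, long: float = 1920,
                 fast_threshold: int = 0, fast_time: float = 0):
        self.capacity = capacity
        self.normal, self.long = normal, long
        self.fast_threshold, self.fast_time = fast_threshold, fast_time
        self.table: Dict[Tuple, Entry] = {}
        self.created = 0     # entries ever installed
        self.untracked = 0   # packets that arrived while the table was full
        self.peak = 0        # highest occupancy reached

    def age(self, now: float) -> None:
        """Evict idle entries, long-lived entries, and (fast aging) entries
        that never grew past fast_threshold packets and went idle."""
        for key, e in list(self.table.items()):
            idle, active = now - e.last, now - e.first
            fast = (self.fast_threshold and e.packets <= self.fast_threshold
                    and idle > self.fast_time)
            if idle > self.normal or active > self.long or fast:
                del self.table[key]

    def observe(self, pkt: Packet, mask: str) -> bool:
        """Account one packet; returns False if the flow could not be tracked."""
        self.age(pkt.ts)
        key = flow_key(pkt, mask)
        entry = self.table.get(key)
        if entry is None:
            if len(self.table) >= self.capacity:
                self.untracked += 1   # this flow is invisible to NetFlow
                return False
            entry = self.table[key] = Entry(first=pkt.ts, last=pkt.ts)
            self.created += 1
        entry.last = pkt.ts
        entry.packets += 1
        entry.octets += pkt.octets
        self.peak = max(self.peak, len(self.table))
        return True


def sample_traffic() -> List[Packet]:
    """Constructed traffic: two long-lived bulk flows (data-centre style) plus
    200 one-packet DNS queries from distinct clients (internet-facing style)."""
    pkts = []
    for t in range(60):   # bulk: one 1400-byte packet per second for 60 s
        pkts.append(Packet(t, "10.80.0.10", "10.5.0.20", 6, 50000, 443, 1400))
        pkts.append(Packet(t, "10.80.0.10", "10.5.0.21", 6, 50001, 443, 1400))
    for i in range(200):  # one query every 0.25 s from 192.0.2.1 .. 192.0.2.200
        pkts.append(Packet(i / 4, f"192.0.2.{i + 1}", "10.80.0.53", 17, 40000 + i, 53, 80))
    pkts.sort(key=lambda p: p.ts)   # stable sort: bulk packets stay ahead on ties
    return pkts


def run(mask: str, capacity: int = 64, **aging) -> Dict[str, int]:
    """Replay the constructed traffic through one cache configuration."""
    cache = FlowCache(capacity, **aging)
    for pkt in sample_traffic():
        cache.observe(pkt, mask)
    return {"peak": cache.peak, "created": cache.created, "untracked": cache.untracked}


if __name__ == "__main__":
    print("full mask, default aging:   ", run("full"))
    print("full mask, fast aging 5s/1: ", run("full", fast_threshold=1, fast_time=5))
    print("destination mask:           ", run("destination"))
```

With the full mask and default timers the 64-entry table fills after the first 62 short flows and the remaining 138 queries are never seen by NetFlow, which is the exhaustion the reply warns about. Fast aging (evict one-packet flows after 5 s idle) keeps the same traffic to a peak of 23 entries with nothing lost, and the destination mask collapses everything to 3 entries at the cost of per-client visibility, so the trade-off is between table occupancy and the granularity of what the collector can see.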
