12-30-2010 01:12 AM - edited 03-06-2019 02:45 PM
Hi,
We want to get traffic statistics from a C6509 Switch Vlan (SVI) and we are thinking about activating Netflow or Nbar.
Chassis WS-C6509-E
Supervisor VS-S720-10G
IOS: (s72033_rp-ADVENTERPRISEK9_WAN-VM), Version 12.2(33)SXI5
Line Card 1/2 : WS-X6716-10GE
Configuration:
interface Vlan80
 ip address X.X.X.X Y.Y.Y.Y
!
interface Port-channel201
 description CONEXION FIREWALL
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,80
 switchport mode trunk
end
!
interface GigabitEthernet1/2/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,80
 switchport mode trunk
 channel-group 201 mode on
end
!
interface GigabitEthernet1/2/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,80
 switchport mode trunk
 channel-group 201 mode on
end
We have the following questions:
1. Is the NBAR feature supported by the C6509 platform? The command is available:
CORE-SW(config)#int vlan 76
CORE-SW(config-if)#ip nbar pro
CORE-SW(config-if)#ip nbar protocol-discovery
2. If it is supported, how could the NBAR feature impact our network performance? I have read that it is advisable NOT to use NBAR capabilities on the Catalyst 6500 because packets would be processed in software instead of hardware.
3. I have read that the Netflow functionality processes packets in hardware on C6509 switches with the VS-S720-10G. Is that right? The traffic we want to analyse flows through a WS-X6716-10GE card. Would this traffic be processed in hardware too?
4. What could be the impact of activating Netflow on our network performance? Do you recommend using Netflow capabilities?
5. What Netflow version should I use if I want the least impact on network performance?
Thank you for your replies!!
12-30-2010 07:20 AM
Hello Marcos,
Stay away from NBAR on a Sup720: the supervisor is not meant to be used with it in these high-end systems; it should not be supported, and if it is supported it would make the system unusable.
NBAR could be used only on Sup32 systems.
NetFlow is the way to go, and yes, it is performed in hardware with no noticeable performance penalties.
1) no
2) no
3) yes
4) The real risk with a device like the C6500 with Sup720 and better is that the NetFlow cache that hosts observed IP flows can be small in comparison with the variety of flows on the physical interfaces. This is especially true for links facing the Internet, and it can become more limiting depending on the flow mask settings (they decide how the NFC table is used, and some settings can fill the table very quickly).
If in your case you're monitoring data center traffic with a low number of very high-volume flows, you should be fine; otherwise you may face the problem described above.
Some mitigation of the MFC table exhaustion problem can be achieved by modifying some timers;
see
and MLS aging time more specifically:
Hope to help
Giuseppe
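Added example, not part of Giuseppe's reply or of the original post: a Catalyst 6500 / Sup720 (12.2(33)SX) configuration that enables hardware NetFlow on the SVI and applies the two mitigations his answer points at, a less entry-hungry flow mask and shorter MLS aging timers, followed by the show commands used to watch the PFC NetFlow cache for exhaustion. The collector address and port, the Loopback0 export source and the timer values are placeholders chosen for illustration; tune them to your own environment.

```ios
! Added example: hardware NetFlow on a Sup720 SVI with cache-exhaustion mitigations.
! 192.0.2.10:9996, Loopback0 and the timer values are placeholders (assumptions).
!
! NetFlow in the PFC is on by default on these releases; stated here for clarity.
mls netflow
!
! Flow mask: "full" keys the cache on the whole 5-tuple and fills it fastest.
! "interface-destination-source" keeps one entry per (ingress interface, src, dst),
! which produces far fewer entries on links carrying many short-lived flows
! (Internet-facing links are the usual problem case).
mls flow ip interface-destination-source
!
! MLS aging: expire idle entries sooner (normal), purge flows that stay below a
! packet threshold quickly (fast), and cap the lifetime of long-lived entries (long).
! Defaults are 300 / off / 1920 seconds; values below are illustrative.
mls aging normal 64
mls aging fast threshold 50 time 32
mls aging long 900
!
! NetFlow Data Export (NDE) from the PFC. Version 5 is the widely supported choice;
! "ip flow-export version 9" selects v9 instead on this release if the collector needs it.
mls nde sender version 5
mls nde interface
ip flow-export source Loopback0
ip flow-export destination 192.0.2.10 9996
!
! Enable ingress NetFlow on the SVI whose traffic is to be measured.
interface Vlan80
 ip flow ingress
!
! Verification (exec mode):
!   show mls netflow ip count                  -> entries currently in the NetFlow cache
!   show mls netflow table-contention summary  -> entry-creation failures from a full/contended table
!   show mls nde                               -> NDE status, export version and flow mask in use
!   show ip flow export                        -> export packet counters toward the collector
```

Watch `show mls netflow ip count` against the PFC's capacity and `show mls netflow table-contention summary` for creation failures after enabling the feature; rising failure counters are the symptom Giuseppe describes, and the flow mask, not the export version, is the knob that changes how many entries each conversation consumes.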