Thanks Aleksandar!!, i already read that article, but i still don´t know how to estimate the amount of memory and resources that will be consumed, based on my configuration. The problem is that we have one BVI interface per client, so we could have more that 500 BVI interfaces per PE Router, and in every single one needs to have configure Netflow. That document said that will be shared among the LCs, but i don´t get clear how can i estimate that.
The main reason of this is to collect the client flows on a DDOS Arbor Platform. Base on your experience, do you have any recommended parameters values? (timers, cache entries, sampler..). Thanks!.

In case of BVI the L3 processing will be performed on the line card where the packet was received (both for ingress and egress BVI traffic). That can be a LC hosting the attachmeny circuit or the VC transport interface (in case the bridge domain extends across MPLS domain). Rate of Netflow cache collisions (and hence the need to play with timeouts) will depend on whether most non-TCP flows are of short or long duration. Then there's also the total packet rate. I'm sure you figured all this out and are asking for guidance exactly because there are so many variables in the game. Because this all depends so much on traffic pattern, I don't think anyone can give you a good theoretical answer. It's best to start with default cache size and timeout and 'safe' sampling rate (say 1/10000) and monitor.

Btw, the LC CPU will be protected by the netflow policer, so you won't easily kill the LC CPU if you configure high sampling rate. The performance impact will be on NP.

/Aleksandar

Thanks Aleksandar!! My main concern is about the memory resource. As i could see depends on what cache entrie value & type of traffic (IPv4, IPv6...) the memory i will need. As i said,  we have more than 500 BVI, and only 2 LC. I´m taking into account the following formula...

"The IPv4 cache flow record size is sizeof(flow_record_header_st) + 40 = 92 bytes. The IPv6 cache flow record size is sizeof(flow_record_header_st) + 60 = 112 bytes. The MPLS cache flow record size is 92 bytes. Based on the 1 million flow record supported, nfsvr will consume up to (112 + 92)x 1 million = 204 Mbytes of memory for the largest flow size of IPv6+MPLS."

My concern is due to a problem we had in the past, where we saw a memory alarm on a VSM card just when we had enable Netflow. 

"LC/0/3/CPU0:Aug 16 15:31:24.007 : wdsysmon[391]: %HA-HA_WD-4-MEMORY_ALARM : Memory threshold crossed: Minor with 335.608MB free"

VSM line card uses Netflow for exporting NAT translation information. Netfow that you configure on BVI interface will never be executed on VSM line card. You can refer to BRKSPG-2904 from Berlin 2017 to read about feature processing on BVI.

Btw, before 5.3.4 VSM had 4GB RAM allocated to XR VM. It was increased since to 8GB.

RAM size for -TR/-SE  Typhoon and Tomahawk line cards you can find in BRKARC-2003 slide decks from Cisco Live.

/Aleksandar

Thanks Aleksandar!. Based on your experience and best practices, is it good to have a different FM (with different parameters) per type traffic?. For example client/user interfaces (BVI) and Core/Transport interfaces?. 

Regards,

Presuming ingress netflow on access and core, full information about a single flow is obtained as a combination of info from access and core facing line card. To get results that can be compared (even though it's a sampled netflow), I would use the same FM on both.

Thanks Aleksandar!!

Presuming ingress netflow on access and core, full information about a single flow is obtained as a combination of info from access and core facing line card. To get results that can be compared (even though it's a sampled netflow), I would use the same FM on both.