Cisco 6509 NetFlow problems and recent improvements will be the main focus in this blog. Since the reporting accuracy of your NetFlow or Flexible NetFlow Analyzer could also depend on the quality of the exported data, hopefully discussing some of the major NetFlow problems with 6500 series will help us better understand how exactly reporting on these switches works. I will also take this opportunity to highlight improvements made in the sup 2T.
NetFlow table overflow: Prior to the sup2T NetFlow, the 6500(s) had an issue where in the event of excessive connection requests, NetFlow TCAM tables would become full and cause a NetFlow overflow. The likelihood of this happening in the supervisor 2T has been significantly reduced due to improved hash efficiency and NetFlow table size increase. When this happens your NetFlow Analyzer will flag the switch for missed flow sequence numbers. I found the following table on the Cisco website. As you can see, the sup 2T collection capacity is much greater than its predecessors.
Egress NetFlow: The flow observation point is crucial in NetFlow collection. Ingress is observed before any kind of traffic shaping and egress is observed after traffic shaping. All supervisors prior to the sup 2T only support ingress NetFlow. With egress support, the sup 2T provides better insight on traffic after shaping. For example, to be able to monitor DSCP markings, you would need to enable egress so that NetFlow information is captured after the final destination of the flow is known.
| Feature | Supervisor 720-10G-3C/3CXL | Supervisor 2T/2TXL |
| NetFlow Table Size |
128K/256K |
512K/1M |
|
NetFlow Hash Efficiency |
90% |
99% |
|
MaxFlow Entries |
3328M |
13M |
|
Egress NetFlow |
No |
Yes |
|
Sampled NetFlow |
Yes (software) |
Yes (hardware) |
|
Flexible NetFlow |
No |
Yes |
|
TCP Flags |
No |
Yes |
|
Yielding NDE |
No |
Yes |
|
EEM Integration |
No |
Yes |
Flexible NetFlow: I found the following on the Cisco website “The Supervisor Engine 2T introduces support for Flexible NetFlow to the Cisco Catalyst 6500 Series Switch. Flexible NetFlow provides a NetFlow architecture that can track multiple NetFlow applications simultaneously. For example, a user can create simultaneous and separate Flow Monitors for security analysis and traffic analysis. Previous generations of Supervisors for the Cisco Catalyst 6500 Series Switch were unable to provide this level of flexibility.“
Sampled NetFlow: Sampling was implemented mainly to provide a more efficient use of NetFlow tables; however, because in PFC3 based supervisors, sampling is done in software and was never as efficient as expected. The sup2T implementation does sampling in hardware which is a much more efficient implementation.
I hope you enjoyed this blog, please don’t hesitate to share your experience with Flexible NetFlow on the 6509 catalyst. We would be pleased to hear your feedback.