Cisco’s NetFlow NBAR exports don’t impact the CPU of routers. However, if you’re running a version of IOS prior to v15.1, they definitely can! A customer called in reporting network performance issues on the T-1 even though the interfaces were underutilized. When we looked at the CPU of the router, it was pretty busy. Notice below we went back to traditional NetFlow at 11AM and that seemed to fix the CPU issue. The customer then reported that performance went back to normal.

The above CPU trend is a good example of why we still need to monitor with SNMP and not just rely on NetFlow for interface monitoring. The two really complement each other.
Cisco posted a page on Network Based Application Recognition Performance Analysis.

It details how performance will be impacted by NBAR on several hardware platforms. Basically, you need to be mindful of the hardware you are enabling NetFlow NBAR on before using it for network traffic analysis.

If you’re curious, the customer had the following router:
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2) Technical Support: Copyright (c) 1986-2009 by Cisco Systems, Inc. Compiled Wed 30-Sep-09 03:50 by prod_rel_team

What can be learned?
NetFlow NBAR is not SNMP NBAR. SNMP NBAR doesn’t provide the host information most people are looking for.  Upgrade your router IOS to v15.1 and start taking advantage of deep packet inspection by enabling NetFlow NBAR.
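As an added example (not code from the original post or from Cisco), the v15.1 threshold above can be checked across an inventory of `show version` banners before NetFlow NBAR is enabled. The hostnames and every banner except the customer's 1841 are constructed, and the check covers only the IOS release, not the hardware platform.

```python
import re

# Threshold from the article: IOS releases before 15.1 can see CPU impact from NBAR export.
MIN_NBAR_EXPORT = (15, 1)

# Matches the first line of `show version`, e.g.
# "Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.0(1)M, ..."
BANNER_RE = re.compile(
    r"Cisco IOS Software, (?P<platform>\S+) Software \((?P<image>[^)]+)\), "
    r"Version (?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+[a-z]?)\)(?P<train>[A-Z]*\d*)"
)

def parse_banner(text):
    """Return platform, image and version fields, or None if no IOS banner is found."""
    m = BANNER_RE.search(text)
    if m is None:
        return None
    info = m.groupdict()
    info["release"] = (int(info["major"]), int(info["minor"]))
    info["version"] = "{major}.{minor}({maint}){train}".format(**info)
    return info

def nbar_export_check(text):
    """Classify one router: 'ok', 'upgrade-first', or 'unknown' (banner not parsed)."""
    info = parse_banner(text)
    if info is None:
        return "unknown"
    return "ok" if info["release"] >= MIN_NBAR_EXPORT else "upgrade-first"

def audit(inventory):
    """Map hostname -> (version string or None, verdict) for a dict of banners."""
    report = {}
    for host, text in inventory.items():
        info = parse_banner(text)
        report[host] = (info["version"] if info else None, nbar_export_check(text))
    return report

# Constructed inventory: first banner is the one quoted in the article, the rest are made up.
INVENTORY = {
    "branch-1841": "Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)",
    "hq-2900": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)",
    "lab-2800": "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)",
    "unknown-box": "Some other OS banner",
}

if __name__ == "__main__":
    for host, (version, verdict) in sorted(audit(INVENTORY).items()):
        print(f"{host:12} {version or '-':12} {verdict}")
```

Routers reported as `unknown` did not present a classic IOS banner and need a manual look rather than being treated as safe.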

I hope the above will help some of you.

Mike Patterson


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

