> Another question: is the netflow caching managed by hardware or by
> software? And so does netflow impact the CPU load?
Yes, netflow impacts the CPU. Many Cisco devices do netflow in software, which can cause heavy CPU loads. Netflow load varies depending on what kind of supervisor you have in the cat6500, what kinds of traffic loads are crossing the 6500, and what kinds of netflow are enabled (full flow, sampled, etc.).

In my experience, the worst case for generating high CPU loads due to netflow has been scanning attacks. Depending on the attack software, every packet can be seen as a new flow, generating high rates of netflow export.

One of my favorite test tools for lab tests is to find a copy of the old attack program called "stream.c". This program generates packets from random source addresses with random ports, causing netflow to regard each packet as a new flow. Even though this program isn't a very efficient packet generator, it can still drive Cisco CPUs to high loads for netflow processing.

I've noticed that the CPUs on Sup1as and Sup2s can be driven to very high loads (> 90%) due to heavy netflow export under scanning attacks. The Sup720, on the other hand, has a dedicated chunk of TCAM for netflow operations. This has the effect of capping the max CPU load, apparently due to the dedicated hardware effectively putting a limit on the max netflow export rate. Lab tests and real world experience show that the max CPU rates caused by netflow on the Sup720 for traffic generated by scanning attacks range around 55-60% load.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
[EMAIL PROTECTED] / 512.475.9265
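The effect described in the message above, modelled offline as an added example (not part of the original post and not flow-tools code): packets are aggregated into flows by a NetFlow-style key, and an interval is flagged when nearly every flow holds a single packet. The key fields shown, the thresholds `min_flows` and `single_ratio`, and all sample records are assumptions constructed for illustration.

```python
import random
from collections import Counter

FIELDS = ("src", "dst", "sport", "dport", "proto")

def flow_key(pkt):
    # Subset of the classic flow key: addresses, ports, protocol.
    return tuple(pkt[f] for f in FIELDS)

def cache_stats(packets):
    """Aggregate packets into flows; return (packets, flows, single-packet flows)."""
    flows = Counter(flow_key(p) for p in packets)
    singles = sum(1 for n in flows.values() if n == 1)
    return len(packets), len(flows), singles

def looks_like_flow_storm(packets, min_flows=500, single_ratio=0.9):
    """Flag an interval where almost every flow record carries one packet.

    Thresholds are illustrative assumptions, not vendor guidance.
    """
    _, flows, singles = cache_stats(packets)
    return flows >= min_flows and singles / flows >= single_ratio

def normal_interval(rng, n=2000):
    # Constructed sample: 20 long-lived conversations, many packets each.
    convs = [(f"10.0.0.{i}", "192.0.2.10", 40000 + i, 443, 6) for i in range(20)]
    return [dict(zip(FIELDS, rng.choice(convs))) for _ in range(n)]

def random_source_interval(rng, n=2000):
    # Constructed sample: random source address and ports on every record,
    # the traffic shape the message says makes each packet a new flow.
    def addr():
        return ".".join(str(rng.randrange(1, 255)) for _ in range(4))
    return [{"src": addr(), "dst": "192.0.2.10",
             "sport": rng.randrange(1024, 65536),
             "dport": rng.randrange(1, 65536), "proto": 6} for _ in range(n)]

if __name__ == "__main__":
    rng = random.Random(1)
    for name, gen in (("normal", normal_interval),
                      ("random-source", random_source_interval)):
        pkts = gen(rng)
        print(name, cache_stats(pkts), looks_like_flow_storm(pkts))
```

The same packet count yields at most 20 flow records in the first interval and close to one record per packet in the second, which is the export-rate difference that loads the CPU on software netflow platforms.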
