Cisco 7600 (7609) as a core BGP router.

Richard A Steenbergen ras at
Sat Jul 18 19:00:02 UTC 2009

On Sat, Jul 18, 2009 at 03:05:32AM -0700, Darren Bolding wrote:
> Can someone provide a link, or more detail, on the netflow issues.
> Particularly as they relate to 6509's and sup720's.

The long and short of it is the current hardware (EARL7) is incapable of
doing sampling (i.e. looking at 1 out of every Nth packets). It gathers
all of the flow data into tcam and THEN does sampling in software, but
by that point it's already too late because the tcam is exhausted.
Turning on sampling actually makes it worse, because it forces a
flowmask which fills the tcam even faster.

In my experience, even with extremely aggressive aging and a dest only
flowmask (discarding all src and L4 port information to make it fit
better), it tops out at around 2Gbps of "generic wholesale IP" traffic
you can sample. Obviously when it runs out of steam is dependent on the
number of flows in your network, you could be much better or much worse
depending on your traffic, but the point is it usually doesn't work for
most people. Adding DFC daughterboards makes this capacity scale 
linearly, i.e. you go from 2Gbps system-wide capacity to 2Gbps per slot 
capacity, but this typically doesn't make any difference.

The only recent improvement is that in SXH+ and SRB+ software you can 
now enable netflow on a per-interface basis rather than a global basis 
(before this, all traffic was sampled globally regardless of what you 
configured on the interfaces). This can let you exclude interfaces you 
don't care about (such as core links) and use your limited resources only 
on interfaces you do care about (such as edge links).

Until they come out with the EARL8 SUPs (what have they pushed that back 
to now, 2011? :P) you are basically SOL in the netflow dept.

Richard A Steenbergen <ras at>
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
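
A toy model of the flow-table behaviour described in the message above, added here as an illustration and not part of the original post or any Cisco code. The table size, sampling rate and traffic mix are constructed assumptions, not EARL7 figures; it compares sampling after the table has been filled with sampling before a packet reaches the table, under a full and a dest-only flowmask.

```python
from itertools import product

TABLE_SIZE = 1000  # assumed capacity for the toy model, not a real EARL7 figure
SAMPLE_N = 100     # assumed 1-in-N sampling rate

def constructed_packets(rounds=3):
    """Constructed traffic: 50 srcs x 40 dsts x 4 ports = 8000 flows, sent `rounds` times."""
    for _ in range(rounds):
        for s, d, p in product(range(50), range(40), range(4)):
            yield (f"10.0.{s}.1", f"192.0.2.{d}", 1024 + p)

FLOWMASKS = {
    "full": lambda pkt: pkt,          # key on src, dst and L4 port
    "dest-only": lambda pkt: pkt[1],  # key on dst only
}

def simulate(flowmask, sample_at):
    """sample_at='export': every packet hits the table, sampling happens afterwards.
    sample_at='ingress': only 1 in SAMPLE_N packets is ever looked at."""
    key = FLOWMASKS[flowmask]
    table, missed = set(), 0
    for i, pkt in enumerate(constructed_packets()):
        if sample_at == "ingress" and i % SAMPLE_N:
            continue  # packet skipped before it can consume a table entry
        k = key(pkt)
        if k in table:
            continue  # existing flow entry, counters would be updated
        if len(table) >= TABLE_SIZE:
            missed += 1  # no free entry: this packet goes unaccounted
            continue
        table.add(k)
    return {"entries": len(table), "missed_packets": missed}

if __name__ == "__main__":
    for mask in FLOWMASKS:
        for where in ("export", "ingress"):
            print(f"{mask:9} sample_at={where:7} {simulate(mask, where)}")
```

In this model the full flowmask with after-the-fact sampling fills the table and loses most packets no matter what rate is configured, while sampling at ingress or collapsing to a dest-only key keeps the same traffic well inside the table.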
