I need to find a way to analyse DoS attacks and see where traffic is coming from and going to, or vice versa. We run Cat 6500s, so I need something that will not kill the CPU of the machine, which may already be stressed.
Depending on the volume of traffic, one thing that can be done is to use the SPAN feature to set up a monitoring port for the interface(s) over which the 6500 receives Internet traffic.
Connect a PC with Ethereal installed and run a capture. Then use the analysis report that shows connection endpoints.
You could also look at enabling NETFLOW accounting, which will show source and destination IP addresses and port numbers.
I believe NETFLOW now supports sampling, so you can control how much data it collects and thus control the associated overhead (probably requires a PFC).
Please post show version and show module for the 6500 switch facing the Internet.
For packets forwarded by the PFC-2 and PFC-3, Netflow statistics are *collected* "in hardware", so enabling Netflow (even without sampling) won't have a negative impact on forwarding performance.
However, table maintenance, i.e. aging out old entries, and possibly exporting them when NDE (Netflow export) is enabled, does use CPU cycles. That is particularly noticeable when there is a high number of flows, as is seen during aggressive port scanning or some kinds of DoS.
PFC (MLS) Netflow table maintenance is mostly done by the Switch Processor on the Supervisor, not by the Route Processor (MSFC). NDE (Netflow export from the PFC) used to load the MSFC somewhat, but since 12.2SXE (I think), NDE is done entirely by the Switch Processor.
There is an upper limit on the amount of maintenance work for MLS Netflow, because the table is "walked" at a fixed rate (~32K entries every second, I think). Therefore I don't think you need to be worried that a flow-heavy DoS may bring your box down. I think there may be small issues for things like reading interface counters when the Switch Processor is heavily loaded, but everything else should work just fine.
Because the PFC/MLS Netflow table has a fixed size (128K entries on the PFC-2/PFC-3, 256K on the PFC-3BXL), and aging out old entries is done on a fixed schedule, the hardware Netflow table will run full when there are too many flows. This just means that some packets cannot be accounted for in Netflow.
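To show what the NETFLOW accounting suggested earlier in the thread actually hands you once NDE is enabled, here is an added example in Python. It is not code from this thread or from Cisco: it decodes NetFlow v5 datagrams (the classic 24-byte header plus 48-byte records), scales packet and byte counts by the sampling interval carried in the header, and ranks endpoints so a flood of many sources toward one destination stands out. The export version (v5), the sample datagram and every address in it are assumptions constructed for the example.

```python
"""Decode NetFlow v5 export datagrams and summarise endpoints.

Added example, not from the forum thread and not Cisco code. Assumes the
exporter sends NetFlow v5; the datagram below is constructed inline so the
script runs offline without a switch or a collector socket.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes


def parse_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 datagram into a list of flow dicts.

    Packet and byte counts are multiplied by the sampling interval (low 14
    bits of the header field; 0 means unsampled) so sampled exports are
    scaled back up to an estimate of the real traffic.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _etype, _eid, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    interval = (sampling & 0x3FFF) or 1
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nh, _in, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _sas, _das,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "tcp_flags": flags,
            "packets": pkts * interval, "bytes": octets * interval,
        })
    return flows


def summarise(flows: list, top: int = 5) -> dict:
    """Rank sources, destinations and destination services by flow count.

    A flood shows up as one destination (and one service) fed by a large
    number of distinct sources, usually with tiny per-flow byte counts.
    """
    by_src, by_dst, by_svc, bytes_to = Counter(), Counter(), Counter(), Counter()
    for f in flows:
        by_src[f["src"]] += 1
        by_dst[f["dst"]] += 1
        by_svc[(f["dst"], f["dport"], f["proto"])] += 1
        bytes_to[f["dst"]] += f["bytes"]
    return {
        "flows": len(flows),
        "distinct_sources": len(by_src),
        "top_sources": by_src.most_common(top),
        "top_destinations": by_dst.most_common(top),
        "top_services": by_svc.most_common(top),
        "bytes_by_destination": bytes_to.most_common(top),
    }


def _record(src, dst, sport, dport, proto, pkts, octets, flags):
    """Pack one constructed v5 record (next hop, ifindexes, AS numbers dummy)."""
    return V5_RECORD.pack(
        IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
        1, 2, pkts, octets, 1000, 1000, sport, dport,
        0, flags, proto, 0, 0, 0, 24, 24, 0)


def build_sample_datagram() -> bytes:
    """Constructed sample: 20 sources each sending one SYN-only flow to
    198.51.100.10:80 (documentation addresses), plus two ordinary HTTPS
    flows to another host. Header claims a 1-in-64 sampling interval."""
    records = [_record(f"203.0.113.{i}", "198.51.100.10", 40000 + i, 80, 6, 1, 60, 0x02)
               for i in range(1, 21)]
    records.append(_record("192.0.2.5", "198.51.100.20", 51000, 443, 6, 40, 30000, 0x18))
    records.append(_record("192.0.2.6", "198.51.100.20", 51001, 443, 6, 10, 8000, 0x18))
    header = V5_HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 64)
    return header + b"".join(records)


if __name__ == "__main__":
    for key, value in summarise(parse_v5(build_sample_datagram())).items():
        print(f"{key}: {value}")
```

To use it against a real exporter, bind a UDP socket to the port you configured as the NDE destination and feed each received datagram to parse_v5. The distinct-source and flows-per-service counts are the figures worth watching during an attack; bear in mind that when the hardware table runs full, as described above, some flows are simply never exported, so these numbers become a floor rather than a total.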
We actually had to upgrade all our MSFC2 boxes to SUP720s because NDE caused the CPUs to spike to 100%. There was no impact on traffic being switched, but core routers running at 100% is never a good thing!