I need to find a way to analyse DoS attacks and see where traffic is coming from and going to, or vice versa. We run Cat 6500s, so I need something that will not kill the CPU of the machine, which may already be stressed.
For packets forwarded by the PFC-2 and PFC-3, Netflow statistics are *collected* "in hardware", so enabling Netflow (even without sampling) won't have a negative impact on forwarding performance.
However, table maintenance, i.e. aging out old entries, and possibly exporting them when NDE (Netflow export) is enabled, does use CPU cycles. That is particularly noticeable when there is a high number of flows, as is seen during aggressive port scanning or some kinds of DoS.
PFC (MLS) Netflow table maintenance is mostly done by the Switch Processor on the Supervisor, not by the Route Processor (MSFC). NDE (Netflow export from the PFC) used to load the MSFC somewhat, but since 12.2SXE or so (I think), NDE is done entirely by the Switch Processor.
There is an upper limit on the amount of maintenance work for MLS Netflow, because the table is "walked" at a fixed rate (~32K entries every second, I think). Therefore I don't think you need to be worried that a flow-heavy DoS may bring your box down. I think there may be small issues for things like reading interface counters when the Switch Processor is heavily loaded, but everything else should work just fine.
Because the PFC/MLS Netflow table has a fixed size (128K entries on the PFC-2/PFC-3, 256K on the PFC-3BXL), and aging out old entries is done on a fixed schedule, the hardware Netflow table will run full when there are too many flows. This just means that some packets cannot be accounted for in Netflow.
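Once NDE is exporting, the analysis the question asks for (who is sending to whom) happens on the collector, not on the 6500. The following is an added example, not code from this thread or from Cisco: a minimal parser for NetFlow v5 export datagrams (v5 is assumed here as the export format; the header/record layout is the public v5 format) plus an aggregation that ranks destinations by the number of distinct sources and flows rather than by bytes. That matters for the flow-heavy DoS the answer above describes: a SYN flood of single-packet flows can be invisible in a byte-ranked top-talker list. The sample datagram is constructed inline (spoofed sources in 198.51.100.0/24 hitting 203.0.113.10:80, plus two ordinary flows); the `build_v5_datagram` helper exists only to fabricate that test input.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 flow record (48 bytes): srcaddr, dstaddr, nexthop, input, output,
# dPkts, dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
# src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram: bytes) -> list[dict]:
    """Decode one NetFlow v5 export datagram into a list of flow dicts.
    Rejects non-v5 and truncated datagrams instead of silently mis-parsing."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_rest = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError(f"truncated datagram: {len(datagram)} < {expected} bytes")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "octets": octets, "tcp_flags": tcp_flags,
        })
    return flows


def summarise(flows: list[dict]) -> dict:
    """Per destination: total packets, flow count, distinct sources, busiest dport."""
    per_dst: dict = {}
    for f in flows:
        d = per_dst.setdefault(f["dst"], {"packets": 0, "flows": 0,
                                          "sources": set(), "dports": Counter()})
        d["packets"] += f["packets"]
        d["flows"] += 1
        d["sources"].add(f["src"])
        d["dports"][f["dport"]] += 1
    return {
        dst: {"packets": v["packets"], "flows": v["flows"],
              "distinct_sources": len(v["sources"]),
              "top_dport": v["dports"].most_common(1)[0][0]}
        for dst, v in per_dst.items()
    }


def top_destinations(flows: list[dict], n: int = 3) -> list[tuple]:
    """Rank destinations by distinct sources (flow-heavy DoS shows up here
    even when its byte volume is small)."""
    return sorted(summarise(flows).items(),
                  key=lambda kv: kv[1]["distinct_sources"], reverse=True)[:n]


def build_v5_datagram(records: list[tuple]) -> bytes:
    """Constructed test input only: pack (src, dst, sport, dport, proto,
    tcp_flags, packets, octets) tuples into a v5 datagram."""
    header = V5_HEADER.pack(5, len(records), 1000, 1_700_000_000, 0, 1, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                       IPv4Address("0.0.0.0").packed, 1, 2, pkts, octets,
                       900, 1000, sport, dport, 0, flags, proto, 0,
                       0, 0, 24, 24, 0)
        for (src, dst, sport, dport, proto, flags, pkts, octets) in records
    )
    return header + body


# Constructed sample: 20 spoofed one-packet SYN flows (flags 0x02) to
# 203.0.113.10:80, one legitimate session to the same host, and one larger
# session to another host that wins any byte-based ranking.
SAMPLE_RECORDS = [
    (f"198.51.100.{i}", "203.0.113.10", 40000 + i, 80, 6, 0x02, 1, 40)
    for i in range(1, 21)
] + [
    ("192.0.2.6", "203.0.113.10", 51234, 80, 6, 0x18, 30, 20000),
    ("192.0.2.5", "203.0.113.20", 51235, 443, 6, 0x18, 120, 90000),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_RECORDS)

if __name__ == "__main__":
    for dst, stats in top_destinations(parse_v5(SAMPLE_DATAGRAM)):
        print(dst, stats)
```

On the sample input, 203.0.113.20 carries more than twice the packets and bytes, but 203.0.113.10 ranks first with 21 distinct sources and 21 flows, almost all single-packet SYNs to port 80; that is the signature of the "high number of flows" case described above, and the same ranking exposes scans when you swap destination for source.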
We actually had to upgrade all our MSFC2 boxes to SUP720s because NDE caused the CPUs to spike to 100%. There was no impact to traffic being switched, but core routers running at 100% is never a good thing!