I have a pair of Cisco 6509 routers, which are monitored via SNMP (with Observium, to be accurate).
Today we spotted a peak of CPU usage for a Switching Processor. The peak can be correlated with a peak of inbound unicast on a port named "NDE_vlan1014" (and "NDE_vlan1014" on the other router).
I understand from Google that NDE refers to Netflow, but I can find nowhere an explanation of what is actually graphed for that interface. It is visible only via SNMP (not in a sh ip int br) and I have no vlan 1016 nor 1014.
I don't see any peak in my netflow analyzer (as-stats) either…
So the question is: what is this "NDE_vlan" interface?
Best Answer
NDE_vlan is one of the Catalyst 6500's hidden vlans. The 6500 allocates internal vlans for a lot of different functions, and those vlans can't be used for real user data after the 6500 snarfs it.
If you want to see the internal vlans, use show vlan internal usage ... my particular 6500 doesn't run netflow export, but you can see it on your switch with that command.
When the 6500 exports flows to a collector, it uses the DFCs or the MSFC CPU to send the packets. If you're seeing CPU spikes due to netflow export, you either should:
Informational: Sampled netflow
Typically the syntax for sampled netflow on the 6500 is mls sampling time-based 64; this samples one out of every 64 packets. The values for sampled netflow are limited...
However, if you sample your netflow, obviously you might miss some packets you care about, so it's really a judgment call as to whether it can solve your problem. It all depends on why you're using netflow. For security monitoring, you can't really afford to drop packets (thus netflow on a busy 6500 is the wrong answer). If you're graphing application utilization, sampled netflow could be a useful tool (assuming you adjust your graphs for the sampling interval).
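The answer's last point, adjusting graphs for the sampling interval, shown as an added example that is not part of the original answer: a collector-side sketch that scales per-source byte counts from one export datagram. It assumes NetFlow v5 export and that the exporter may leave the header's sampling field at zero, in which case a configured rate is used; the function names and the sample datagram are constructed for illustration.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 layout: 24-byte header, then `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def scaled_octets_by_source(datagram, configured_rate=1):
    """Return {source IP: estimated octets}, scaled by the sampling rate."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram")
    # Top 2 bits of the field are the sampling mode, low 14 bits the interval.
    interval = sampling & 0x3FFF
    # Assumption: an exporter that leaves the field at 0 is still sampling at
    # the rate configured on the switch, so the operator supplies that rate.
    rate = interval if interval else configured_rate
    totals = Counter()
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        totals[socket.inet_ntoa(rec[0])] += rec[6] * rate  # rec[6] is dOctets
    return dict(totals)

def build_sample(sampling_field):
    """Constructed datagram: two flows from documentation addresses."""
    flows = [("192.0.2.10", 1500), ("192.0.2.20", 400)]
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, sampling_field)
    dst = socket.inet_aton("198.51.100.1")
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), dst, b"\0" * 4,
                       0, 0, 1, octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for src, octets in flows
    )
    return header + body

if __name__ == "__main__":
    # Mode bits 01 plus an interval of 64, matching the 1-in-64 rate above.
    print(scaled_octets_by_source(build_sample((1 << 14) | 64)))
```

The scaled totals are estimates: a flow whose packets were never sampled does not appear in the export at all, which is why the answer rules sampling out for security monitoring.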