Netflow: Table usage HIGH

schimeha1977
Level 1

Hi!

I enabled Netflow on one of our C7613 to monitor traffic on VLAN 7 (about 1 Gbit throughput).

What I did is the following:

mls netflow usage notify 80 120
mls flow ip interface-full
mls nde sender version 5
ip flow-cache timeout inactive 30
ip flow-cache timeout active 5
ip flow-export source Vlan210
ip flow-export version 5 origin-as
ip flow-export destination xxx.xxx.xxx.xxx 9999
interface vlan 7
 ip route-cache flow

I enabled it ONLY on Vlan 7 ...

The output of "show ip cache flow" is the following:

===========================================================

sh ip cache flow

-------------------------------------------------------------------------------

MSFC:

IP packet size distribution (168696 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.000 .000 .999 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes

2 active, 65534 inactive, 193 added

21492 ager polls, 0 flow alloc failures

Active flows timeout in 5 minutes

Inactive flows timeout in 30 seconds

IP Sub Flow Cache, 270664 bytes

3 active, 16381 inactive, 305 added, 193 added to flow

0 alloc failures, 0 force free

1 chunk, 0 chunks added

last clearing of statistics 02:25:05

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

UDP-other 120 0.0 1411 74 19.4 140.1 20.1

ICMP 73 0.0 1 93 0.0 0.0 30.5

Total: 193 0.0 877 74 19.4 87.1 24.0

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Vl7 172.16.7.149 Local 172.16.7.60 11 0404 00A1 599

Vl7 172.16.7.61 Null 224.0.0.9 11 0208 0208 6

-------------------------------------------------------------------------------

PFC:

Displaying Hardware entries in Module 7

SrcIf SrcIPaddress DstIPaddress Pr SrcP DstP Pkts

Vl5 77.116.196.187 77.116.68.135 tcp 2035 445 0

Vl7 77.117.33.13 86.56.255.149 tcp 1837 6882 0

Vl5 77.117.33.13 86.56.255.149 tcp 1837 6882 526

Vl7 77.116.122.3 74.125.8.92 tcp 1883 www 0

Vl7 192.168.74.19 77.116.183.66 tcp 445 20928 1

Vl7 77.116.253.77 194.204.68.222 tcp 3024 www 0

Vl6 77.117.80.137 198.63.210.216 tcp 2478 www 106

Vl5 77.116.169.244 209.47.169.163 tcp 3440 www 4

Vl7 77.117.80.137 198.63.210.216 tcp 2478 www 0

etc....

==================================================================================

Also, ATM interfaces and other VLAN interfaces are shown there, but I enabled it only on VLAN 7...

AND...

==================================================

Table usage is very high...

sh mls netflow usage

Netflow table usage notification enabled at 80% every 120 seconds

Netflow table utilization of module 7 is 76%

==================================================

Could you please help me and tell me why there are other VLAN interfaces in the "show ip cache flow" output...

and Table usage is so high - it has already been at 99%...

thx

hans

2 Replies

Jan Nejman
Level 3

Hello,

If you enable mls, then netflow is globally enabled on all interfaces. "ip route-cache flow" only enables netflow accounting on L3 interfaces. mls accounts L2 and cannot be enabled on a single interface.

I recommend you decrease the active and inactive timeouts (i.e. inactive to 10-15 sec, active to 1-2 minutes). It can slightly reduce utilization of the TCAM table.

Jan

Caligare, Co.

http://www.caligare.com/
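To see how the hardware NetFlow table is shared between interfaces, the PFC section of "show ip cache flow" can be tallied per source interface and compared with the interfaces that were meant to be monitored. The following Python is an added example, not code from any poster in this thread; the function names are hypothetical and the sample text is constructed in the format of the output shown above, using documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample (documentation-range addresses) in the format of the
# "show ip cache flow" PFC section and "show mls netflow usage" output above.
SAMPLE = """\
PFC:
Displaying Hardware entries in Module 7
 SrcIf   SrcIPaddress  DstIPaddress    Pr   SrcP  DstP  Pkts
 Vl5     192.0.2.187   198.51.100.135  tcp  2035  445   0
 Vl7     192.0.2.13    203.0.113.149   tcp  1837  6882  0
 Vl5     192.0.2.13    203.0.113.149   tcp  1837  6882  526
 Vl6     192.0.2.137   198.51.100.216  tcp  2478  www   106
 Vl7     172.16.7.61   224.0.0.9       udp  rip   rip   27
 --      0.0.0.0       0.0.0.0         0    0     0     1439107
Netflow table usage notification enabled at 80% every 120 seconds
Netflow table utilization of module 7 is 76%
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ENTRY = re.compile(rf"^\s*(\S+)\s+({IP})\s+({IP})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
NOTIFY = re.compile(r"notification enabled at (\d+)% every \d+ seconds")
USAGE = re.compile(r"utilization of module (\d+) is (\d+)%")
FIELDS = ("src_if", "src", "dst", "proto", "sport", "dport", "pkts")

def parse_pfc_entries(text):
    """Return one dict per hardware flow entry listed after the 'PFC:' marker."""
    in_pfc, entries = False, []
    for line in text.splitlines():
        if line.strip() == "PFC:":
            in_pfc = True          # MSFC (software) rows before this are skipped
            continue
        m = ENTRY.match(line) if in_pfc else None
        if m:
            entry = dict(zip(FIELDS, m.groups()))
            entry["pkts"] = int(entry["pkts"])
            entries.append(entry)
    return entries

def unexpected_interfaces(entries, monitored):
    """Source interfaces holding table entries that were not meant to be monitored."""
    # A '--' row carries no interface name, so it is not reported as one.
    return sorted({e["src_if"] for e in entries} - set(monitored) - {"--"})

def usage_status(text):
    """Map module number -> (utilization %, True if at or above the notify threshold)."""
    m = NOTIFY.search(text)
    limit = int(m.group(1)) if m else None
    return {int(mod): (int(pct), limit is not None and int(pct) >= limit)
            for mod, pct in USAGE.findall(text)}
```

`Counter(e["src_if"] for e in parse_pfc_entries(text))` gives the per-interface entry count, which shows which interfaces are consuming the table.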

Hi!

Are you sure? I did this:

ip flow-cache entries 150000
ip flow-cache timeout inactive 10
ip flow-cache timeout active 2
mls ip multicast flow-stat-timer 9
mls netflow usage notify 80 300
no mls flow ip
no mls flow ipv6
ip flow-export source vlanxx
ip flow-export version 5
ip flow-export destination xxx.xxx.xxx.xxx 9999

But then the entries disappeared completely:

#sh ip cache flow

-------------------------------------------------------------------------------

MSFC:

IP packet size distribution (916353 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.000 .000 .999 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 10124876 bytes

2 active, 149998 inactive, 929 added

111947 ager polls, 0 flow alloc failures

Active flows timeout in 2 minutes

Inactive flows timeout in 10 seconds

IP Sub Flow Cache, 619078 bytes

3 active, 37497 inactive, 1560 added, 929 added to flow

0 alloc failures, 0 force free

1 chunk, 2 chunks added

last clearing of statistics 13:16:17

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

TCP-WWW 3 0.0 1 960 0.0 0.0 30.8

TCP-other 12 0.0 1 606 0.0 0.0 30.8

UDP-other 514 0.0 1785 74 19.2 176.3 16.5

ICMP 401 0.0 1 93 0.0 0.0 30.2

Total: 930 0.0 987 74 19.2 97.4 22.7

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Vl7 172.16.7.149 Local 172.16.7.60 11 0404 00A1 928

Vl7 172.16.7.61 Null 224.0.0.9 11 0208 0208 1

-------------------------------------------------------------------------------

PFC:

Displaying Hardware entries in Module 7

SrcIf SrcIPaddress DstIPaddress Pr SrcP DstP Pkts

Vl7 172.16.7.52 224.0.0.2 udp 1985 1985 279

Vl7 172.16.7.51 224.0.0.2 udp 1985 1985 253

-- 0.0.0.0 0.0.0.0 0 0 0 1439107

Vl7 172.16.7.61 224.0.0.2 udp 1985 1985 277

Vl7 172.16.7.61 224.0.0.9 udp rip rip 27
