FLOWMASK_CONFLICT

Unanswered Question
Dec 28th, 2009
User Badges:

mls flow ip full


police flow mask src 1000000 conform-action transmit exceed-action drop


i have also disable the NDE and ip flow-export.


I got the "FLOWMASK_CONFLICT: Features configured on interface " errors




however, when i used:


mls flow ip full


police flow 1000000 conform-action transmit exceed-action drop




without specified the mask, i get no error and the microflow working. Is there any issue with this?




http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd803e5017.html does not seem to work




Any advice and thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Reza Sharifi Mon, 12/28/2009 - 09:18
User Badges:
  • Super Bronze, 10000 points or more
  • Cisco Designated VIP,

    2017 LAN

Hi,


Have a look at this document for more info on flow mask conflict



Sampled NetFlow requires the dest-source-interface flow mask (PFC2) or full-interface flow mask (PFC2 and PFC3). This may cause conflict with other flow-based features on the same interface


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/netflow.html#wp1132875


HTH

Reza

happy12345 Mon, 12/28/2009 - 09:53
User Badges:

Thanks for the reply.


I am using VS-S720-10G running 12.2(33)SXH5 and running "mls flow ip interface-full" :


R1#show run | in flow
ip flow-cache timeout active 5
ip flow ingress layer2-switched vlan 10
mls netflow interface
mls flow ip interface-full


R1#show policy-map


  Policy Map CiscoUBRL
    Class outward_traffic
      police flow mask src-only 1000000 30000 conform-action transmit  exceed-action drop


R1#show class-map outward_traffic
Class Map match-all outward_traffic (id 1)
   Match access-group  10


Router#show ip access-lists 10
Standard IP access list 10
    10 permit 192.168.10.0, wildcard bits 0.0.0.255


interface Vlan10
ip vrf forwarding TEST
ip address 192.168.10.254 255.255.255.0
  ip flow ingress
ip flow egress
mls qos bridged
service-policy input CiscoUBRL


Get the followng errors:


%FM-4-FLOWMASK_REDUCED: Features configured on interface Vlan10 have conflicting flowmask requirements, some features may work in software



Please advise and thanks

Reza Sharifi Mon, 12/28/2009 - 10:11
User Badges:
  • Super Bronze, 10000 points or more
  • Cisco Designated VIP,

    2017 LAN

Here is the error message and the workaround:


Error Message   %FM-4-FLOWMASK_REDUCED: Features configured on interface [chars] have conflicting flowmask requirements, some features may work in software 

Explanation   The configured features for this interface have a flow mask conflict. The traffic on this interface and the interfaces sharing the TCAM label with this interface will be sent to the software.

Recommended Action   Redefine and reapply or unconfigure one or more features to avoid the conflict.


https://www.cisco.com/en/US/docs/ios/12_2sx/system/messages/sm2sx04.html#wp1020288


HTH

Reza

happy12345 Mon, 12/28/2009 - 10:20
User Badges:

I am aware of this error but still could not figure out what cause it. Based on the earlier code snippet, can advise why is the flow mask conflicting?

Giuseppe Larosa Tue, 12/29/2009 - 02:01
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello,


the possible conflicting commands are:


ip flow ingress
ip flow egress
mls qos bridged
service-policy input CiscoUBRL


try to to start without any command under SVI vlan10, then add one per time until the error appears again.


in this way you can find what command is causing the message.


Hope to help

Giuseppe

happy12345 Tue, 12/29/2009 - 04:00
User Badges:

The command that cause the issue is the service policy input ciscoUBRL


This caused problem (with the mask src-only) : police flow mask src-only 1000000 conform-action transmit  exceed-action drop

This work (without the mask src-only):  police flow 1000000 conform-action transmit  exceed-action drop


Understand NDE and QoS cannot be apply to the same interface, I have also disable the nde (PFC and MSFC using):


For PFC to disable the NDE

no ip flow export layer2-switched vlan 10


show mls nde
Netflow Data Export is Disabled


Netflow Aggregation Disabled


For MSFC to disable the NDE

no ip flow-export source
no ip flow-export version 5



If without the mask src-only, for traffic that matched under the access-list 10 be consider as one single microflow.


Appreciate any help

Actions

This Discussion