FLOWMASK_CONFLICT

Unanswered Question
Dec 28th, 2009

mls flow ip full

police flow mask src 1000000 conform-action transmit exceed-action drop

i have also disable the NDE and ip flow-export.

I got the "FLOWMASK_CONFLICT: Features configured on interface " errors

however, when i used:

mls flow ip full

police flow 1000000 conform-action transmit exceed-action drop

without specified the mask, i get no error and the microflow working. Is there any issue with this?

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd803e5017.html does not seem to work

Any advice and thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Reza Sharifi Mon, 12/28/2009 - 09:18

Hi,

Have a look at this document for more info on flow mask conflict

Sampled NetFlow requires the dest-source-interface flow mask (PFC2) or full-interface flow mask (PFC2 and PFC3). This may cause conflict with other flow-based features on the same interface

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/netflow.html#wp1132875

HTH

Reza

happy12345 Mon, 12/28/2009 - 09:53

Thanks for the reply.

I am using VS-S720-10G running 12.2(33)SXH5 and running "mls flow ip interface-full" :

R1#show run | in flow
ip flow-cache timeout active 5
ip flow ingress layer2-switched vlan 10
mls netflow interface
mls flow ip interface-full

R1#show policy-map

  Policy Map CiscoUBRL
    Class outward_traffic
      police flow mask src-only 1000000 30000 conform-action transmit  exceed-action drop

R1#show class-map outward_traffic
Class Map match-all outward_traffic (id 1)
   Match access-group  10

Router#show ip access-lists 10
Standard IP access list 10
    10 permit 192.168.10.0, wildcard bits 0.0.0.255

interface Vlan10
ip vrf forwarding TEST
ip address 192.168.10.254 255.255.255.0
  ip flow ingress
ip flow egress
mls qos bridged
service-policy input CiscoUBRL

Get the followng errors:

%FM-4-FLOWMASK_REDUCED: Features configured on interface Vlan10 have conflicting flowmask requirements, some features may work in software

Please advise and thanks

Reza Sharifi Mon, 12/28/2009 - 10:11

Here is the error message and the workaround:

Error Message   %FM-4-FLOWMASK_REDUCED: Features configured on interface [chars] have conflicting flowmask requirements, some features may work in software 

Explanation   The configured features for this interface have a flow mask conflict. The traffic on this interface and the interfaces sharing the TCAM label with this interface will be sent to the software.

Recommended Action   Redefine and reapply or unconfigure one or more features to avoid the conflict.

https://www.cisco.com/en/US/docs/ios/12_2sx/system/messages/sm2sx04.html#wp1020288

HTH

Reza

happy12345 Mon, 12/28/2009 - 10:20

I am aware of this error but still could not figure out what cause it. Based on the earlier code snippet, can advise why is the flow mask conflicting?

Giuseppe Larosa Tue, 12/29/2009 - 02:01

Hello,

the possible conflicting commands are:

ip flow ingress
ip flow egress
mls qos bridged
service-policy input CiscoUBRL

try to to start without any command under SVI vlan10, then add one per time until the error appears again.

in this way you can find what command is causing the message.

Hope to help

Giuseppe

happy12345 Tue, 12/29/2009 - 04:00

The command that cause the issue is the service policy input ciscoUBRL

This caused problem (with the mask src-only) : police flow mask src-only 1000000 conform-action transmit  exceed-action drop

This work (without the mask src-only):  police flow 1000000 conform-action transmit  exceed-action drop

Understand NDE and QoS cannot be apply to the same interface, I have also disable the nde (PFC and MSFC using):

For PFC to disable the NDE

no ip flow export layer2-switched vlan 10

show mls nde
Netflow Data Export is Disabled

Netflow Aggregation Disabled

For MSFC to disable the NDE

no ip flow-export source
no ip flow-export version 5

If without the mask src-only, for traffic that matched under the access-list 10 be consider as one single microflow.

Appreciate any help

Actions

This Discussion