Accepted Solutions
Hello Zoltan,
>> Does anyone know what would cause this kind of issues?
traffic variety can cause this. the Netflow TCAM table is of limited size so in an attempt to track multiple flows for netflow accounting purposes the table fills and there was an impact.
I see DFC2 in the messages, so my guess is that your C6500 uses a supervisor2, MSFC2, PFC2 combination.
the Netflow TCAM size for sup2/MSFC2 + PFC2 is reported here:
An explanation of MLS timers for netflow table is here:
To keep the NetFlow table size below the recommended utilization, enable the following parameters when using the mls aging command:
•
normal—Configures an inactivity timer. If no packets are received on a flow within the duration of the timer, the flow entry is deleted from the table.
•fast aging—Configures an efficient process to age out entries created for flows that only switch a few packets, and then are never used again. The fast aging parameter uses the time keyword value to check if at least the threshold keyword value of packets have been switched for each flow. If a flow has not switched the threshold number of packets during the time interval, then the entry is aged out.
•long—Configures entries for deletion that have been active for the specified value even if the entry is still in use. Long aging is used to prevent counter wraparound, which can cause inaccurate statistics.
The suggestion for tuning is the following:
If you need to enable MLS fast aging time, initially set the value to 128 seconds. If the size of the NetFlow table continues to grow over the recommended utilization, decrease the setting until the table size stays below the recommended utilization. If the table continues to grow over the recommended utilization, decrease the normal MLS aging time.
You can only attempt to prevent the filling of the table and the price to pay is less accuracy in netflow accounting.
By using aggressive timers you can "miss" some flows because they last for a short time or they are not formed by enough packets in a given time window as explained above, so they are removed from the table and so they are not exported to netflow collector.
There is a feature called NDE flow filter but it influences only what flows are exported to NFC not what is in the netflow TCAM table.
see
It is a trade off between accuracy and scalability / stability of device.
Other users have reported similar issues,may be without an impact on traffic forwarding.
Where is placed the C6500 in a service provider POP, in an internet exchange point?
It is not traffic volume that counts but how many IP flows classified per your NDE mask are seen.
So another point to investigate is what flow mask you are using now, a more detailed definition of flows generated more entries in the table.
see
This is probably first aspect to check. As other users have reported there are cases where different flow masks would be required by different features.
Hope to help
Giuseppe
Hello Zoltan,
you have provided a lot of details.
You have PFC3B sup720 and this is good news.
Note that the use of the most detailed flowmask
mls flow ip interface-full
is going to create more entries in the table.
Le'ts make an example: if we define an IP flow only using IP SA and IP DA any conversation between two given hosts is classified as a single flow in the table.
If we define a flow using more details for example adding upper layer protocol and ports we have a line for telnet, one line for web access and so on.
so depending on what features are on the device a flow mask like
destination-source—A more-specific flow mask. The PFC maintains one entry for each source and destination IP address pair. Statistics for all flows between the same source IP address and destination IP address aggregate into this entry.
can be of help in containing size of netflow TCAM table.
you are currently using the most specific flowmask
full—A more-specific flow mask. The PFC creates and maintains a separate table entry for each IP flow. A full entry includes the source IP address, destination IP address, protocol, and protocol ports.
•full-interface—The most-specific flow mask. Adds the source VLAN SNMP ifIndex to the information in the full-flow mask.
Check table 50-1 and analyze configuration of your device. IF possible moving to flow mask destination-source can be of help.
or also to full instead of full-interface.
Hope to help
Giuseppe
