Cisco Support Community
Cat6k MSFC1/PFC1 and MLS flows

I have a Catalyst 6509 (dual Supervisor), running CatOS 6.1(4), and the supervisors are fitted with MSFC1/PFC1 daughtercards, running IOS 12.1(7a).

I can create an extended access-list (containing Layer 4 information) and apply it to a VLAN interface and (contrary to some documentation) the flow-mask on the MLS-SE remains set at the default "destination-ip" flow, rather than "full-flow". Consequently, with a "destination-ip" flow-mask in place, I have observed that packets can bypass the extended ACL on the MSFC because a flow exists in the MLS cache which matches the packet's destination IP address, the flow entry having been created earlier by a packet which matched the ACL.

The documentation suggests that when extended access-lists are in use, the MLS-RP instructs the MLS-SE to change to "full-flow" mode so that Layer 4 information is included in the MLS cache entries. When the Supervisor is set manually to "full-flow", the access-list operates as expected.

With "full-flow" currently enabled on our Supervisors in our production environment, to ensure that ACLs applied to MSFC VLAN interfaces are correctly enforced, we are running with ~24k flows. The documentation suggests that this figure should be kept under 32k flows. However, as traffic increases this figure is likely to exceed 32k. At this point, I understand that the packets will be routed by the MSFC (rather than hardware switched by the PFC hardware). Is this likely to be an issue and is there anything which can be done about it? The MSFCs are currently very lightly loaded.
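A small model of the bypass described in the post, added here as an illustration (it is not code from the original thread or from Cisco): packets are keyed into a simulated MLS cache under each flow mask, and the MSFC extended ACL is consulted only on a cache miss. The ACL, addresses and ports are made up.

```python
from dataclasses import dataclass

# Packet 5-tuple (constructed values; not taken from the original post)
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

# Flow-mask modes named in the post; each maps a packet to its MLS cache key.
# "destination-ip" ignores everything except the destination address, so every
# packet to the same host shares one cache entry regardless of Layer 4 port.
FLOW_MASKS = {
    "destination-ip": lambda p: (p.dst,),
    "full-flow": lambda p: (p.src, p.dst, p.proto, p.sport, p.dport),
}

# Hypothetical extended ACL on the MSFC VLAN interface:
# permit only TCP/80 to the server 10.1.1.10, implicit deny for everything else
def msfc_extended_acl(p: Packet) -> bool:
    return p.proto == "tcp" and p.dst == "10.1.1.10" and p.dport == 80

class MlsSwitchEngine:
    """Toy model of the PFC (MLS-SE) flow cache in front of the MSFC (MLS-RP)."""
    def __init__(self, flow_mask: str):
        self.key_of = FLOW_MASKS[flow_mask]
        self.cache = set()

    def forward(self, p: Packet) -> str:
        key = self.key_of(p)
        if key in self.cache:
            # Cache hit: hardware-switched by the PFC, the MSFC ACL is never consulted
            return "hw-switched"
        # Cache miss: the packet is routed by the MSFC, which applies the ACL
        if msfc_extended_acl(p):
            self.cache.add(key)  # MSFC completes the flow, PFC installs the entry
            return "msfc-permit"
        return "msfc-deny"       # denied packets never create a cache entry

def run_scenario(flow_mask: str) -> list:
    """First an ACL-permitted HTTP packet, then a telnet packet to the same host."""
    se = MlsSwitchEngine(flow_mask)
    http = Packet("10.2.2.5", "10.1.1.10", "tcp", 40000, 80)    # matches the ACL
    telnet = Packet("10.2.2.5", "10.1.1.10", "tcp", 40001, 23)  # should be denied
    return [se.forward(http), se.forward(telnet)]
```

Under "destination-ip" the telnet packet hits the entry left by the HTTP packet and is hardware-switched past the ACL; under "full-flow" it misses the cache and the MSFC denies it.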

2 REPLIES

Re: Cat6k MSFC1/PFC1 and MLS flows

To keep the number of MLS cache entries below 32,000, decrease the aging time up to 8 seconds. If your switch has a lot of short flows used by only a few packets, then you can use fast aging.

If cache entries continue to exceed 32,000, decrease the normal aging time in 64-second increments from the 256-second default.


Re: Cat6k MSFC1/PFC1 and MLS flows

Can you give me the URL which describes 6509 MLS? I can't find it on TAC.

Thanks!

Henry
