[c-nsp] Netflow TCAM Full affects exporting ?

Simon Leinen simon at limmat.switch.ch
Wed Dec 7 11:16:10 EST 2005


Kim Onnel writes:
> Hello,
> I'm getting the below in my log continuously,

Continuously is not good.

> Dec  7 15:01:00.194 CAI: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM
> threshold exceeded, TCAM Utilization [99%]

> I understand that my netflow data is more than WS-SUP720-BASE tcam
> can take,

A PFC3BXL upgrade should help, because it has twice as much Netflow
table space.

> my question is: will that affect what I'm exporting, meaning: is
> everything exported or just what's in the TCAM ?

No, what doesn't make it into the Netflow table cannot be exported as
flows.  To see how many packets you miss, you can use

(snapshot)
    swiCE2#sh mls netflow table-contention detailed 
    Earl in Module 5
    Detailed Netflow CAM (TCAM and ICAM) Utilization
    ================================================
    TCAM Utilization             :   40% 
    ICAM Utilization             :   3% 
    Netflow TCAM count           :   106717 
    Netflow ICAM count           :   4 
    Netflow Creation Failures    :   0 
    Netflow CAM aliases          :   0 

(cumulative)
    swiCE2#sh mls netflow table-contention aggregate 
    Earl in Module 5
    Aggregate Netflow CAM Contention Information
    =============================================
    Netflow Creation Failures    :   204670918 
    Netflow Hash Aliases         :   1207 
    
"Netflow Creation Failures" counts the packets that couldn't be
counted because they would have created a new flow, but there was no
space for that new flow in the hardware flow table.  The total of
204670918 should be related to 102788122843 packets that the box has
switched: 0.19% of all packets could not be counted in Netflow.

Note that the output is from a Sup720-3BXL.  Before we upgraded to
-3BXL, we had significantly more misses.  The box switches about
180kpps and 1-2 Gb/s of traffic.

There's also an SNMP MIB which allows you to monitor this
(CISCO-SWITCH-ENGINE-MIB I think).

> Another question: do you guys trust your netflow data (bytes
> transferred) and pkts,... over SNMP ?

Both, mostly.

> Last question: between my 7609 that I'm exporting from and the
> server is an E3, apart from that it's utilizing 7 MB of the E3 just
> for netflow data, am I advised to move the server on the same LAN as
> the 7609 for performance improvement ?

That sounds like a good idea, especially because the exported Netflow
traffic can be quite bursty (burst every 1 second), and this will
cause transient queueing on the E3.

Regards,
-- 
Simon.
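
An added example, not part of the original message: Python that parses the two `sh mls netflow table-contention` outputs quoted above and relates "Netflow Creation Failures" to packets switched, the way the reply does, so the visibility gap in exported flows can be tracked over time. The function names, the 90% warning threshold and the inline sample text (constructed from the output in the post) are assumptions.

```python
import re

# Constructed sample input, copied from the command output quoted in the post.
SNAPSHOT = """\
Earl in Module 5
Detailed Netflow CAM (TCAM and ICAM) Utilization
================================================
TCAM Utilization             :   40%
ICAM Utilization             :   3%
Netflow TCAM count           :   106717
Netflow ICAM count           :   4
Netflow Creation Failures    :   0
Netflow CAM aliases          :   0
"""
AGGREGATE = """\
Earl in Module 5
Aggregate Netflow CAM Contention Information
=============================================
Netflow Creation Failures    :   204670918
Netflow Hash Aliases         :   1207
"""

# "Name : 123" or "Name : 40%"; banner and separator lines do not match.
FIELD = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>\d+)\s*%?\s*$")
MODULE = re.compile(r"^\s*Earl in Module (\d+)\s*$")

def parse_contention(text):
    """Return {module number: {field name: int}} for one command output."""
    modules, current = {}, None
    for line in text.splitlines():
        m, f = MODULE.match(line), FIELD.match(line)
        if m:
            current = modules.setdefault(int(m.group(1)), {})
        elif f and current is not None:
            current[f.group("name")] = int(f.group("value"))
    return modules

def check(snapshot, aggregate, packets_switched, tcam_warn_pct=90):
    """Per-module TCAM utilization and share of packets missed by Netflow.
    tcam_warn_pct is an assumed alert threshold, not a Cisco default."""
    if packets_switched <= 0:
        raise ValueError("packets_switched must be positive")
    snap, agg, out = parse_contention(snapshot), parse_contention(aggregate), {}
    for mod in sorted(set(snap) | set(agg)):
        util = snap.get(mod, {}).get("TCAM Utilization")
        fails = agg.get(mod, {}).get("Netflow Creation Failures", 0)
        out[mod] = {"tcam_pct": util,
                    "tcam_warn": util is not None and util >= tcam_warn_pct,
                    "miss_pct": round(100 * fails / packets_switched, 3)}
    return out
```

Calling `check(SNAPSHOT, AGGREGATE, 102788122843)` with the packet total from the post reports the miss percentage for module 5; the packet total has to be collected separately, since neither command prints it.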


