[nsp] Cat6509 MSFC1 interface stats.

James Kilton kilton9 at yahoo.com
Wed Dec 18 19:07:22 EST 2002


Hello.

Does the PFC always do most of the switching, or is
this only when MLS is enabled?  I ask because the MSFC
is using CEF, and MLS is disabled.

#sh ip cef sum
IP Distributed CEF with switching (Table Version 2979), flags=0x0
  182 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 12
  185 leaves, 47 nodes, 71080 bytes, 2981 inserts, 2796 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 73C70EA9
  2 CEF resets, 1 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 2s)
  1 in-place/0 aborted modifications
  refcounts:  6134 leaf, 5836 node
Adjacency Table has 119 adjacencies

What's strange to me though, is that as per this
document
(http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a0080092389.shtml),
CEF isn't supported on the SUP1A, which is what we're
using.  Yet the above output seems to indicate
otherwise, and a "show ip int vlan 101" shows that "IP
CEF switching is enabled".  Was CEF made possible on
SUP1A by an IOS release after the above article was
written?  

In any case... If the layer 3 interface counters don't
reflect packets that are CEF switched, then perhaps
the numbers I'm getting make sense.  Anyone know if
this is the case?


--- Dmitry Safronov <dumone@zenon.net> wrote:
> Hello James,
> 
> Most of the switching is done on the PFC card, so the
> better way is to get real counters from the Ethernet
> interface to which you have connected the firewall.
> 
> 
> Wednesday, December 18, 2002, 5:18:43 AM, you wrote:
> 
> JK> I see the counters, but they don't all represent
> JK> reality.  In the example given below, the majority of
> JK> the traffic should be inbound, but the opposite is
> JK> true when looking at VLAN 101's counters:
> 
> JK> #sh int vlan101
> JK> Vlan101 is up, line protocol is up
> JK>   Hardware is Cat6k RP Virtual Ethernet, address is 0030.9633.1ca4 (bia 0030.9633.1ca4)
> JK>   Internet address is x.x.x.x/29
> JK>   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
> JK>      reliability 255/255, txload 1/255, rxload 1/255
> JK>   Encapsulation ARPA, loopback not set
> JK>   ARP type: ARPA, ARP Timeout 04:00:00
> JK>   Last input 00:00:00, output never, output hang never
> JK>   Last clearing of "show interface" counters never
> JK>   Input queue: 0/75/0/6 (size/max/drops/flushes); Total output drops: 0
> JK>   Queueing strategy: fifo
> JK>   Output queue :0/40 (size/max)
> JK>   5 minute input rate 0 bits/sec, 0 packets/sec
> JK>   5 minute output rate 7000 bits/sec, 8 packets/sec
> JK>      10713367 packets input, 697925445 bytes, 0 no buffer
> JK>      Received 10178576 broadcasts, 0 runts, 0 giants, 0 throttles
> JK>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
> JK>      263725465 packets output, 4248369389 bytes, 0 underruns
> JK>      0 output errors, 1 interface resets
> JK>      0 output buffer failures, 0 output buffers swapped out
> 
> JK> Note how much higher the output counters are, and that
> JK> almost all input packets are broadcasts (which makes
> JK> even less sense because there shouldn't be any
> JK> broadcasts on that segment, unless these are HSRP
> JK> packets (the switch has dual MSFCs).
> 
> JK> The firewall is indeed using the switch as the next
> JK> hop towards the internal network.
> 
> JK> Jim:
> 
> JK> sh int vlan101 should give you in/out counters no
> JK> matter.. If you are not seeing any information then
> JK> there is something wrong w/where you are looking. Is
> JK> the fw using that address as a next-hop?
> 
> ==DMT>>
> 
> JK> - ----SIGNATURE-------
> JK> Douglas M. Todd, Jr.
> JK> Network Engineering
> JK> Partners Health Care
> JK> Building 149
> JK> 149 13 Street
> JK> Charlestown, MA 02129-200
> JK> Tel: 617.726.1403
> JK> Email: dtodd@partners.org
> 
> >> -----Original Message-----
> >> From: cisco-nsp-bounces@puck.nether.net
> >> [mailto:cisco-nsp-bounces@puck.nether.net]On Behalf Of James Kilton
> >> Sent: Monday, December 16, 2002 9:01 PM
> >> To: cisco-nsp@puck.nether.net
> >> Subject: [nsp] Cat6509 MSFC1 interface stats.
> >> 
> >> 
> >> I'm trying to collect traffic statistics for some VLAN interfaces on a
> >> C6509.  A lot of the numbers I'm getting seem to be inaccurate.  For
> >> example, there's one interface (VLAN 101) that only has a firewall
> >> connected to it -- it's the corporate firewall that
> >> all employee internet traffic goes through.  When I do
> >> a 'show int vlan 101', there's a good deal of output
> >> traffic, but virtually no input traffic. This is
> >> counter-intuitive, as most internet traffic should be
> >> inbound.
> >> 
> >> Is there anything that could cause these counters to
> >> be inaccurate, other than a buggy IOS release?  I'm
> >> using CEF on the MSFC, not MLS, so I'm at a loss here.
> >> 
> >> Thanks.
> >> 
> 
> 
> -- 
> With best regards,
> ________________________________________
> Dmitry Safronov
> Zenon N.S.P.
> Tel. +7(095) 956-4035, +7(812) 326-4468
> Fax. +7(095) 251-5702
> 
> 

