[nsp] Netflow questions - flow expiry

Ian Cox icox at cisco.com
Tue Aug 19 07:57:17 EDT 2003

At 12:07 PM 8/14/2003 -0700, Steve Francis wrote:
>So I just noticed that I am vastly exceeding the 32K suggested number of 
>MLS entries on a Cat6K with Sup2/PFC2/MSFC2.
>This gives rise to a few questions:
>Per the docs:
>Flow entries in the MLS cache expire and are flushed from the MLS cache 
>when one of the following conditions occurs:
>- The transport protocol indicates that the connection is completed.
>- Traffic inactivity exceeds 15 seconds.
>Given I have mls flow ip destination-source, this means that the router is 
>not looking at the transport protocol, so it seems the first statement 
>does not apply. Can anyone confirm that with a flow mask of FULL, the mls 
>netflow entry is purged once the TCP FIN flags go by?
>Otherwise I guess I get to play with the aging timers...

The hardware netflow table does not use the TCP flags as a basis to age 
flows. Inactivity time and/or number of packets in a particular interval 
(fast aging) are used. Turning on fast aging on the system is the best option. 
If you have not already done so, change the normal aging down to 32 seconds; 
that is the minimum value.

>Also, what is the effect of exceeding the 32K limit? "If the number of MLS 
>entries exceeds 32K, only adjacency statistics might be available for some 
>flows." What does that mean?

The netflow table is comprised of 8 pages of 16k entries each. A hash 
function is used to place entries into the table, and the flow mask 
determines what bits in the IP header and/or TCP/UDP header are used as 
input into the hash function. The table is 128k entries in total; with 
normal traffic there is a 99.99% probability that 32k entries will fit into 
the table for Sup1A and Sup2. (Sup720 uses a different algorithm that is much 
more effective and can achieve 90k.)

Exceeding 32k entries on Sup1A or Sup2 just means there is a higher 
probability that a flow will not fit into the hardware table. You can check 
the number of packets for which statistics are not being recorded, in images 
higher than 12.1(13)E8 or 12.1(19)E1, via:
   remote command switch show earl statis | inc NF_FULL
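As an added illustration, not part of the thread, here is a small Python model of the table geometry described above: 128k entries as 8 pages of 16k rows, one row index per flow with one candidate slot per page, so a flow that finds all 8 slots taken is not recorded (the NF_FULL case). The hash function (blake2b) and the fields each flow mask feeds into it are assumptions; the PFC's real hash is not given here. The model also shows how the flow mask changes occupancy for the same constructed traffic and how unrecorded flows climb once the table is pushed well past 32k.

```python
import hashlib
import random

# Table geometry quoted in the reply: 8 pages of 16k entries = 128k entries.
PAGES = 8
PAGE_ENTRIES = 16 * 1024

def flow_key(pkt, mask):
    """Header fields the flow mask feeds into the hash (assumed mapping per mask)."""
    if mask == "destination":
        return (pkt["dst"],)
    if mask == "destination-source":
        return (pkt["dst"], pkt["src"])
    if mask == "full":
        return (pkt["dst"], pkt["src"], pkt["proto"], pkt["sport"], pkt["dport"])
    raise ValueError("unknown flow mask: %s" % mask)

def bucket(key):
    """Hash the key to a row index; blake2b stands in for the undocumented PFC hash."""
    digest = hashlib.blake2b(repr(key).encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big") % PAGE_ENTRIES

class NetflowTable:
    """A row index has one slot per page, so each flow has 8 candidate slots."""
    def __init__(self):
        self.pages = [{} for _ in range(PAGES)]   # row -> key, one dict per page
        self.nf_full = 0                           # flows that found no free slot

    def insert(self, key):
        row = bucket(key)
        for page in self.pages:
            if page.get(row) == key:      # flow already installed
                return True
            if row not in page:           # free slot on this page
                page[row] = key
                return True
        self.nf_full += 1                 # all 8 slots taken: stats not recorded
        return False

def simulate(n_packets, mask, n_servers=64, seed=7):
    """Constructed traffic: random clients hitting n_servers web servers.
    Returns (installed entries, flows that did not fit)."""
    rng = random.Random(seed)
    table = NetflowTable()
    for _ in range(n_packets):
        pkt = {"src": rng.getrandbits(32), "dst": rng.randrange(n_servers),
               "proto": 6, "sport": rng.randrange(1024, 65536), "dport": 80}
        table.insert(flow_key(pkt, mask))
    return sum(len(p) for p in table.pages), table.nf_full
```

Compare `simulate(n, "full")` for n of 8192, 32768 and 98304: the second value stays at zero at modest loads and grows quickly as the 16k rows fill, while `simulate(n, "destination")` never exceeds 64 entries for the same packets.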


>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>archive at http://puck.nether.net/pipermail/cisco-nsp/
