[nsp] Netflow questions - flow expiry

Ian Cox icox at cisco.com
Wed Aug 20 06:21:27 EDT 2003

At 09:40 AM 8/19/2003 -0700, Steve Francis wrote:
>Thanks, that was a very helpful answer.
>So the documentation is just totally incorrect when it says that the MLS 
>entry will be flushed when "The transport protocol indicates that the 
>connection is completed", or is that just omitting that it only applies to 
>flow entries to the router itself?

The hardware table entries are aged based on timers expiring. The result of 
the search of the table returns all packets that have not seen any packets 
in a particular time interval or have not seen more than X packets in a 
time interval. It also returns flows with the rst/fin bit set. Sorry for 
the confusion below.

Technically the flow is not flushed when the system sees the fin/rst bit 
for a flow in the hardware netflow table. The flow gets removed when the 
aging timer expires, and the next search is performed.


>Ian Cox wrote:
>>At 12:07 PM 8/14/2003 -0700, Steve Francis wrote:
>>>So I just noticed that I am vastly exceeding the 32K suggested number of 
>>>MLS entries on a Cat6K with Sup2/PFC2/MSFC2.
>>>This gives rise to a few questions:
>>>Per the docs:
>>>Flow entries in the MLS cache expire and are flushed from the MLS cache 
>>>when one of the following conditions occurs:
>>>- The transport protocol indicates that the connection is completed.
>>>- Traffic inactivity exceeds 15 seconds.
>>>Given I have mls flow ip destination-source, this means that the router 
>>>is not looking at the transport protocol, so it seems the first 
>>>statement does not apply. Can anyone confirm that with a flow mask of 
>>>FULL, the mls netflow entry is purged once the TCP FIN flags go by?
>>>Otherwise I guess I get to play with the aging timers...
>>The hardware netflow table does not use the tcp flags as a basis to age 
>>flows. Inactivity time and/or number of packets in a particular interval 
>>(fast aging) are used. Turning on fast aging on the system is the best 
>>option. If you have not already done so, change the normal aging down to 32 
>>seconds; that is the minimum value.
>>>Also, what is the effect of exceeding the 32K limit? "If the number of 
>>>MLS entries exceeds 32K, only adjacency statistics might be available 
>>>for some flows." What does that mean?
>>The netflow table is comprised of 8 pages of 16k entries each. A hash 
>>function is used to place entries into the table and the flow mask 
>>determines what bits in the IP header / and/or TCP/UDP header are used as 
>>input into the hash function. The table is 128k entries in total, with a 
>>99.99% probability with normal traffic 32k entries will fit into the 
>>table for Sup1A, Sup2. (Sup720 uses a different algorithm that is much 
>>more effective and can achieve 90k).
>>Exceeding 32k entries on Sup1A, Sup2 just means there is a higher 
>>probability a flow will not fit into the hardware table. You can check 
>>the number of packets that statistics are not being recorded for in 
>>images higher than 12.1(13)E8 or 12.1(19)E1 via:
>>   remote command switch show earl statis | inc NF_FULL
>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
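The thread describes the PFC2 hardware NetFlow table as 8 pages of 16k entries filled by a hash of the flow-mask fields, aged purely by timers (normal inactivity aging plus optional fast aging on low-packet-count flows), with TCP FIN/RST playing no part. The following is an added simulation, not code from the thread or from Cisco, that models those statements: each of the 8 pages is treated as one way of a 16k-set hash table (an assumption about how the pages relate to the hash), SHA-1 stands in for the unknown hardware hash, and fast aging is modelled as "fewer than N packets within T seconds of creation". The fill experiment shows why a 128k-slot table only holds about 32k flows reliably: at that load a randomly hashed flow almost never finds all 8 pages of its set taken, while at 128k flows roughly one in seven cannot be placed and would show up as NF_FULL-style uncounted packets.

```python
"""Simplified model of the Catalyst 6500 hardware NetFlow table as described in
this thread (added example, not Cisco code): an 8-way hash table of 16k sets,
timer-driven aging (normal and fast), and TCP flags playing no role in aging."""
import hashlib
import random
import struct

PAGES = 8          # "8 pages of 16k entries each": one candidate slot per page (assumed 8-way)
SETS = 16 * 1024


class NetflowTable:
    def __init__(self, pages=PAGES, sets=SETS):
        self.pages = pages
        self.sets = sets
        self.buckets = [{} for _ in range(sets)]   # set index -> {flow key: entry}
        self.nf_full = 0                            # flows dropped because every page was taken

    def _index(self, key):
        # The real flow mask selects which header fields feed the hash; here the
        # full 5-tuple (flow mask FULL) is hashed with SHA-1 as a stand-in.
        digest = hashlib.sha1(struct.pack("!IIBHH", *key)).digest()
        return int.from_bytes(digest[:4], "big") % self.sets

    def observe(self, key, now, fin=False):
        """Account one packet of `key` at time `now`. `fin` is accepted only to
        show it has no effect: per the thread, RST/FIN do not flush an entry."""
        bucket = self.buckets[self._index(key)]
        entry = bucket.get(key)
        if entry is None:
            if len(bucket) >= self.pages:
                self.nf_full += 1          # statistics for this flow are lost (NF_FULL)
                return False
            entry = bucket[key] = {"created": now, "last": now, "pkts": 0}
        entry["last"] = now
        entry["pkts"] += 1
        return True

    def age(self, now, normal=32, fast_time=None, fast_threshold=None):
        """Timer-driven sweep: drop entries idle for `normal` seconds and, if fast
        aging is configured, entries that have not exceeded `fast_threshold`
        packets within `fast_time` seconds of creation. Returns flows removed."""
        removed = 0
        for bucket in self.buckets:
            for key in list(bucket):
                e = bucket[key]
                idle = now - e["last"] >= normal
                fast = (fast_time is not None
                        and now - e["created"] >= fast_time
                        and e["pkts"] <= fast_threshold)
                if idle or fast:
                    del bucket[key]
                    removed += 1
        return removed

    def size(self):
        return sum(len(b) for b in self.buckets)


def random_flow(rng):
    # Constructed 5-tuple: src, dst, proto, sport, dport
    return (rng.getrandbits(32), rng.getrandbits(32), 6,
            rng.randrange(1024, 65536), rng.choice([80, 443, 25, 53]))


def fill_failure_rate(n_flows, pages=PAGES, sets=SETS, seed=1):
    """Fraction of `n_flows` distinct random flows that find all pages of their
    set occupied. Illustrates why a 128k-slot table is only 'safe' to ~32k."""
    rng = random.Random(seed)
    table = NetflowTable(pages, sets)
    for _ in range(n_flows):
        table.observe(random_flow(rng), now=0)
    return table.nf_full / n_flows


if __name__ == "__main__":
    for n in (32 * 1024, 64 * 1024, 128 * 1024):
        print(f"{n:>7} flows: {fill_failure_rate(n):.4%} could not be placed")
```

The aging model also reproduces the point Ian makes twice: observing a FIN updates the entry's counters like any other packet, and the entry disappears only when the next timer sweep finds it idle (normal aging) or below the fast-aging packet threshold. Real PFC2 page-to-set mapping and the exact fast-aging semantics are not stated in the thread, so treat the numbers as illustrative of the hashing argument, not as a prediction for a specific chassis.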
