[c-nsp] 6500 Sup2 Flow sampling differences between 12.1E1 & SXF train

Phil Bedard philxor at gmail.com
Thu Dec 14 10:27:59 EST 2006 

When we upgraded some time ago to the SXF train of software we  
noticed the number of reported flows using
sampling on our 6500/7600 SUP2s dropped off.

Doing some testing in the last couple days there is definitely a  
difference in what gets exported between
the two versions when using sampling.

We are using packet sampling, 1/512 packets, 8 second export  
interval.   My understanding from the docs is
that when using packet sampling, on export time each flow is divided  
by the packet rate (512 in our case)
and the number of bytes in the flow is also divided by that  
amount.    Every 8 seconds the MLS netflow cache is purged.

On the SXF train software, when a flow does not record 512 packets  
within 8 seconds, no flow data is exported for
that flow.  If I turn up the packet rate and go above 512 packets/8  
seconds, I get exported data of 1 packet and
the average packet size for that flow.   To me, this is the expected  
behaviour given the docs.

With the 12.1(22)E1 software running, it exports the flows that  
generate more than 512 packets/8 seconds regularly
as it should.   The thing is, it exports some flows that do not meet  
that criteria as well, but not all the time...

As an example I have a test running that generated 13 flows to  
various UDP ports.  Two of the flows generate packets
at a rate >512 packets/8 seconds.   This is the flow export data from  
SXF:

1214.09:54:41.571 1214.09:54:49.562 50    207.69.169.135  49738 0      
192.168.253.1   10001 17  0  1          144
1214.09:54:41.571 1214.09:54:49.562 50    207.69.169.135  49738 0      
192.168.253.1   10002 17  0  1          143

The other 11 flows do not get exported, I assume because EG: 400/512  
is going to be <1 and it gets dropped.

On the 12.1E version this is what I see:

1214.10:11:10.015 1214.10:11:17.984 50    207.69.169.135  65363 0      
192.168.253.1   10012 17  0  1          128
1214.10:11:10.015 1214.10:11:17.984 50    207.69.169.135  65363 0      
192.168.253.1   10008 17  0  1          128
1214.10:11:10.015 1214.10:11:17.984 50    207.69.169.135  65363 0      
192.168.253.1   10010 17  0  1          128
1214.10:11:10.015 1214.10:11:17.984 50    207.69.169.135  65363 0      
192.168.253.1   10004 17  0  1          528
1214.10:11:10.015 1214.10:11:17.984 50    207.69.169.135  65363 0      
192.168.253.1   10006 17  0  1          128
1214.10:11:09.990 1214.10:11:17.980 50    207.69.169.135  65363 0      
192.168.253.1   10001 17  0  2          144
1214.10:11:10.015 1214.10:11:17.984 50    207.69.169.135  65363 0      
192.168.253.1   10003 17  0  1          528
1214.10:11:09.990 1214.10:11:17.980 50    207.69.169.135  65363 0      
192.168.253.1   10002 17  0  2          144

The 10001/10002 (UDP ports) get reported every 8 seconds like they  
should, but also report 2 packets... However, at almost random  
intervals (16/24), etc. some of the other flows get exported as well.

Did some math change between the versions that is making this  
happen?   It seems almost as if there is an if statement that got  
changed that
rounds up in some instances so that packets get counted...

Phil

More information about the cisco-nsp mailing list