[c-nsp] Flowmask Config?

Jeff Fitzwater jfitz at Princeton.EDU
Tue Dec 11 10:06:28 EST 2007


I forgot to mention that in looking into other options I found doc
that states that 6500 IOS 12.2(33)SXH supports per interface NDE.
What that means is if you are running an older version, then the command
"MLS NETFLOW" enables all interfaces by default at Layer 2 globally.
The L3 command (ip flow ingress, which supersedes the command
ip route-cache flow) is only needed to get the L3 netflows that are not
hardware switched, but in version (33) you can disable individual
interfaces that may have another QOS function enabled; that way you
get the NDE for everything except that interface.  I have tested it
here and it does work.  I don't know all the other gotchas with
12.2(33)SXH.


Jeff Fitzwater


On Dec 11, 2007, at 9:16 AM, Skeeve Stevens wrote:

> Damn that is harsh... hmmm.... I will look into other options for
> this minor issue then... dammit.
>
> Thanx Jeff.
>
> ...Skeeve
>
> -----Original Message-----
> From: Jeff Fitzwater [mailto:jfitz at Princeton.EDU]
> Sent: Tuesday, 11 December 2007 2:34 AM
> To: skeeve at skeeve.org
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Flowmask Config?
>
> I knew someone else out there would see this problem.
>
>     Skeeve the problem is that you can't run QOS and NDE
> concurrently.  Both NDE and QOS use the same TCAM hardware and
> therefore you can't have two different FLOWMASKS.  This rule applies to
> any QOS feature like UBRL (User Based Rate Limiting) which uses
> microflows.   Only one or the other will function correctly.
>     We have the same problem here because we have been using UBRL and
> now want to use NDE.  We have 720-3Bs which support multiple
> flowmasks, but they have only allocated two for the netflow TCAM and
> those two appear to be an exclusive function, where you can have two
> for UBRL (like SRC and DST masks) or NDE (interface-full), not both.
>
>     I hate to say it but if you look hard enough the doc states that QOS
> and NDE don't work together.
>
>     Both are very important features and should work.   Princeton U. has
> been in touch with CISCO, but there seems to be no solution.
>
> Jeff Fitzwater
> OIT Network & Telecommunications Systems
> Princeton University
>
>
> On Dec 10, 2007, at 9:24 AM, Skeeve Stevens wrote:
>
>>
>> Hey guys,
>>
>> I am trying to set up NAT for a few machines on a private network which
>> enters a 7609 on an Ethernet interface.
>> When I put the NAT commands, this error appears in the logs, and the NAT
>> does not work.
>>
>> Can someone point me in the right direction to figure out what is
>> going on?
>>
>> .Skeeve
>>
>> ===
>> Error Message
>> %FM_EARL7-4-MLS_FLOWMASK_CONFLICT : mls flowmask may not be honored on
>> interface [chars] due to flowmask conflict
>> Explanation    The configured MLS flow mask conflicts with other
>> features/QoS configuration. The traffic on this interface will be sent to
>> software under this condition. NetFlow data export may not function
>> correctly for this interface under this condition.
>> Recommended Action    Remove the conflicting configuration and
>> re-configure the MLS flowmask
>>
>>
>>
>> --
>> Skeeve Stevens, RHCE
>> skeeve at skeeve.org / www.skeeve.org
>> Cell +61 (0)414 753 383 / skype://skeeve
>>
>> eintellego - skeeve at eintellego.net - www.eintellego.net
>> --
>> I'm a groove licked love child king of the verse
>> Si vis pacem, para bellum
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
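
An added example, not part of the original thread: a Python script that scans collected syslog for the %FM_EARL7-4-MLS_FLOWMASK_CONFLICT message quoted above and lists the interfaces where NetFlow data export may be incomplete. The collector line layout, the hostnames and interface names in the sample, and the `monitored` inventory are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Message text as quoted in the thread; the interface name fills "[chars]".
CONFLICT_RE = re.compile(
    r"%FM_EARL7-4-MLS_FLOWMASK_CONFLICT\s*:\s*mls flowmask may not be honored\s+"
    r"on\s+interface\s+(?P<ifname>\S+)\s+due to flowmask conflict"
)
# Assumed collector line layout (constructed): "Mon DD HH:MM:SS host ...".
HOST_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s")

def flowmask_conflicts(lines):
    """Return {host: {interface: count}} for every flowmask-conflict event."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = CONFLICT_RE.search(line)
        if not m:
            continue
        ifname = m.group("ifname")
        if ifname == "[chars]":  # documentation template, not a real event
            continue
        h = HOST_RE.match(line)
        hits[h.group("host") if h else "unknown"][ifname] += 1
    return {host: dict(ifs) for host, ifs in hits.items()}

def netflow_blind_spots(conflicts, monitored):
    """Interfaces relied on for NetFlow that logged a conflict.

    monitored: {host: set of interface names}, a hypothetical inventory.
    """
    return sorted(
        (host, ifname)
        for host, ifs in conflicts.items()
        for ifname in ifs
        if ifname in monitored.get(host, set())
    )

# Constructed sample lines; hostnames and interfaces are made up.
SAMPLE = [
    "Dec 10 09:20:11 core-7609 412: %FM_EARL7-4-MLS_FLOWMASK_CONFLICT: mls flowmask may not be honored on interface Vlan210 due to flowmask conflict",
    "Dec 10 09:20:14 core-7609 413: %FM_EARL7-4-MLS_FLOWMASK_CONFLICT: mls flowmask may not be honored on interface Vlan210 due to flowmask conflict",
    "Dec 10 09:21:02 core-7609 414: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up",
    "Dec 10 09:25:40 dist-6509 88: %FM_EARL7-4-MLS_FLOWMASK_CONFLICT : mls flowmask may not be honored on interface GigabitEthernet3/4 due to flowmask conflict",
    "%FM_EARL7-4-MLS_FLOWMASK_CONFLICT : mls flowmask may not be honored on interface [chars] due to flowmask conflict",
]

if __name__ == "__main__":
    found = flowmask_conflicts(SAMPLE)
    print(found)
    print(netflow_blind_spots(found, {"core-7609": {"Vlan210"}, "dist-6509": {"Vlan5"}}))
```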