[c-nsp] 6500 not exporting layer 2 netflow data
Tassos Chatzithomaoglou
achatz at forthnet.gr
Wed Apr 30 11:56:21 EDT 2008
Andy, i recreated your scenario (on a 6509/SUP720-3BXL with SXF8) and i had the same problem with you.
Although L2 netflow entries were created fine (~7 Gbps of traffic!), they weren't exported.
Only 2 ping flows (locally to the SVI ip address) were exported.
6509#sh mls netflow ip count
Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 214269
6509#sh mls netflow usage
Netflow table usage notification enabled at 80% every 300 seconds
Netflow table utilization of module 1 is 99%
Netflow table utilization of module 6 is 85%
Netflow table utilization of module 7 is 87%
6509#sh ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.10.10.10 (12004)
Exporting using source IP address 20.20.20.20
Version 5 flow records
2 flows exported in 2 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
I found out that the number of packets and bytes for all flows was always zero and the AdjPtr was always 0x0.
I don't know if that's normal behavior for L2 traffic or a bug.
6509#sh mls netflow ip nowrap
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr Pkts Bytes Age LastSeen Attributes
------------------------------------------------------------------------------------------------------------------------------------------
x.x.x.x x.x.x.x udp :47399 :55525 -- :0x0 0 0 21 18:26:41 L2 - Dynamic
x.x.x.x x.x.x.x tcp :www :53913 -- :0x0 0 0 21 18:26:55 L2 - Dynamic
x.x.x.x x.x.x.x udp :28261 :54919 -- :0x0 0 0 21 18:26:41 L2 - Dynamic
x.x.x.x x.x.x.x udp :8937 :55555 -- :0x0 0 0 21 18:26:41 L2 - Dynamic
x.x.x.x x.x.x.x tcp :www :51256 -- :0x0 0 0 17 18:27:02 L2 - Dynamic
x.x.x.x x.x.x.x tcp :20258 :3655 -- :0x0 0 0 23 18:26:41 L2 - Dynamic
x.x.x.x x.x.x.x udp :2291 :63359 -- :0x0 0 0 11 18:26:51 L2 - Dynamic
x.x.x.x x.x.x.x tcp :1172 :55478 -- :0x0 0 0 17 18:27:01 L2 - Dynamic
Then i also found CSCsg47044 (fixed in 12.2(18)SXF9) :
==============================================================================
NDE is not exporting packets
Symptoms: NetFlow Data Export (NDE) may not export NetFlow entries for
bridged flow packets.
Conditions: This symptom is observed on a Cisco Catalyst 6000 series switch
and Cisco 7600 series router that are configured with a Supervisor Engine 720
that runs Cisco IOS Release 12.2(18)SXF6. This symptom occurs when you enter
the ip flow ingress layer2-switched vlan vlan
id command before you have configured an IP address for the
specified VLAN ID. The symptom may also occur in Release 12.2SR.
Workaround: Enter the ip flow ingress layer2-switched
vlan vlan id command after you have configured
an IP address for the specified VLAN ID.
==============================================================================
I tried it but all i got was the following, while nothing changed:
Apr 30 18:39:57.672: DFC7: WARNING: Call to deprecated api l2_modify_one_entry on Multiple L2 Asic system.
Apr 30 18:39:57.672: DFC7: -Traceback= 206F6B8C 206FBCA4 206F0260 206F036C 2055937C 20555F94 20555DD4 20555BD4
I also found out that the wrong failed counter (ICAM instead of TCAM) was increasing:
6509#sh platform hardware capacity netflow
Netflow Resources
TCAM utilization: Module Created Failed %Used
1 262018 0 100%
6 226444 0 86%
7 262019 0 100%
ICAM utilization: Module Created Failed %Used
1 2 376626 1%
6 1 0 0%
7 3 595644 2%
I guess SXF is too buggy on netflow.... I haven't tried SXF13 or SXH though.
--
Tassos
Andy Ellsworth wrote on 29/4/2008 10:02 μμ:
> Tassos Chatzithomaoglou wrote:
>> Maybe add "mls nde sender version 5"? I don't know if that's causing
>> any problem, but from your previous output, you're using v7 for PFC
>> and v5 for MSFC.
>>
>> Also what's the output of "sh ip flow export"?
>>
>> As a last solution (although i'm almost sure it won't make any
>> difference), try replacing "ip route-cache flow" with "ip flow ingress".
> Good suggestions. I changed the PFC to use version 5, no change in
> symptoms (still no export of layer 2 flows).
>
> #sh run | inc mls nde
> mls nde sender version 5
>
> #sh ip flow export
> Flow export v5 is enabled for main cache
> Exporting flows to 10.100.253.210 (30002)
> Exporting using source interface Vlan253
> Version 5 flow records
> 60615 flows exported in 34266 udp datagrams
> 0 flows failed due to lack of export packet
> 29 export packets were sent up to process level
> 0 export packets were dropped due to no fib
> 0 export packets were dropped due to adjacency issues
> 0 export packets were dropped due to fragmentation failures
> 0 export packets were dropped due to encapsulation fixup failures
> 0 export packets were dropped enqueuing for the RP
> 0 export packets were dropped due to IPC rate limiting
>
> We have an NMS server that pings and connects to port 22 on the switch
> every 5 minutes, which is what generates the majority of the few flows
> that I do see exported from this box.
>
> Also tried the "ip flow ingress" suggestion on the vl201 interface, both
> with and without "ip route-cache flow" (they're not mutually exclusive
> in the config). No luck.
>
> -Andy
>
>
>
More information about the cisco-nsp
mailing list