[c-nsp] 6500 not exporting layer 2 netflow data
Jeff Fitzwater
jfitz at Princeton.EDU
Wed Apr 30 13:32:02 EDT 2008
I did have it working on a sup-720-3B running 12.2(18)SXF but it made
the route processor run high since it is the processor that does the
exporting.
We now have sup-720-3CXLs running 12.2(33)SXH and have not tried NDE
yet because we use User Based Rate Limiting which conflicts with
NDE. The issue there is the TCAM flow mask conflict.
I did not have time to get the config posted but when I get a chance I
will.
Our first run also only produced routed flows, but we finally got the
L2s working, which smoked the flow collector and sporadically caused
90% spikes in CPU.
Jeff Fitzwater
OIT Network Systems
Princeton University
On Apr 30, 2008, at 12:48 PM, Andy Ellsworth wrote:
> Tassos Chatzithomaoglou wrote:
>> Andy, I recreated your scenario (on a 6509/SUP720-3BXL with SXF8) and
>> I had the same problem as you. Although L2 netflow entries were
>> created fine (~7 Gbps of traffic!), they weren't exported. Only 2 ping
>> flows (locally to the SVI IP address) were exported.
> Very nice! Thanks for the troubleshooting.
>> I found out that the number of packets and bytes for all flows was
>> always zero and the AdjPtr was always 0x0.
>> I don't know if that's normal behavior for L2 traffic or a bug.
> I'm guessing the 0 byte flows are a bug that they must have fixed in
> between SXF8 and SXF10, as I don't see that behavior in SXF10 (src/dst
> IP columns omitted):
>
> Prot:SrcPort:DstPort  Src i/f  :AdjPtr  Pkts   Bytes   Age  LastSeen  Attributes
> ----------------------------------------------------------------------------------------------------------
> udp :3332   :2300     --       :0x0     10516  630960  218  11:32:02  L2 - Dynamic
> tcp :3642   :443      --       :0x0     2077   144308  202  11:32:07  L2 - Dynamic
> udp :2724   :3508     --       :0x0     4477   268620  90   11:32:10  L2 - Dynamic
> tcp :3260   :29781    --       :0x0     2102   146792  154  11:32:09  L2 - Dynamic
> tcp :443    :2379     --       :0x0     241    16147   66   11:32:09  L2 - Dynamic
> tcp :443    :1802     --       :0x0     5      3772    10   11:32:03  L2 - Dynamic
> tcp :8080   :2268     --       :0x0     116    63579   62   11:31:08  L2 - Dynamic
> tcp :1033   :1494     --       :0x0     423    26667   82   11:32:10  L2 - Dynamic
> tcp :1041   :1494     --       :0x0     1022   66913   154  11:32:09  L2 - Dynamic
>
> Out of curiosity, what is the significance of the AdjPtr value? I've
> never seen a non-zero value in either bridged or routed flows on
> either of my 6500s.
>> Then I also found CSCsg47044 (fixed in 12.2(18)SXF9):
> If you believe the bug notes, in theory that should have been fixed by
> SXF10...regardless, in my case, all of the netflow config was done a
> very long time after the SVIs were built and IPs assigned. On a whim,
> though, I removed and reapplied the config in the order they specified
> for one of my VLANs of interest, and I didn't have any luck either.
>> I also found out that the wrong failed counter (ICAM instead of TCAM)
>> was increasing:
> They must have fixed that by SXF10, too, as my output is a bit
> different:
>
> Netflow Resources
>   TCAM utilization:   Module   Created   Failed   %Used
>                       5        3947      0        1%
>                       6        4027      0        1%
>   ICAM utilization:   Module   Created   Failed   %Used
>                       5        0         0        0%
>                       6        0         0        0%
>
>> I guess SXF is too buggy on netflow.... I haven't tried SXF13 or SXH
>> though.
> Someone dropped me a note off-list saying that export of bridged flows
> worked fine when they had a Sup2 in hybrid mode, but when moving to a
> Sup720 in native mode, only routed flows were exported.
>
> Now I'm wondering if *anyone* has successfully seen bridged flows
> exported from a Sup720, on any IOS version. This seems like the sort
> of problem that could fly under the radar, as I suspect the majority
> of folks with Sup720s are more interested in routed flows than
> bridged flows.
>
> -Andy
>