[c-nsp] Sup720 - flows processed by MSFC3

Jiri Prochazka jiri.prochazka at superhosting.cz
Sat Nov 5 08:04:48 EDT 2011


On 24.10.2011 11:27, Sergey Nikitin wrote:
> Hi,
>
> Jiri Prochazka wrote:
>> Hi to everyone,
>>
>>
>> we use netflow for traffic accounting and recently I've found weird
>> issue on some flows exported from one of our 6500(SXI) equipped with
>> VS-S720-10G-3CXL supervisor and a few WS-X6708-3CXL cards.
>>
>> Even if a global mask for IPv4 is set to
>> 'interface-destination-source' (no protocol, no port information)
>> there are a lot of flows, which seem to use interface-full mask.
>>
>> All of these 'detailed' flows are pointing to a destination, which is
>> not in a routing table of corresponding switch (which has full bgp feed).
>>
>> Most of them do have a destination to some private address space.
>>
>> 2011-10-24 01:24:48.000 0.000 TCP x.x.x.x:2562 -> 100.15.123.115:445 1 48 1
>> 2011-10-24 01:25:43.796 2.724 TCP x.x.x.x:80 -> 192.168.0.3:60668 4 160 1
>> 2011-10-24 01:24:46.032 0.000 TCP x.x.x.x:2481 -> 19.115.10.123:445 1 48 1
>> 2011-10-24 01:25:46.052 0.000 TCP x.x.x.x:46898 -> 10.13.105.150:25 1 40 1
>> 2011-10-24 01:25:46.244 0.000 TCP x.x.x.x:80 -> 192.168.98.5:2154 1 40 1
>> 2011-10-24 01:25:46.284 0.000 TCP x.x.x.x:80 -> 192.168.117.10:2672 1 40 1
>> 2011-10-24 01:25:46.292 0.000 TCP x.x.x.x:80 -> 192.168.0.13:56033 1 40 1
>> 2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1337 1 40 1
>> 2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1339 1 40 1
>> 2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1338 1 40 1
>> 2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1341 1 40 1
>> 2011-10-24 01:25:46.412 0.000 TCP x.x.x.x:80 -> 192.168.25.85:4168 1 40 1
>>
>> I assume these flows are processed by MSFC3, instead of PFC.
>>
>> Now it's only around 100 of such flows per second, thus not making any
>> significant load, but I can imagine someone sending a huge amount of
>> these flows, which could overload route-processor instantly..
>>
>> Is there any way to force MSFC not to produce flows for software
>> switched traffic?
> I'm not sure there is a way to disable MSFC netflow export separately.
>
>>
>> Or should I ignore it and consider it as harmless?
> You could set 'no ip unreachables' on interfaces where you don't want
> incoming traffic with unreachable destinations to be processed by MSFC3.
>

'no ip unreachables' is set on all involved interfaces. I don't think it
has any impact on this.


What about routing 0.0.0.0 0.0.0.0 to null0? We don't use default routes
against our upstreams and this would force all these 'invalid' streams
to be processed in hardware, right?




>>
>>
>> Thank you,
>>
>>
>> Jiri Prochazka
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
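Added example, not part of the original thread: a small monitor for the condition described above, which parses flow lines in the quoted format, counts records that still carry port information despite the 'interface-destination-source' mask, and reports how many target RFC 1918 space and the peak per-second rate. Treating port-bearing records as the software-switched ones follows the poster's assumption; the function names, the sample lines and the threshold are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the line format quoted in the post; the x.x.x.x:0
# record stands in for a flow exported without port information (assumption).
SAMPLE = """\
2011-10-24 01:25:46.244 0.000 TCP x.x.x.x:80 -> 192.168.98.5:2154 1 40 1
2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1337 1 40 1
2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1339 1 40 1
2011-10-24 01:25:47.100 0.000 TCP x.x.x.x:0 -> 198.51.100.9:0 12 9000 1
2011-10-24 01:24:46.032 0.000 TCP x.x.x.x:2481 -> 19.115.10.123:445 1 48 1
"""

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE = re.compile(
    r"^(?P<sec>\S+ \d\d:\d\d:\d\d)\.\d+\s+\S+\s+\S+\s+"
    r"\S+:(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"\d+\s+\d+\s+\d+$")


def parse(text):
    """Yield (second, dst_ip, has_ports) for every well-formed flow line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headers, wrapped fragments and blank lines
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # destination is not a valid IPv4 address
        yield m["sec"], dst, int(m["sport"]) != 0 or int(m["dport"]) != 0


def summarize(text, max_per_second=100):
    """Count port-bearing flows, RFC 1918 targets among them, and the peak rate."""
    per_second = Counter()
    detailed = private = 0
    for sec, dst, has_ports in parse(text):
        if not has_ports:
            continue  # flow matches the configured mask, nothing to report
        detailed += 1
        per_second[sec] += 1
        private += any(dst in net for net in RFC1918)
    peak = max(per_second.values(), default=0)
    return {"detailed": detailed, "rfc1918": private,
            "peak_per_second": peak, "alert": peak > max_per_second}
```

Calling `summarize(SAMPLE, max_per_second=2)` raises the alert on the constructed sample; the default threshold of 100 mirrors the rate mentioned in the post.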



