[c-nsp] Sup720 - flows processed by MSFC3

Jiri Prochazka jiri.prochazka at superhosting.cz
Sun Oct 23 20:20:21 EDT 2011 

Hi to everyone,


we use netflow for traffic accounting and recently I've found weird 
issue on some flows exported from one of our 6500(SXI) equipped with 
VS-S720-10G-3CXL supervisor and a few WS-X6708-3CXL cards.

Even if a global mask for IPv4  is set to 'interface-destination-source' 
(no protocol, no port information) there is a lot of flows, which seem 
to use interface-full mask.

All of these 'detailed' flows are pointing to a destination, which is 
not in a routing table of corresponding switch (which has full bgp feed).

Most of them do have a destination to some private address space.

2011-10-24 01:24:48.000     0.000 TCP       x.x.x.x:2562  -> 
100.15.123.115:445          1       48     1
2011-10-24 01:25:43.796     2.724 TCP      x.x.x.x:80    -> 
192.168.0.3:60668        4      160     1
2011-10-24 01:24:46.032     0.000 TCP       x.x.x.x:2481  -> 
19.115.10.123:445          1       48     1
2011-10-24 01:25:46.052     0.000 TCP     x.x.x.x:46898 -> 
10.13.105.150:25           1       40     1
2011-10-24 01:25:46.244     0.000 TCP      x.x.x.x:80    -> 
192.168.98.5:2154         1       40     1
2011-10-24 01:25:46.284     0.000 TCP      x.x.x.x:80    -> 
192.168.117.10:2672         1       40     1
2011-10-24 01:25:46.292     0.000 TCP      x.x.x.x:80    -> 
192.168.0.13:56033        1       40     1
2011-10-24 01:25:46.312     0.000 TCP      x.x.x.x:80    -> 
10.52.5.7:1337         1       40     1
2011-10-24 01:25:46.312     0.000 TCP      x.x.x.x:80    -> 
10.52.5.7:1339         1       40     1
2011-10-24 01:25:46.312     0.000 TCP      x.x.x.x:80    -> 
10.52.5.7:1338         1       40     1
2011-10-24 01:25:46.312     0.000 TCP      x.x.x.x:80    -> 
10.52.5.7:1341         1       40     1
2011-10-24 01:25:46.412     0.000 TCP      x.x.x.x:80    -> 
192.168.25.85:4168         1       40     1

I assume these flows are processed by MSFC3, instead of PFC.

Now it's only around 100 of such flows per second, thus not making any 
significant load, but I can imagine someone sending a huge amount of 
these flows, which could overload route-processor instantly..

Is there any way to force MSFC not to produce flows for software 
switched traffic?

Or should I ignore it and consider it at harmless?


Thank you,


Jiri Prochazka

More information about the cisco-nsp mailing list