[c-nsp] Sup720 - flows processed by MSFC3
Sergey Nikitin
oldnick at oldnick.ru
Mon Oct 24 05:27:42 EDT 2011
Hi,
Jiri Prochazka wrote:
> Hi to everyone,
>
>
> we use netflow for traffic accounting and recently I've found weird
> issue on some flows exported from one of our 6500(SXI) equipped with
> VS-S720-10G-3CXL supervisor and a few WS-X6708-3CXL cards.
>
> Even if a global mask for IPv4 is set to 'interface-destination-source'
> (no protocol, no port information) there are a lot of flows, which seem
> to use interface-full mask.
>
> All of these 'detailed' flows are pointing to a destination, which is
> not in the routing table of the corresponding switch (which has a full BGP feed).
>
> Most of them do have a destination to some private address space.
>
> 2011-10-24 01:24:48.000 0.000 TCP x.x.x.x:2562 -> 100.15.123.115:445 1 48 1
> 2011-10-24 01:25:43.796 2.724 TCP x.x.x.x:80 -> 192.168.0.3:60668 4 160 1
> 2011-10-24 01:24:46.032 0.000 TCP x.x.x.x:2481 -> 19.115.10.123:445 1 48 1
> 2011-10-24 01:25:46.052 0.000 TCP x.x.x.x:46898 -> 10.13.105.150:25 1 40 1
> 2011-10-24 01:25:46.244 0.000 TCP x.x.x.x:80 -> 192.168.98.5:2154 1 40 1
> 2011-10-24 01:25:46.284 0.000 TCP x.x.x.x:80 -> 192.168.117.10:2672 1 40 1
> 2011-10-24 01:25:46.292 0.000 TCP x.x.x.x:80 -> 192.168.0.13:56033 1 40 1
> 2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1337 1 40 1
> 2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1339 1 40 1
> 2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1338 1 40 1
> 2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1341 1 40 1
> 2011-10-24 01:25:46.412 0.000 TCP x.x.x.x:80 -> 192.168.25.85:4168 1 40 1
>
> I assume these flows are processed by MSFC3, instead of PFC.
>
> Now it's only around 100 of such flows per second, thus not making any
> significant load, but I can imagine someone sending a huge amount of
> these flows, which could overload the route-processor instantly.
>
> Is there any way to force MSFC not to produce flows for software
> switched traffic?
I'm not sure there is a way to disable MSFC netflow export separately.
>
> Or should I ignore it and consider it as harmless?
You could set 'no ip unreachables' on interfaces where you don't want
incoming traffic with unreachable destinations to be processed by MSFC3.
>
>
> Thank you,
>
>
> Jiri Prochazka
>
>
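Added example, not part of either poster's message: a small collector-side check that counts exported records carrying port information (the 'detailed' flows described above), how many of them target RFC 1918 space, and which seconds exceed a rate limit. The sample records, the 203.0.113.7 stand-in for the masked source, the port-0 convention for hardware-switched records and the `per_second_limit` parameter are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the records quoted above. 203.0.113.7
# stands in for the masked x.x.x.x source; the last two lines are invented
# hardware-switched records (assumption: under the
# interface-destination-source mask they are exported with port 0).
SAMPLE = """\
2011-10-24 01:24:48.000 0.000 TCP 203.0.113.7:2562 -> 100.15.123.115:445 1 48 1
2011-10-24 01:25:46.052 0.000 TCP 203.0.113.7:46898 -> 10.13.105.150:25 1 40 1
2011-10-24 01:25:46.312 0.000 TCP 203.0.113.7:80 -> 10.52.5.7:1337 1 40 1
2011-10-24 01:25:46.312 0.000 TCP 203.0.113.7:80 -> 10.52.5.7:1339 1 40 1
2011-10-24 01:25:46.412 0.000 TCP 203.0.113.7:80 -> 192.168.25.85:4168 1 40 1
2011-10-24 01:25:46.500 1.200 0 203.0.113.7:0 -> 198.51.100.20:0 12 9000 1
2011-10-24 01:25:47.100 0.800 0 203.0.113.7:0 -> 198.51.100.21:0 7 4200 1
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# date time.msec  duration  proto  src:port -> dst:port  packets bytes flows
LINE = re.compile(
    r"^(\S+ \d\d:\d\d:\d\d)\.\d+\s+\S+\s+\S+\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s")


def full_mask_flows(text):
    """Yield (second, dst_ip) for records that carry port information."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m and (int(m.group(3)) or int(m.group(5))):
            yield m.group(1), ipaddress.ip_address(m.group(4))


def summarize(text, per_second_limit=2):
    """Count full-mask records, RFC 1918 destinations and over-limit seconds."""
    flows = list(full_mask_flows(text))
    per_second = Counter(sec for sec, _ in flows)
    private = sum(any(dst in net for net in RFC1918) for _, dst in flows)
    busy = sorted(s for s, n in per_second.items() if n > per_second_limit)
    return {"full_mask": len(flows), "private_dst": private,
            "busy_seconds": busy}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The default limit of 2 only suits the seven-line sample; on a real export it would sit above the normal background rate for the switch.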