[c-nsp] Multiple flow-masks

Robert Williams Robert at CustodianDC.com
Sat Dec 8 07:00:25 EST 2012


Hi All,

I have an odd issue with a 6500/Sup-720-3bxl on which I need to do per-flow limiting (with a destination-only mask) along with standard Netflow/NDE export full-mask features.

I'm testing on a spare device with the same hardware (a 6516A-GBIC) and the test policy is:

policy-map test-policy
  class test-class
   police flow mask dest-only 100m 128000 conform-action transmit exceed-action drop
  class class-default

The interface config is:

interface GigabitEthernet3/16
 ip address x.x.x.x y.y.y.y
 ip access-group 121 in
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 speed nonegotiate
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 arp timeout 300
 spanning-tree bpdufilter enable

The problem occurs when I issue the interface command:

 service-policy input test-policy

I get:

%FM-4-FLOWMASK_REDUCED: Features configured on interface <name> have conflicting flowmask requirements, some features may work in software


Now, before I attached the policy, a "show platform hardware capacity netflow" shows this:

                 Flowmasks:   Mask#   Type        Features
                      IPv4:       0   reserved    none
                      IPv4:       1   Intf Ful    FM_QOS Intf NDE L3 Feature
                      IPv4:       2   Null                                      <---- the gap
                      IPv4:       3   reserved    none

                      IPv6:       0   reserved    none
                      IPv6:       1   Intf Ful    FM_IPV6_GUARDIAN FM_IPV6_QOS
                      IPv6:       2   unused      none
                      IPv6:       3   reserved    none


Then after I've attached the policy, it shows this:

                 Flowmasks:   Mask#   Type        Features
                      IPv4:       0   reserved    none
                      IPv4:       1   Intf Ful    FM_QOS Intf NDE L3 Feature
                      IPv4:       2   Dest onl    FM_QOS                        <---- my new policy
                      IPv4:       3   reserved    none

                      IPv6:       0   reserved    none
                      IPv6:       1   Intf Ful    FM_IPV6_GUARDIAN FM_IPV6_QOS
                      IPv6:       2   unused      none
                      IPv6:       3   reserved    none


Now, from what I can see, this should not be causing an error as there was a vacant flow-mask slot before I added my policy. The policy was (correctly) inserted into this gap, thus, no conflicts?

Additional potentially relevant info is as follows:

#sh run | inc flow|nde|mls
ip flow-cache timeout inactive 60
ip flow-cache timeout active 1
mls ipv6 acl compress address unicast
mls netflow interface
mls flow ip interface-destination-source
mls flow ipv6 interface-destination-source
mls nde sender
mls qos
mls rate-limit multicast ipv4 fib-miss 1000 100
mls rate-limit multicast ipv4 connected 1000 100
mls rate-limit multicast ipv4 igmp 1000 100
mls rate-limit multicast ipv4 partial 1000 100
mls rate-limit unicast cef glean 1000 100
mls rate-limit unicast acl vacl-log 1000
mls rate-limit unicast ip rpf-failure 50 200
mls rate-limit unicast ip icmp redirect 1000 100
mls rate-limit unicast ip icmp unreachable no-route 50 200
mls rate-limit unicast ip icmp unreachable acl-drop 50 200
mls rate-limit unicast ip errors 50 200
mls rate-limit all ttl-failure 1000 100
mls rate-limit all mtu-failure 1000 100
mls cef error action reset
ip flow-export source GigabitEthernet1/2
ip flow-export version 9
ip flow-export destination x.x.x.x yyyy
ip flow-top-talkers

Any pointers appreciated!

Cheers,

Robert Williams
Backline / Operations Team
Custodian DataCentre
tel: +44 (0)1622 230382
email: Robert at CustodianDC.com
http://www.custodiandc.com/disclaimer.txt




