[c-nsp] Multiple flow-masks

Robert Williams Robert at CustodianDC.com
Mon Dec 10 04:48:24 EST 2012 

Hi Andras,

Thanks for that – very strange as I do see different behaviour, specifically it works 100% fine with IPv4 NDE and my policy enabled.

What IOS are you running?

I’ve used that command and confirmed that I don’t see any conflicts unless the command mls flow ipv6 full is enabled.

mls ipv6 acl compress address unicast
mls netflow interface
mls flow ip interface-destination-source
mls nde sender
mls qos

My policy is using:
 police flow mask dest-only 200000000 512000 conform-action transmit exceed-action drop

And the interface is:
 ip access-group 121 in
 no ip redirects
 no ip proxy-arp
 speed nonegotiate
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 arp timeout 300
 spanning-tree bpdufilter enable
 service-policy input Inbound-Transit

Other info:
# sh fm fie int gi3/16
Interface Gi3/16:
Feature interaction state created: Yes
 Flowmask conflict status for protocol IP : FIE_FLOWMASK_STATUS_SUCCESS
 Flowmask conflict status for protocol OTHER : FIE_FLOWMASK_STATUS_SUCCESS
 Flowmask conflict status for protocol IPV6 : FIE_FLOWMASK_STATUS_SUCCESS
Interface Gi3/16 [Ingress]:
 Slot(s) using the protocol IP : 1
 FIE Result for protocol IP : FIE_SUCCESS_NO_CONFLICT
 Features Configured : RACL   - Protocol : IP
 FM Label when FIE was invoked : 23
 Current FM Label : 23
 Last Merge is for slot: 0
 Features in Bank2 = RACL
+-------------------------------------+
        Action Merge Table
+-------------------------------------+
   RACL         RSLT    R_RSLT  COL
+-------------------------------------+
   L2R          L2R     P       0
   SB           HB      P       0
   HB           HB      P       0
   L3D          L3D     L3D     0
   P            P       P       0
+-------------------------------------+
 num# of strategies tried : 1
 Description of merging strategy used:
  Serialized Banks: FALSE
  Bank1 Only Features: [empty]
  Bank2 Only Features: [empty]
  Banks Swappable: TRUE
 Merge Algorithm: ODM
  num# of merged VMRs in bank 1 = 0
  num# of free TCAM entries in Bank1 = 32652
  num# of merged VMRs in bank 2 = 12
  num# of free TCAM entries in Bank2 = 32732
 Slot(s) using the protocol OTHER : 1
 FIE Result for protocol OTHER : FIE_SUCCESS_NO_CONFLICT
 Features Configured : OTH_DEF   - Protocol : OTHER
 FM Label when FIE was invoked : 23
 Current FM Label : 23
 Last Merge is for slot: 0
 Features in Bank2 = OTH_DEF
+-------------------------------------+
        Action Merge Table
+-------------------------------------+
   OTH_DEF      RSLT    R_RSLT  COL
+-------------------------------------+
   SB           HB      P       0
   X            P       P       0
+-------------------------------------+
 num# of strategies tried : 1
 Description of merging strategy used:
  Serialized Banks: FALSE
  Bank1 Only Features: [empty]
  Bank2 Only Features: [empty]
  Banks Swappable: TRUE
 Merge Algorithm: ODM
  num# of merged VMRs in bank 1 = 0
  num# of free TCAM entries in Bank1 = 32682
  num# of merged VMRs in bank 2 = 1
  num# of free TCAM entries in Bank2 = 32741
 Slot(s) using the protocol IPV6 : 1
 FIE Result for protocol IPV6 : FIE_SUCCESS_NO_CONFLICT
 Features Configured : [empty] - Protocol : IPV6
 FM Label when FIE was invoked : 23
 Current FM Label : 23
 Last Merge is for slot: 0
 num# of strategies tried : 1
  num# of merged VMRs in bank 1 = 0
  num# of free TCAM entries in Bank1 = Unknown
  num# of merged VMRs in bank 2 = 1
  num# of free TCAM entries in Bank2 = Unknown
Interface Gi3/16 [Egress]:
 No Features Configured
No IP Guardian Feature Configured
No IPv6 Guardian Feature Configured
IP QoS Conflict resolution configured, QoS policy name: test-policy
IPv6 QoS Conflict resolution configured, QoS policy name: test-policy

#sh plat hard cap net
                 Flowmasks:   Mask#   Type        Features
                      IPv4:       0   reserved    none
                      IPv4:       1   Intf Src    Intf NDE L3 Feature
                      IPv4:       2   Dest onl    FM_QOS
                      IPv4:       3   reserved    none

                      IPv6:       0   reserved    none
                      IPv6:       1   Dest onl    FM_IPV6_QOS
                      IPv6:       2   Null
                      IPv6:       3   reserved    none

The policy is applied and working and I have netflow enabled globally (but disabled on that interface as suggested) and I’m using a destination mask on the policy.

To summarise, at this point I have:

IPv4:   NDE Flow export, Destination rate limiting
IPv6:   Destination rate limiting only

All is good in IPv4 land and the rate-limiting policy is working for IPv6 fine as well.

Then I issue: “mls flow ipv6 full” and get the error, even though “ip flow ingress” is disabled on that interface!

I still get the conflict message as soon as I enable global ipv6 flows.

Thoughts?

Robert Williams
Backline / Operations Team
Custodian DataCentre
tel: +44 (0)1622 230382
email: Robert at CustodianDC.com
http://www.custodiandc.com/disclaimer.txt

More information about the cisco-nsp mailing list