[c-nsp] Multiple flow-masks
Tóth András
diosbejgli at gmail.com
Mon Dec 10 07:50:04 EST 2012
Robert,

I was trying on 12.2(33)SXJ2 but that shouldn't cause a difference. I think
you are not seeing the conflict because netflow (ip flow ingress) is not
enabled on your interface now.

The reason you start seeing a conflict as soon as you enable mls flow ipv6
is that IPv6 Netflow can only be enabled globally, not per-interface. If
you disable ipv6 on the interface by removing the 'ipv6 enable' command,
the conflict will be resolved.

With IPv4, you can disable NDE/Netflow on the interface level, so you can
avoid a conflict by using dest-only mask for QoS and disabling netflow on
that interface only. However as soon as you enable IPv6 netflow, it applies
globally and you'll get a conflict (which I believe will only affect IPv6
traffic) due to the fact that you use a QoS mask for microflow policer
other than 'full'.

The syslog message will not tell you if it was v4 or v6 causing the
conflict, but sh fm fie interface reveals it, example from my device:

 Flowmask conflict status for protocol IP : FIE_FLOWMASK_STATUS_SUCCESS
 Flowmask conflict status for protocol OTHER : FIE_FLOWMASK_STATUS_SUCCESS
 Flowmask conflict status for protocol IPV6 : FIE_FLOWMASK_STATUS_FAIL

Best regards,
Andras

On Mon, Dec 10, 2012 at 10:48 AM, Robert Williams <Robert at custodiandc.com> wrote:
> Hi Andras,
>
> Thanks for that – very strange as I do see different behaviour,
> specifically it works 100% fine with IPv4 NDE and my policy enabled.
>
> What IOS are you running?
>
> I’ve used that command and confirmed that I don’t see any conflicts unless
> the command mls flow ipv6 full is enabled.
>
> mls ipv6 acl compress address unicast
> mls netflow interface
> mls flow ip interface-destination-source
> mls nde sender
> mls qos
>
> My policy is using:
> police flow mask dest-only 200000000 512000 conform-action transmit
> exceed-action drop
>
> And the interface is:
> ip access-group 121 in
> no ip redirects
> no ip proxy-arp
> speed nonegotiate
> ipv6 enable
> ipv6 nd ra suppress
> no ipv6 redirects
> arp timeout 300
> spanning-tree bpdufilter enable
> service-policy input Inbound-Transit
>
> Other info:
> # sh fm fie int gi3/16
> Interface Gi3/16:
> Feature interaction state created: Yes
> Flowmask conflict status for protocol IP : FIE_FLOWMASK_STATUS_SUCCESS
> Flowmask conflict status for protocol OTHER : FIE_FLOWMASK_STATUS_SUCCESS
> Flowmask conflict status for protocol IPV6 : FIE_FLOWMASK_STATUS_SUCCESS
> Interface Gi3/16 [Ingress]:
> Slot(s) using the protocol IP : 1
> FIE Result for protocol IP : FIE_SUCCESS_NO_CONFLICT
> Features Configured : RACL - Protocol : IP
> FM Label when FIE was invoked : 23
> Current FM Label : 23
> Last Merge is for slot: 0
> Features in Bank2 = RACL
> +-------------------------------------+
> Action Merge Table
> +-------------------------------------+
> RACL RSLT R_RSLT COL
> +-------------------------------------+
> L2R L2R P 0
> SB HB P 0
> HB HB P 0
> L3D L3D L3D 0
> P P P 0
> +-------------------------------------+
> num# of strategies tried : 1
> Description of merging strategy used:
> Serialized Banks: FALSE
> Bank1 Only Features: [empty]
> Bank2 Only Features: [empty]
> Banks Swappable: TRUE
> Merge Algorithm: ODM
> num# of merged VMRs in bank 1 = 0
> num# of free TCAM entries in Bank1 = 32652
> num# of merged VMRs in bank 2 = 12
> num# of free TCAM entries in Bank2 = 32732
> Slot(s) using the protocol OTHER : 1
> FIE Result for protocol OTHER : FIE_SUCCESS_NO_CONFLICT
> Features Configured : OTH_DEF - Protocol : OTHER
> FM Label when FIE was invoked : 23
> Current FM Label : 23
> Last Merge is for slot: 0
> Features in Bank2 = OTH_DEF
> +-------------------------------------+
> Action Merge Table
> +-------------------------------------+
> OTH_DEF RSLT R_RSLT COL
> +-------------------------------------+
> SB HB P 0
> X P P 0
> +-------------------------------------+
> num# of strategies tried : 1
> Description of merging strategy used:
> Serialized Banks: FALSE
> Bank1 Only Features: [empty]
> Bank2 Only Features: [empty]
> Banks Swappable: TRUE
> Merge Algorithm: ODM
> num# of merged VMRs in bank 1 = 0
> num# of free TCAM entries in Bank1 = 32682
> num# of merged VMRs in bank 2 = 1
> num# of free TCAM entries in Bank2 = 32741
> Slot(s) using the protocol IPV6 : 1
> FIE Result for protocol IPV6 : FIE_SUCCESS_NO_CONFLICT
> Features Configured : [empty] - Protocol : IPV6
> FM Label when FIE was invoked : 23
> Current FM Label : 23
> Last Merge is for slot: 0
> num# of strategies tried : 1
> num# of merged VMRs in bank 1 = 0
> num# of free TCAM entries in Bank1 = Unknown
> num# of merged VMRs in bank 2 = 1
> num# of free TCAM entries in Bank2 = Unknown
> Interface Gi3/16 [Egress]:
> No Features Configured
> No IP Guardian Feature Configured
> No IPv6 Guardian Feature Configured
> IP QoS Conflict resolution configured, QoS policy name: test-policy
> IPv6 QoS Conflict resolution configured, QoS policy name: test-policy
>
>
> #sh plat hard cap net
> Flowmasks: Mask# Type Features
> IPv4: 0 reserved none
> IPv4: 1 Intf Src Intf NDE L3 Feature
> IPv4: 2 Dest onl FM_QOS
> IPv4: 3 reserved none
>
> IPv6: 0 reserved none
> IPv6: 1 Dest onl FM_IPV6_QOS
> IPv6: 2 Null
> IPv6: 3 reserved none
>
> The policy is applied and working and I have netflow enabled globally (but
> disabled on that interface as suggested) and I’m using a destination mask
> on the policy.
>
> To summarise, at this point I have:
>
> IPv4: NDE Flow export, Destination rate limiting
> IPv6: Destination rate limiting only
>
> All is good in IPv4 land and the rate-limiting policy is working for IPv6
> fine as well.
>
> Then I issue: “mls flow ipv6 full” and get the error, even though “ip flow
> ingress” is disabled on that interface!
>
> I still get the conflict message as soon as I enable global ipv6 flows.
>
> Thoughts?
>
> *Robert Williams*
> Backline / Operations Team
> Custodian DataCentre
> tel: +44 (0)1622 230382
> email: Robert at CustodianDC.com
> http://www.custodiandc.com/disclaimer.txt
>
>
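
Since the syslog message does not say which protocol hit the flowmask conflict, the per-protocol status lines of `sh fm fie interface` are what has to be checked. The following is an added example, not code from either poster: it parses captured output and lists the interface/protocol pairs whose status is not SUCCESS. The sample text is constructed from the lines quoted in the thread, and Gi3/17 is a hypothetical second interface.

```python
import re

# Constructed sample: 'sh fm fie interface' summary lines as quoted in the
# thread (IPV6 set to FAIL), plus a hypothetical second interface, Gi3/17.
SAMPLE = """\
Interface Gi3/16:
 Feature interaction state created: Yes
 Flowmask conflict status for protocol IP : FIE_FLOWMASK_STATUS_SUCCESS
 Flowmask conflict status for protocol OTHER : FIE_FLOWMASK_STATUS_SUCCESS
 Flowmask conflict status for protocol IPV6 : FIE_FLOWMASK_STATUS_FAIL
Interface Gi3/16 [Ingress]:
 Slot(s) using the protocol IP : 1
 FIE Result for protocol IP : FIE_SUCCESS_NO_CONFLICT
Interface Gi3/17:
 Flowmask conflict status for protocol IP : FIE_FLOWMASK_STATUS_SUCCESS
 Flowmask conflict status for protocol OTHER : FIE_FLOWMASK_STATUS_SUCCESS
 Flowmask conflict status for protocol IPV6 : FIE_FLOWMASK_STATUS_SUCCESS
"""

# Matches both "Interface Gi3/16:" and "Interface Gi3/16 [Ingress]:".
IFACE_RE = re.compile(r"^\s*Interface\s+(\S+?)(?:\s+\[(?:Ingress|Egress)\])?:\s*$")
STATUS_RE = re.compile(
    r"^\s*Flowmask conflict status for protocol\s+(\S+)\s*:\s*(FIE_FLOWMASK_STATUS_\w+)\s*$")

def flowmask_status(text):
    """Return {interface: {protocol: status}} from captured CLI output."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.lstrip("> ")  # tolerate captures pasted from quoted mail
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = STATUS_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2)
    return result

def conflicts(text):
    """Return sorted (interface, protocol) pairs whose status is not SUCCESS."""
    return sorted(
        (iface, proto)
        for iface, protos in flowmask_status(text).items()
        for proto, status in protos.items()
        if status != "FIE_FLOWMASK_STATUS_SUCCESS")

if __name__ == "__main__":
    for iface, proto in conflicts(SAMPLE):
        print(f"{iface}: flowmask conflict for {proto}")
```
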