Affected device and logs:
cisco WS-C6509-E (R7000) processor (revision 1.2) with 458720K/65536K bytes of memory.
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(18)SXF15a, RELEASE SOFTWARE (fc1)
Dec 10 00:10:11.885 KST: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [92%]
Dec 10 00:10:19.293 KST: %EARL_NETFLOW-SP-STDBY-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [91%]
Root cause analysis:
6509_E#show mls netflow ip count
Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 86222
The capacity for each policy feature card (PFC) NetFlow table (IPv4), for PFC3a and PFC3b, is 128,000 flows. For the PFC3bXL, the capacity is 256,000 flows.
Source: <http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml>
6509_E#show module
<omitted>
Mod  Sub-Module                  Model              Serial       Hw      Status
---- --------------------------- ------------------ ------------ ------- -------
  5  Policy Feature Card 3       WS-F6K-PFC3B       SALXXXXXXXX  2.3     Ok
  5  MSFC3 Daughterboard         WS-SUP720          SALXXXXXXXX  2.5     Ok
  6  Policy Feature Card 3       WS-F6K-PFC3B       WS-SUP720 is shown on the next line; this line keeps the original row order
6509_E#
As the document above states, the PFC3B supports 128,000 entries. The device in question had about 86,000 flows at the time of the check (86,222 shortcuts), while the threshold log had reported 92% TCAM utilization, so the raw entry count alone understates how full the table actually was.
The SUP720 checks the NetFlow table every 30 seconds and switches to aggressive aging mode once utilization exceeds 90%. If the table fills to 100% within a single 30-second interval, however, no new flows can be created. Catching it before 100% is fortunate in that aggressive aging takes over; otherwise, once the table is full, no further NetFlow entries can be created until existing ones age out.
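As an added example (not from the original note and not Cisco code), the following Python script applies the reasoning above to the log lines and show output quoted on this page: it parses the %EARL_NETFLOW TCAM_THRLD events, reads the shortcut count, compares it against the nominal PFC table size from the tech note, and classifies the state by the 90% (aggressive aging) and 100% (exhausted) thresholds. The sample syslog and show lines are constructed copies of the ones above; PFC_CAPACITY and the threshold constants are taken from the text, and the PFC model keys are assumptions for illustration.

```python
import re

# Constructed sample, modelled on the log and show output quoted on this page (not a live capture).
SYSLOG_LINES = [
    "Dec 10 00:10:11.885 KST: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [92%]",
    "Dec 10 00:10:19.293 KST: %EARL_NETFLOW-SP-STDBY-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [91%]",
    "Dec 10 00:10:20.001 KST: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

SHOW_COUNT = """Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 86222
"""

# Nominal IPv4 NetFlow table capacity per PFC model, from the Cisco tech note cited above.
# The dictionary keys are the model strings from 'show module' (assumption: used as lookup keys here).
PFC_CAPACITY = {"WS-F6K-PFC3A": 128_000, "WS-F6K-PFC3B": 128_000, "WS-F6K-PFC3BXL": 256_000}

# The supervisor checks the table every 30 s; aggressive aging starts above 90%, and at 100%
# no new flows are created (both figures from the analysis above).
AGGRESSIVE_AGING_PCT = 90
CHECK_INTERVAL_S = 30

TCAM_RE = re.compile(
    r"%EARL_NETFLOW-(?P<card>SP(?:-STDBY)?)-4-TCAM_THRLD: .*TCAM Utilization \[(?P<pct>\d+)%\]"
)
COUNT_RE = re.compile(r"Number of shortcuts = (?P<n>\d+)")


def parse_tcam_events(lines):
    """Return [(card, utilization_pct)] for each TCAM_THRLD syslog line; other lines are ignored."""
    events = []
    for line in lines:
        m = TCAM_RE.search(line)
        if m:
            events.append((m.group("card"), int(m.group("pct"))))
    return events


def parse_shortcut_count(text):
    """Extract the entry count from 'show mls netflow ip count' output."""
    m = COUNT_RE.search(text)
    if not m:
        raise ValueError("no 'Number of shortcuts' line in show output")
    return int(m.group("n"))


def classify(pct):
    """Map a reported utilization percentage to the supervisor's aging state."""
    if pct >= 100:
        return "exhausted"           # no new flows until entries age out
    if pct >= AGGRESSIVE_AGING_PCT:
        return "aggressive-aging"    # supervisor has switched to aggressive aging
    return "normal"


def headroom(shortcuts, pfc_model):
    """(free entries, percent used) against the nominal table size of the installed PFC."""
    cap = PFC_CAPACITY[pfc_model]
    return cap - shortcuts, round(100 * shortcuts / cap, 1)


def assess(lines, show_text, pfc_model):
    """Combine the syslog view and the show-command view into one verdict."""
    events = parse_tcam_events(lines)
    worst = max((p for _, p in events), default=0)
    n = parse_shortcut_count(show_text)
    free, nominal_pct = headroom(n, pfc_model)
    return {
        "events": events,
        "state": classify(worst),
        "shortcuts": n,
        "nominal_pct": nominal_pct,
        "free_entries": free,
    }


if __name__ == "__main__":
    print(assess(SYSLOG_LINES, SHOW_COUNT, "WS-F6K-PFC3B"))
```

Run on the figures from this page it reports state aggressive-aging, because the supervisor itself said 92%. Note that the two views disagree: 86,222 shortcuts is 67.4% of the nominal 128,000, yet the reported utilization was 92%. Act on the supervisor's figure and treat the nominal ratio only as a sanity check; the headroom it shows is optimistic.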
Resolution:
"no mls flow ip"
Disable the NetFlow flow mask with the "no mls flow ip" command.
Note: Generally, the "no mls flow ip" command does not affect packet forwarding because the TCAM for packet forwarding and the TCAM for NetFlow accounting are separate.
mls flow
To configure the flow mask for NDE, use the mls flow command in global configuration mode. To specify a null flow mask, use the no form of this command. To restore the default flow mask, use the default form of this command.
mls flow {ip | ipv6} {destination | destination-source | full | interface-destination-source | interface-full | source}
no mls flow {ip | ipv6}
default mls flow {ip | ipv6}
Defaults
The defaults are as follows:
• For Cisco 7600 series routers that are configured with a Supervisor Engine 2, the default flow mask is destination.
• For Cisco 7600 series routers that are configured with a Supervisor Engine 720, the default flow mask is null.
• For IPv4, the default flow mask is null.
• For IPv6, the default flow mask is null.
Command Modes
Global configuration
Usage Guidelines
This command collects statistics for the supervisor engine. In Cisco IOS Release 12.2(33)SRB and later, the interface-destination-source and interface-full flow masks are the only masks supported for IPv4 traffic. This change was made to accommodate the per-interface NetFlow feature. If other flow mask values are used, the router upgrades them as follows:
• Source, destination, and destination-source flow masks are treated as interface-destination-source.
• Full flow masks are treated as interface-full.
Note: To ensure that the Optimized Edge Routing passive-monitoring feature can use NetFlow, you must change the IPv4 flow mask to interface-full.
Examples
This example shows how to set the desired flow mask used to populate the hardware cache for IPv4 NetFlow Data Export:
Router(config)# mls flow ip full
Router(config)#
Source: <http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_02.html>
mls aging timer
Shortening the aging timer can also relieve the pressure: fast aging purges entries that do not see more than the threshold packet count within the configured time, so short-lived, low-volume flows leave the table sooner. The command below ages out any entry that does not see more than 64 packets in 30 seconds (the default, when fast aging is enabled, is 100 packets in 32 seconds). Check first whether sampled NetFlow is configured, because fast aging has no effect while it is (see the usage guidelines below).
6509_E(config)#mls aging fast threshold 64 time 30
mls aging fast
To configure the fast-aging time for unicast entries in the Layer 3 table, use the mls aging fast command in global configuration mode. To restore the MLS fast-aging time to the default settings, use the no form of this command.
mls aging fast [{threshold packet-count} [{time seconds}]]
mls aging fast [{time seconds} [{threshold packet-count}]]
no mls aging fast
Defaults
The defaults are as follows:
• Fast aging is disabled.
• If fast aging is enabled, the default packet-count value is 100 packets and the seconds default is 32 seconds.
Command Modes
Global configuration
Usage Guidelines
This command has no effect when you configure sampled NetFlow. You must disable sampled NetFlow to allow this command to take effect.
Examples
This example shows how to configure the MLS fast-aging threshold:
Router(config)# mls aging fast threshold 50
Router(config)#
Source: <http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_02.html>
Cisco also gives the following workaround. However, "service internal" is, as far as I know, an undocumented (hidden) command, and it is not clearly known what effect it has on the system as a whole, so this is not a recommended approach.
The other workaround would be to disable service internal if you have enabled it, and remove mls flow ip interface-full if you do not need the full flow mask.
Switch(config)#no service internal
Switch(config)#mls flow ip interface-full
Note that the second line, as shown, configures the interface-full mask rather than removing it. To remove it as the workaround text says, use the no form from the command reference above (no mls flow ip), or choose a less specific mask: interface-full keys each entry on ingress interface, addresses, protocol and ports, so it creates the most entries per host and fills the NetFlow TCAM fastest.
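Why the flow mask matters for TCAM consumption, both for the mls flow ip reference above and for the interface-full workaround just quoted, is easier to see by counting entries. The following Python snippet is an added example, not Cisco code and not part of the original note: it takes a constructed packet sample and counts how many distinct NetFlow entries each mls flow ip mask would create. The per-mask field lists are a simplification and an assumption (the real PFC keys carry further fields, and the exact composition varies by release), so read the numbers as relative, not absolute.

```python
from collections import namedtuple

# Minimal packet model; ifindex is the ingress interface index.
Pkt = namedtuple("Pkt", "ifindex src dst proto sport dport")

# Key fields per mls flow ip mask. Simplified (assumption): real PFC3 keys carry
# further fields; only the relative growth between masks matters here.
FLOW_MASKS = {
    "destination":                  ("dst",),
    "source":                       ("src",),
    "destination-source":           ("src", "dst"),
    "full":                         ("src", "dst", "proto", "sport", "dport"),
    "interface-destination-source": ("ifindex", "src", "dst"),
    "interface-full":               ("ifindex", "src", "dst", "proto", "sport", "dport"),
}


def flow_key(pkt, mask):
    """The tuple the PFC would hash into the NetFlow table under this mask."""
    return tuple(getattr(pkt, field) for field in FLOW_MASKS[mask])


def count_entries(pkts, mask):
    """Number of distinct NetFlow entries the packet set creates under a mask."""
    return len({flow_key(p, mask) for p in pkts})


def entries_per_mask(pkts):
    """Entry count for every mask, for side-by-side comparison."""
    return {mask: count_entries(pkts, mask) for mask in FLOW_MASKS}


def sample_traffic():
    """Constructed sample: 4 clients reaching 2 HTTPS servers through 2 ingress
    interfaces (asymmetric paths), each client using 4 ephemeral source ports per server."""
    pkts = []
    for ifindex in (1, 2):
        for c in range(4):
            for s in range(2):
                for sport in range(40000, 40004):
                    pkts.append(Pkt(ifindex, f"10.0.0.{c + 1}", f"192.0.2.{s + 1}", 6, sport, 443))
    return pkts


def mask_reduction(pkts, from_mask, to_mask):
    """Fraction of entries saved by moving from one mask to a less specific one."""
    before, after = count_entries(pkts, from_mask), count_entries(pkts, to_mask)
    return round(1 - after / before, 3)


if __name__ == "__main__":
    pkts = sample_traffic()
    for mask, n in entries_per_mask(pkts).items():
        print(f"{mask:32s} {n:5d} entries")
    print("interface-full -> interface-destination-source saves",
          f"{mask_reduction(pkts, 'interface-full', 'interface-destination-source'):.0%}")
```

On this sample, interface-full holds 64 entries where interface-destination-source holds 16, which is the point of the workaround: every new source port (a port scan, or many short connections from one host) adds an entry under a full mask but is absorbed into the existing (interface, src, dst) entry under the less specific one. Recall from the usage guidelines above that on releases applying the 12.2(33)SRB restriction the non-interface masks are upgraded to interface-destination-source, so on those releases the practical choice is between the two interface masks.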