Hi,
Jiri Prochazka wrote:
Hi to everyone,
we use netflow for traffic accounting and recently I've found a weird
issue on some flows exported from one of our 6500(SXI) equipped with
VS-S720-10G-3CXL supervisor and a few WS-X6708-3CXL cards.
Even if a global mask for IPv4 is set to 'interface-destination-source'
(no protocol, no port information) there are a lot of flows, which seem
to use interface-full mask.
All of these 'detailed' flows are pointing to a destination, which is
not in a routing table of corresponding switch (which has full bgp feed).
Most of them do have a destination to some private address space.
2011-10-24 01:24:48.000 0.000 TCP x.x.x.x:2562 -> 100.15.123.115:445 1 48 1
2011-10-24 01:25:43.796 2.724 TCP x.x.x.x:80 -> 192.168.0.3:60668 4 160 1
2011-10-24 01:24:46.032 0.000 TCP x.x.x.x:2481 -> 19.115.10.123:445 1 48 1
2011-10-24 01:25:46.052 0.000 TCP x.x.x.x:46898 -> 10.13.105.150:25 1 40 1
2011-10-24 01:25:46.244 0.000 TCP x.x.x.x:80 -> 192.168.98.5:2154 1 40 1
2011-10-24 01:25:46.284 0.000 TCP x.x.x.x:80 -> 192.168.117.10:2672 1 40 1
2011-10-24 01:25:46.292 0.000 TCP x.x.x.x:80 -> 192.168.0.13:56033 1 40 1
2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1337 1 40 1
2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1339 1 40 1
2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1338 1 40 1
2011-10-24 01:25:46.312 0.000 TCP x.x.x.x:80 -> 10.52.5.7:1341 1 40 1
2011-10-24 01:25:46.412 0.000 TCP x.x.x.x:80 -> 192.168.25.85:4168 1 40 1
I assume these flows are processed by MSFC3, instead of PFC.
Now it's only around 100 of such flows per second, thus not making any
significant load, but I can imagine someone sending a huge amount of
these flows, which could overload route-processor instantly.
Is there any way to force MSFC not to produce flows for software
switched traffic?
I'm not sure there is a way to disable MSFC netflow export separately.
Or should I ignore it and consider it as harmless?
You could set 'no ip unreachables' on interfaces where you don't want
incoming traffic with unreachable destinations to be processed by MSFC3.
Thank you,
Jiri Prochazka
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
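
Added example, not part of the original thread: one way to watch the rate of the port-detailed flows discussed above from collector output. It assumes records in the column layout quoted in the post and that flows built with the 'interface-destination-source' mask show port 0 on both sides; the sample records, the 203.0.113.10 source and the threshold value are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same column layout as the records in the post
# (start time, duration, proto, src:port -> dst:port, packets, bytes, flows).
SAMPLE = """\
2011-10-24 01:25:46.000 0.000 0 203.0.113.10:0 -> 198.51.100.7:0 10 400 1
2011-10-24 01:25:46.244 0.000 TCP 203.0.113.10:80 -> 192.168.98.5:2154 1 40 1
2011-10-24 01:25:46.312 0.000 TCP 203.0.113.10:80 -> 10.52.5.7:1337 1 40 1
2011-10-24 01:25:46.312 0.000 TCP 203.0.113.10:80 -> 10.52.5.7:1339 1 40 1
2011-10-24 01:25:47.052 0.000 TCP 203.0.113.10:46898 -> 100.15.123.115:445 1 48 1
"""

LINE = re.compile(
    r"^(\S+ \d\d:\d\d:\d\d)\.\d+\s+\S+\s+(\S+)\s+"
    r"(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def detailed_flows(text):
    """Yield (second, dst, is_rfc1918) for records that carry port detail."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headers, summaries and wrapped fragments
        second, sport, dst, dport = m.group(1, 4, 5, 6)
        if int(sport) == 0 and int(dport) == 0:
            continue  # assumption: this is what a masked (no-port) flow looks like
        addr = ipaddress.ip_address(dst)
        yield second, dst, any(addr in net for net in RFC1918)

def summarize(text, threshold=2):
    """Return (per-second counts, RFC1918 count, seconds at/over threshold)."""
    per_second, private = Counter(), 0
    for second, _dst, is_private in detailed_flows(text):
        per_second[second] += 1
        private += is_private
    # threshold is a hypothetical alert level; tune it to the normal rate
    busy = sorted(s for s, n in per_second.items() if n >= threshold)
    return per_second, private, busy

if __name__ == "__main__":
    counts, private, busy = summarize(SAMPLE)
    print(dict(counts), private, busy)
```
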