Netflow on SUP720-3BXL

I’m trying to run netflow on one of our Cisco core routers (SUP720-3BXL),
but I think I am hitting some limitations because of this:

%EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM
Utilization [99%]

The setup of netflow looks like this:

  ip flow-cache entries 524288

  mls aging fast time 5 threshold 32

  mls aging long 300

  mls aging normal 60

  mls netflow usage notify 80 300

  mls flow ip full

  no mls flow ipv6

  mls nde sender version 5

  no mls verify ip checksum

  no mls acl tcam share-global

  ip flow-export source Loopback0

  ip flow-export version 5 origin-as

  ip flow-export destination <ip> <port>

Then I have this enabled on all border interfaces/vlans (peering / transit /
other core routers) that are of interest for my stats:

  ip route-cache flow

Some more details about the problem:

  #sh mls netflow table-contention detailed
  Earl in Module 5
  Detailed Netflow CAM (TCAM and ICAM) Utilization

yes ip cef, this is enabled:

  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is enabled
  IP CEF switching is enabled
  IP Flow switching turbo vector
  IP Flow CEF switching turbo vector

and so on...

Have a look at http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801b42bf.shtml#prob1a

// Olof

I'm trying to run netflow on one of our Cisco core routers (SUP720-3BXL),
but I think I am hitting some limitations because of this:

Sounds about right for the amount of traffic you're pushing through the box. The SUP720 is a very poor netflow platform.

There has been extensive discussion about this problem in cisco-nsp over the past several years, and this posting is probably more appropriate to that mailing list. But basically, there is too little netflow tcam on this card to deal with anything more than a couple of gigs of traffic. You can help things by setting the aging timer to be very aggressive, and by getting DFCs (although these are a rather expensive option). Sampling won't generally help, as the sampling is done in software, after the data has been collected.

More info on:

sup720 netflow +site:puck.nether.net/pipermail/cisco-nsp - Google Search

Nick

AFAIK, at that traffic level, you will have to do sampled netflow. Try

  mls sampling time-based 64 [in global]

  mls netflow sampling [in interface]

and see if that stops your TCAM utilization issues. You may have to sample even less flow data.

This is, believe it or not, a feature of the device you are using.
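The thread's setup exports NetFlow version 5 with origin-as (`mls nde sender version 5`, `ip flow-export version 5 origin-as`), and the last reply suggests turning on sampled netflow. The parser below is an added example, not code from anyone in the thread: it decodes a v5 export datagram as a collector would see it, pulls the sampling mode and 1-in-N interval out of the header so sampled packet and byte counts can be scaled back up, and reads the src/dst AS fields that `origin-as` populates. The datagram it parses is constructed inline (documentation addresses, private-use ASNs, a 1-in-64 sampling field); the header and record layouts are the standard v5 ones, and the bounds checks (version, 30-record maximum, truncation) are what a collector on a busy export stream should enforce before trusting a record.

```python
"""Decode NetFlow v5 export datagrams, as sent by 'mls nde sender version 5'.

Added example; the sample datagram is constructed, not captured from the
router in the thread.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record
V5_MAX_RECORDS = 30                                    # v5 caps records per datagram


@dataclass
class V5Header:
    count: int
    sys_uptime_ms: int
    unix_secs: int
    flow_sequence: int
    engine_type: int
    engine_id: int
    sampling_mode: int      # top 2 bits of the sampling field
    sampling_interval: int  # low 14 bits: 1-in-N (0 means unsampled)


@dataclass
class V5Record:
    src: str
    dst: str
    nexthop: str
    input_if: int
    output_if: int
    packets: int
    octets: int
    src_port: int
    dst_port: int
    tcp_flags: int
    protocol: int
    src_as: int   # with 'origin-as' this is the origin AS, not the BGP peer AS
    dst_as: int


def parse_v5(datagram: bytes) -> Tuple[V5Header, List[V5Record]]:
    """Validate and decode one v5 export datagram; raise ValueError if malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, uptime, secs, _nsecs, seq,
     eng_type, eng_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated: need {needed} bytes, got {len(datagram)}")
    header = V5Header(count, uptime, secs, seq, eng_type, eng_id,
                      sampling >> 14, sampling & 0x3FFF)
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(V5Record(
            src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
            nexthop=socket.inet_ntoa(f[2]), input_if=f[3], output_if=f[4],
            packets=f[5], octets=f[6], src_port=f[9], dst_port=f[10],
            tcp_flags=f[12], protocol=f[13], src_as=f[15], dst_as=f[16]))
    return header, records


def scale_for_sampling(header: V5Header, records: List[V5Record]) -> Tuple[int, int]:
    """Estimate total packets and bytes by multiplying sampled counts by 1-in-N."""
    factor = header.sampling_interval or 1
    return (sum(r.packets for r in records) * factor,
            sum(r.octets for r in records) * factor)


def build_sample_datagram() -> bytes:
    """Constructed datagram: two TCP records, header marked as sampled 1-in-64."""
    sampling = (1 << 14) | 64          # mode 1, interval 64 (constructed value)
    hdr = V5_HEADER.pack(5, 2, 123456, 1_700_000_000, 0, 42, 0, 0, sampling)

    def rec(src, dst, pkts, octs, sport, dport, proto, sas, das):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              socket.inet_aton("192.0.2.1"), 3, 7, pkts, octs,
                              100000, 105000, sport, dport, 0, 0x18, proto, 0,
                              sas, das, 24, 24, 0)

    return (hdr
            + rec("203.0.113.10", "198.51.100.20", 10, 15000, 443, 51234, 6, 64496, 64497)
            + rec("198.51.100.20", "203.0.113.10", 4, 320, 51234, 443, 6, 64497, 64496))


if __name__ == "__main__":
    h, rs = parse_v5(build_sample_datagram())
    print(f"seq={h.flow_sequence} sampled 1-in-{h.sampling_interval} mode={h.sampling_mode}")
    for r in rs:
        print(f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port} AS{r.src_as}->AS{r.dst_as} "
              f"pkts={r.packets} bytes={r.octets}")
    print("estimated totals (pkts, bytes):", scale_for_sampling(h, rs))
```

Two things worth noting for the TCAM problem in the thread: the `flow_sequence` field lets a collector detect export gaps (a sequence jump larger than the record count means datagrams were lost or flows were never created, which is exactly what a full TCAM produces), and once sampling is on, every per-AS byte figure must be scaled by the header's interval or the origin-as statistics will be off by that factor.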