how to turn off NETFLOW?

netternewbie
Level 1

Hi all,

I see these errors on my 6500 router which acts as my server farm and has hundreds of servers connecting to it. I have just taken over these routers from another guy and think the errors may have been there for quite a while. I have another router which doesn't seem to have these errors. Can you tell me how to turn off netflow? Will it cause any problems to my server farm? Is there a risk to the router if I disable something?

I ask this cause the server guys are having problems with certain servers. I am not sure if they are because of this or not. I really would like to clear the logs.

This seems to be how netflow is configured on it:

no mls acl tcam share-global

mls aging fast time 30 threshold 64

mls netflow interface

mls flow ip interface-full

mls nde sender version 5

mls cef error action freeze

: %EARL_NETFLOW-SPSTBY-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [92%]

%EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [90%]


Bilal Nawaz
VIP Alumni

Hello, If you want to turn netflow off you need to look for some commands that have been enabled on the 6500. Try looking for these:

ip flow ingress

ip flow egress

ip flow ingress layer2-switched vlan ##

ip mls netflow interface

mls flow ip interface-full

ip flow-export source

ip flow-export version #

ip flow-export destination x.x.x.x yyyy

You need to find 'flow' related commands and cancel them out with the 'no' command in front.

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.
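An added example, not part of the original thread and not Cisco tooling: `show running | include ...` loses the interface context, so the Python below parses a full running-config, attributes each 'flow' command to its interface, and builds the matching `no` lines described in the reply above. The sample config, interface names and function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt: interface names and addresses are made up;
# the flow commands are the ones quoted in the thread.
SAMPLE_CONFIG = """\
mls aging fast time 30 threshold 64
mls netflow interface
mls flow ip interface-full
ip flow-cache timeout active 1
interface Vlan10
 ip flow ingress
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet1/1
 ip flow ingress
 ip flow egress
ip flow-export version 5
ip flow-export destination 172.16.10.5 2055
"""

def parse_flow_commands(config):
    """Return (global_cmds, {interface: [cmds]}) for config lines containing 'flow'."""
    global_cmds, per_if, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if not raw[0].isspace():          # top-level line: may open an interface block
            m = re.match(r"interface\s+(\S+)", cmd)
            current = m.group(1) if m else None
        elif current is None:             # sub-command of a non-interface block: skip
            continue
        if "flow" in cmd.lower() and not cmd.startswith("no "):
            (per_if.setdefault(current, []) if current else global_cmds).append(cmd)
    return global_cmds, per_if

def removal_plan(config):
    """Build the 'no' commands, interface by interface, for review before use."""
    global_cmds, per_if = parse_flow_commands(config)
    plan = []
    for name, cmds in per_if.items():
        plan.append(f"interface {name}")
        plan += [f" no {c}" for c in cmds]
    return plan + [f"no {c}" for c in global_cmds]

if __name__ == "__main__":
    print("\n".join(removal_plan(SAMPLE_CONFIG)))
```

The `mls aging fast` line is left out of the plan on purpose: it does not contain 'flow', and it is the aging setting that relieves a full NetFlow table.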


Thanks Bilal Nawaz,

I did a show running | include netflow and got the following results. I am seeing similar on the other router though and no errors in the logs.

ip flow-cache timeout active 1

mls netflow interface

mls flow ip interface-full

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow ingress

ip flow-export version 5

ip flow-export destination 172.16.10.5 2055

Hello, Your question was about disabling netflow. If you want to know more about the message you are getting please see this:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml?

%EARL_NETFLOW-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [[dec]%]

Problem

The switch reports this error message:

  • EARL_NETFLOW-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [[dec]%]

This example shows the console output that is displayed when this problem occurs:

Aug 24 12:30:53: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [97%]
Aug 24 12:31:53: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [97%]

Note: If you want to filter out this specific error message, be aware that all error messages with the same severity level will be filtered. A specific log message cannot be filtered without affecting other logs which are under the same severity level.

Description

This message indicates that the NetFlow ternary content addressable memory (TCAM) is almost full. Aggressive aging will be temporarily enabled. If you change the NetFlow mask to FULL mode, TCAM for NetFlow can overflow because there are so many entries. Issue the show mls netflow ip count command in order to check this information.

The Supervisor Engine 720 checks how full the NetFlow table is every 30 seconds. The Supervisor Engine turns on aggressive aging when the table size reaches almost 90 percent. The idea behind aggressive aging is that the table is nearly full, so there are new active flows that cannot be created. Therefore, it makes sense to aggressively age-out the less active flows (or inactive flows) in the table in order to make space for more active flows.

The capacity for each policy feature card (PFC) NetFlow table (IPv4), for PFC3a and PFC3b, is 128,000 flows. For the PFC3bXL, the capacity is 256,000 flows.

Workaround

In order to prevent this problem, disable the FULL NetFlow mode. Issue the no mls flow ip command.

Note: Generally, the no mls flow ip command does not affect packet forwarding because TCAM for packet forwarding and TCAM for NetFlow accounting are separate.

In order to recover from this issue, enable MLS fast aging. While you enable MLS fast aging time, initially set the value to 128 seconds. If the size of the MLS cache continues to grow over 32 K entries, decrease the setting until the cache size remains less than 32 K. If the cache continues to grow over 32K entries, decrease the normal MLS aging time. Any aging-time value that is not a multiple of 8 seconds is adjusted to the closest multiple of 8 seconds.

Switch#configure terminal
Switch(config)#mls aging fast threshold 64 time 30

The other workaround would be to disable service internal, in case you have enabled it, and remove mls flow ip interface-full in case you do not need full flow.

Switch(config)#no service internal
Switch(config)#mls flow ip interface-full

Hope this helps.


InayathUlla Sharieff
Cisco Employee

Hi Netter,

Error message:

%EARL_NETFLOW-SPSTBY-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [92%]

%EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [90%]

Description :

This message indicates that the NetFlow ternary content addressable memory (TCAM) is almost full. Aggressive aging will be temporarily enabled. If you change the NetFlow mask to FULL mode, TCAM for NetFlow can overflow because there are so many entries. Issue the show mls netflow ip count command in order to check this information.

The Supervisor Engine 720 checks how full the NetFlow table is every 30 seconds. The Supervisor Engine turns on aggressive aging when the table size reaches almost 90 percent. The idea behind aggressive aging is that the table is nearly full, so there are new active flows that cannot be created. Therefore, it makes sense to aggressively age-out the less active flows (or inactive flows) in the table in order to make space for more active flows.

The capacity for each policy feature card (PFC) NetFlow table (IPv4), for PFC3a and PFC3b, is 128,000 flows. For the PFC3bXL, the capacity is 256,000 flows.

Workaround

In order to prevent this problem, disable the FULL NetFlow mode. Issue the no mls flow ip command.

Note: Generally, the no mls flow ip command does not affect packet forwarding because TCAM for packet forwarding and TCAM for NetFlow accounting are separate.

In order to recover from this issue, enable MLS fast aging. While you enable MLS fast aging time, initially set the value to 128 seconds. If the size of the MLS cache continues to grow over 32 K entries, decrease the setting until the cache size remains less than 32 K. If the cache continues to grow over 32K entries, decrease the normal MLS aging time. Any aging-time value that is not a multiple of 8 seconds is adjusted to the closest multiple of 8 seconds.

   Switch#configure terminal

   Switch(config)#mls aging fast threshold 64 time 30

The other workaround would be to disable service internal, in case you have enabled it, and remove mls flow ip interface-full in case you do not need full flow.

   Switch(config)#no service internal

   Switch(config)#mls flow ip interface-full

***********************************************************************

************************************

From me:

- So this will help with short-lived flows by definition, such as DNS queries etc.

Few more to add:

- adjust flow mask http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/netflow.html#wp1057334

Hope this helps,

Regards

Inayath
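An added example, not part of the original thread: the Python below groups `TCAM_THRLD` syslog events per supervisor (SP, SPSTBY) into windows of sustained pressure, which are the periods when, per the tech note quoted above, new flows may not get a table entry and exported flow data can be incomplete. The log lines are constructed, and the timestamp year, the 5-minute grouping gap and the entry estimate (capacity times reported percentage) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines in the format quoted in the thread; timestamps and
# percentages are made up. Lines are assumed to carry a timestamp.
SAMPLE_LOG = """\
Aug 24 12:30:53: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [97%]
Aug 24 12:31:53: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [97%]
Aug 24 12:32:53: %EARL_NETFLOW-SPSTBY-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [92%]
Aug 24 12:33:53: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [95%]
Aug 24 14:05:10: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [90%]
Aug 24 14:05:40: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
"""

MSG_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %EARL_NETFLOW-(?P<src>[A-Z]+)-4-TCAM_THRLD: "
    r".*TCAM Utilization \[(?P<pct>\d+)%\]")

# IPv4 NetFlow table capacities as stated in the quoted tech note.
PFC_CAPACITY = {"PFC3a": 128_000, "PFC3b": 128_000, "PFC3bXL": 256_000}

def tcam_windows(log, year=2000, max_gap=timedelta(minutes=5)):
    """Group events per source into windows; a gap above max_gap starts a new one."""
    windows = {}
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue                      # unrelated message
        # Syslog omits the year, so an assumed one is supplied for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pct = int(m["pct"])
        runs = windows.setdefault(m["src"], [])
        if runs and ts - runs[-1]["end"] <= max_gap:
            runs[-1].update(end=ts, peak=max(runs[-1]["peak"], pct),
                            events=runs[-1]["events"] + 1)
        else:
            runs.append({"start": ts, "end": ts, "peak": pct, "events": 1})
    return windows

def estimated_entries(pct, pfc="PFC3b"):
    """Rough entry count: table capacity times the reported utilization."""
    return PFC_CAPACITY[pfc] * pct // 100

if __name__ == "__main__":
    for src, runs in tcam_windows(SAMPLE_LOG).items():
        for r in runs:
            print(src, r["start"], r["end"], f'peak {r["peak"]}%', estimated_entries(r["peak"]))
```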
