06-16-2015 10:51 AM - edited 03-08-2019 12:34 AM
hi,
I am having an issue when configuring a netflow command on 6500 switch. As soon as I enter the below command CPU goes up. Can anyone tell me what could be the issue?
ip flow ingress layer2-switched vlan 70
I also see below message in the log after the above command is entered.
%FM-2-FLOWMASK_CONFLICT: Features configured on interface Vlan70 have conflicting flowmask requirements, traffic may be switched in software
%FM_EARL7-4-FLOW_FEAT_FLOWMASK_REQ_FAIL: Flowmask request for the flow based feature NAT for protocol IPv4 is unsuccessful, hardware acceleration may be disabled for the feature
This is the interface vlan config
interface Vlan70
ip vrf forwarding ABC
ip address 10.26.47.195 255.255.255.240
ip nat inside
06-16-2015 05:13 PM
The meaning of the error is the following:
%FM-2-FLOWMASK_CONFLICT: Features configured on interface [chars] have conflicting
flowmask requirements, traffic may be switched in software
The configured features for this interface have a flowmask conflict. The traffic on this
interface and the interfaces sharing the TCAM label with this interface may not comply
with the features under this condition. The traffic on these interfaces will be sent to
software under this condition.
Recommended Action: Redefine and reapply or deconfigure one or more features to avoid the
conflict.
Please check If you have "mls flow ip interface-full" is configured.If
yes,it should not be
configured, since this command is referring to the flow mask of NDE.
Basically you are trying to configure NDE to use the same flow mask that
NAT requires, thus preventing NAT to use it.
This is for sure one cause of that errors. You should remove that
command from the configuration and try again to set up the configuration.
HTH
Regards
Inayath
09-14-2016 01:54 PM
That is indeed the correct assessment of the error.
In my case, I had NAT enabled on the SVI and with the "mls flow ip interface-full" command enabled, I got the error described above, with the CPU utilization shooting way up;
A few verification commands confirmed the issue:
#show fm fie flowmask
Primary Flowmasks registered by Features
----------------------------+------------------------+---------------------
Feature Flowmask Flowmask Status
----------------------------+------------------------+---------------------
IP_ACCESS_INGRESS Intf Full Flow Disabled/Unused
IP_ACCESS_EGRESS Intf Full Flow Disabled/Unused
NAT_INGRESS Intf Full Flow Enabled
NAT_EGRESS Intf Full Flow Disabled/Unused
TCP_INTERCEPT Full Flow Least Disabled/Unused
IPV6_RACL_INGRESS Intf Full Flow Disabled/Unused
IPV6_RACL_EGRESS Intf Full Flow Disabled/Unused
INSPECT Full Flow Disabled/Unused
WCCP_INGRESS Intf Full Flow Disabled/Unused
WCCP_EGRESS Intf Full Flow Disabled/Unused
SLB Full Flow Least Disabled/Unused
FM_SVC_ACCLRT Intf Full Flow Disabled/Unused
IPV6_COPY_INGRESS Src only Disabled/Unused
Changing the flow-mask to a lesser one resolved the issue.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide