04-23-2013 12:51 AM - edited 03-07-2019 12:58 PM
Hi everyone,
We switched the core devices from two Cat 6500s to two Nexus 7Ks and most things work great, but we got a strange problem with DHCP in combination with NetFlow. The Nexus 7K has a Sup2 and 3 x Fabric 2 modules.
Mod  Ports  Module-Type                         Model              Status
---  -----  ----------------------------------- ------------------ ----------
1    0      Supervisor module-2                 N7K-SUP2           active *
3    48     1/10 Gbps Ethernet Module           N7K-F248XP-25      ok
4    48     1/10 Gbps Ethernet Module           N7K-F248XP-25      ok

Xbar Ports  Module-Type                         Model              Status
---  -----  ----------------------------------- ------------------ ----------
1    0      Fabric Module 2                     N7K-C7009-FAB-2    ok
2    0      Fabric Module 2                     N7K-C7009-FAB-2    ok
3    0      Fabric Module 2                     N7K-C7009-FAB-2    ok
We currently use 2 VDCs on each of the two 7Ks: one is Layer3 only (Core) and the other is the Layer3/Layer2 boundary (Distribution). On the Core Layer3-only VDC, NetFlow works so far that it exports the flows; on the Distribution Layer3/Layer2 VDC we didn't manage to get flows exported.
Configuration Core:
flow exporter CA-NETFLOWCOLLECTOR
  destination x.x.x.x
  source loopback0
  version 9
sampler PACKETWOLF
  mode 1 out-of 100
flow monitor MONITOR-IPSS-TRAFFIC
  record netflow-original
  exporter CA-NETFLOWCOLLECTOR
interface Ethernet3/2
  ip flow monitor MONITOR-IPSS-TRAFFIC input sampler PACKETWOLF
Flow exporter CA-NETFLOWCOLLECTOR:
Description: export netflow to CA netflow appliance
Destination: x.x.x.x
VRF: default (1)
Source Interface loopback0 (x.x.x.x)
Export Version 9
Sequence number 1351870
Exporter Statistics
Number of Flow Records Exported 0
Number of Templates Exported 0
Number of Export Packets Sent 0
Number of Export Bytes Sent 0
Number of Destination Unreachable Events 0
Number of No Buffer Events 0
Number of Packets Dropped (No Route to Host) 0
Number of Packets Dropped (other) 0
Number of Packets Dropped (LC to RP Error) 0
Number of Packets Dropped (Output Drops) 0
Time statistics were last cleared: Tue Apr 23 09:37:08 2013
Flow exporter CA-NETFLOWCOLLECTOR:
Description: export netflow to CA netflow appliance
Destination: x.x.x.x
VRF: default (1)
Source Interface loopback0 (x.x.x.x)
Export Version 9
Sequence number 1351870
Exporter Statistics
Number of Flow Records Exported 9
Number of Templates Exported 1
Number of Export Packets Sent 2
Number of Export Bytes Sent 588
Number of Destination Unreachable Events 0
Number of No Buffer Events 0
Number of Packets Dropped (No Route to Host) 0
Number of Packets Dropped (other) 0
Number of Packets Dropped (LC to RP Error) 0
Number of Packets Dropped (Output Drops) 0
Time statistics were last cleared: Tue Apr 23 09:37:08 2013
# show system internal access-list interface ethernet 3/2
slot 3
=======
Policies in ingress direction:
Policy type Policy Id Policy name
------------------------------------------------------------
Netflow Sampler 80000802
Netflow profiles in ingress direction:
TCAM Class Profile Flow Monitor
---------------------------------------
IPv4 2 MONITOR-IPSS-TRAFFIC
INSTANCE 0x0
---------------
Tcam 1 resource usage:
----------------------
Label_b = 0x201
Bank 1
------
IPv4 Class
Policies: Netflow Sampler() [Merged]
Netflow profile: 0
Netflow deny profile: 0
1 tcam entries
0 l4 protocol cam entries
0 mac etype/proto cam entries
0 lous
0 tcp flags table entries
0 adjacency entries
No egress policies
Netflow profiles in egress direction:
TCAM Class Profile Flow Monitor
---------------------------------------
slot 4
=======
ERROR: no ACL related hardware resources for vdc [2], interface [Ethernet3/2]
Configuration Dist:
flow exporter CA-NETFLOWCOLLECTOR
  destination x.x.x.x
  source loopback0
  version 9
sampler PACKETWOLF
  mode 1 out-of 100
flow monitor MONITOR-INTERVLAN-TRAFFIC
  record netflow-original
  exporter CA-NETFLOWCOLLECTOR
interface Vlan241
  ip flow monitor MONITOR-INTERVLAN-TRAFFIC input sampler PACKETWOLF
  .
  .
  ip dhcp relay address x.x.x.x
  ip dhcp relay address x.x.x.x
The difference here is that we also use DHCP relay. If I remove the NetFlow statement on the interface and add it again, I get the following error:
(config-if)# ip flow monitor MONITOR-INTERVLAN-TRAFFIC input sampler PACKETWOLF
An additional 1:100 sampler, over the configured sampler is applicable for F2 ports
Verify failed - Client 0x82000146, Reason: Tcam Allocation Failure, : DHCP, Netflow Sampler (SVI), Interface: Vlan241
Verify failed - Client 0x83000146, Reason: Tcam Allocation Failure, : DHCP, Netflow Sampler (SVI), Interface: Vlan241
Is there any limitation that I'm not aware of?
More output from the Dist:
Flow exporter CA-NETFLOWCOLLECTOR:
Description: export netflow to CA netflow appliance
Destination: x.x.x.x
VRF: default (1)
Source Interface loopback0 (x.x.x.x)
Export Version 9
Exporter Statistics
Number of Flow Records Exported 0
Number of Templates Exported 0
Number of Export Packets Sent 0
Number of Export Bytes Sent 0
Number of Destination Unreachable Events 0
Number of No Buffer Events 0
Number of Packets Dropped (No Route to Host) 0
Number of Packets Dropped (other) 0
Number of Packets Dropped (LC to RP Error) 0
Number of Packets Dropped (Output Drops) 0
Time statistics were last cleared: Tue Apr 23 09:43:20 2013
show system internal access-list vlan 241
slot 3
=======
Policies in ingress direction:
Policy type Policy Id Policy name
------------------------------------------------------------
DHCP 4 Relay
Netflow profiles in ingress direction:
TCAM Class Profile Flow Monitor
---------------------------------------
INSTANCE 0x8
---------------
Tcam 1 resource usage:
----------------------
Label_b = 0x201
Bank 0
------
IPv4 Class
Policies: DHCP(Relay) [Merged]
Netflow profile: 0
Netflow deny profile: 0
5 tcam entries
0 l4 protocol cam entries
0 mac etype/proto cam entries
0 lous
0 tcp flags table entries
1 adjacency entries
INSTANCE 0xa
---------------
Tcam 1 resource usage:
----------------------
Label_b = 0x201
Bank 0
------
IPv4 Class
Policies: DHCP(Relay) [Merged]
Netflow profile: 0
Netflow deny profile: 0
5 tcam entries
0 l4 protocol cam entries
0 mac etype/proto cam entries
0 lous
0 tcp flags table entries
1 adjacency entries
INSTANCE 0xb
---------------
Tcam 1 resource usage:
----------------------
Label_b = 0x201
Bank 0
------
IPv4 Class
Policies: DHCP(Relay) [Merged]
Netflow profile: 0
Netflow deny profile: 0
5 tcam entries
0 l4 protocol cam entries
0 mac etype/proto cam entries
0 lous
0 tcp flags table entries
1 adjacency entries
No egress policies
Netflow profiles in egress direction:
TCAM Class Profile Flow Monitor
---------------------------------------
slot 4
=======
Policies in ingress direction:
Policy type Policy Id Policy name
------------------------------------------------------------
DHCP 4 Relay
Netflow profiles in ingress direction:
TCAM Class Profile Flow Monitor
---------------------------------------
INSTANCE 0x8
---------------
Tcam 1 resource usage:
----------------------
Label_b = 0x201
Bank 0
------
IPv4 Class
Policies: DHCP(Relay) [Merged]
Netflow profile: 0
Netflow deny profile: 0
5 tcam entries
0 l4 protocol cam entries
0 mac etype/proto cam entries
0 lous
0 tcp flags table entries
1 adjacency entries
No egress policies
Netflow profiles in egress direction:
TCAM Class Profile Flow Monitor
---------------------------------------
Regards
Richard
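Added example, not part of the original thread: a small Python parser for the `show system internal access-list` output format shown in the post above, which reports the slots where a configured feature (here the Netflow Sampler) never made it into TCAM, i.e. where flow telemetry is silently missing. The sample text is constructed and abridged from the Vlan241 output; `parse_tcam` and `slots_missing` are hypothetical helper names, and the comma-separated handling of multiple policies on one line is an assumption.

```python
import re

# Constructed sample, abridged from the "show system internal access-list vlan 241"
# output format in the post above (separator lines and zero counters omitted).
SAMPLE = """\
slot 3
INSTANCE 0x8
Bank 0
IPv4 Class
Policies: DHCP(Relay) [Merged]
5 tcam entries
slot 4
INSTANCE 0x8
Bank 0
IPv4 Class
Policies: DHCP(Relay) [Merged]
5 tcam entries
"""

def parse_tcam(text):
    """Return one dict per 'Policies:' line: slot, instance, bank, policies, entries."""
    rows, slot, inst, bank = [], None, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"slot\s+(\d+)", line):
            slot, inst, bank = int(m[1]), None, None
        elif m := re.fullmatch(r"INSTANCE\s+(0x[0-9a-fA-F]+)", line):
            inst, bank = m[1], None
        elif m := re.fullmatch(r"Bank\s+(\d+)", line):
            bank = int(m[1])
        elif m := re.match(r"Policies:\s*(.+?)\s*\[Merged\]$", line):
            # "DHCP(Relay)" / "Netflow Sampler()": keep the feature name before "(".
            # Assumption: several policies on one line would be comma-separated.
            names = [p.split("(")[0].strip() for p in m[1].split(",")]
            rows.append({"slot": slot, "instance": inst, "bank": bank,
                         "policies": names, "entries": 0})
        elif (m := re.fullmatch(r"(\d+) tcam entries", line)) and rows:
            rows[-1]["entries"] = int(m[1])
    return rows

def slots_missing(rows, feature):
    """Slots that have programmed policies but none for `feature`."""
    slots = {r["slot"] for r in rows}
    have = {r["slot"] for r in rows if feature in r["policies"]}
    return sorted(slots - have)

if __name__ == "__main__":
    rows = parse_tcam(SAMPLE)
    print("slots without Netflow Sampler:", slots_missing(rows, "Netflow Sampler"))
```

Run against the Core output for Ethernet3/2, the same check returns an empty list because slot 3 shows `Netflow Sampler()` programmed in Bank 1.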
04-25-2013 02:52 AM
Got the following answer from tac:
I did a bit of research & found that as of now netflow & dhcp relay are not supported together. This will be supported in 6.2
There is an enhancement bug already filed for the same. Bug id is CSCtf36357.
08-31-2014 02:06 PM
To fix this, we need 2 things:
1) Code 6.2(6)
2) In the default VDC, enable hardware access-list resource feature bank-mapping.
08-31-2014 11:46 PM
Thanks manaik, bank-mapping did the trick! In the default vdc configure: "hardware access-list resource feature bank-mapping" and then I was able to have netflow and dhcp relay on the same interface.
I found another thread on the subject as well: https://supportforums.cisco.com/discussion/12075471/nexus-7k-dhcp-relay-w-ingress-netflow-sampling
Again, thanks a lot!
09-01-2013 02:24 PM
01-07-2014 02:43 AM
I just noticed the changes from yesterday 6 Jan 2014.
It seems that this bug has been fixed in NXOS 6.2(2).
Is there a chance that the bug will be fixed in the 6.1.(x) train as well?
01-25-2014 11:08 PM
We are experiencing this issue on our Nexus 7K's and we are running NX-OS 6.2(2a). Does not look like this is fixed yet.
01-26-2014 12:15 PM
Hi Guys,
The fix was planned originally for 6.2.2 but was pushed to 6.2.6 due to some other priorities. This has been fixed in 6.2.6.
Please see the release notes.
Cheers,
-amit singh
01-29-2014 11:43 AM
Just removed the DHCP relays from my interface Vlan and was able to add the ip flow monitor with no issue. Tried adding the DHCP relays back and received:
ERROR: Hardware programming failed. Reason: Tcam Allocation Failure
Removed the ip flow monitor and was able to add back the dhcp relays. Looks like it is not fixed yet. I am at 6.2.6.
02-19-2014 06:05 AM
Just to confirm, upgraded to 6.2.6 to get around having to add the hardware ACL. The ACL was still required after the upgrade.
08-31-2014 11:48 PM
This seems to still be a problem. We are currently on a Nexus 7704 chassis with N77-F348XP-23 with NX-OS version 6.2(8). When will this be fixed?
Edit: This is not a bug, you just need to configure "hardware access-list resource feature bank-mapping"
03-21-2018 09:57 AM
Sorry to bother you, but I'm having the same problem on a Nexus 7706 after migration from a Cisco C6509. I want to allow DHCP relay and netflow on the same interface. If I run this command "(config)# hardware access-list resource feature bank-mapping", does it impact the network in some way?