cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1199
Views
0
Helpful
1
Replies

ToS filed change in NetFlow V9 packets

prawin_2608
Level 1
Level 1

Hi Folks,

Recently we have configured few of our routers to export FNF (Flexible NetFlow), some of our router are exporting NetFlow V9 packets with fields as mentioned in the NetFlow V9 RFC. We noticed that one router is exporting NetFlow V9 with the field value different from RFC. I have attached the screen shot which shows that Field 194 is assigned for TOS. Whereas according RFC it is 5. Is there any specifc reason begind this or this is an IOS related issue.


1 Reply 1

jakewilson
Level 1
Level 1

This is an interesting question and I have run into it myself. As you pointed out, the NetFlow RFC 3954 makes reference to ToS as the 5th field and makes NO reference to DSCP. The IPFIX standard information elements outlined in RFC 5102 lists both ToS (5) and ipDiffServCodePoint (195).

Why have Both?

ToS is an 8 bit field that includes DSCP which is a 6 bit field. This being said, I could not find a Flexible NetFlow document that would make reference to both however, I know Cisco sometimes supports both in the same export. Be aware that Cisco NetFlow v5 and traditional NetFlow v9 only export ToS. I'm sure you are aware that FnF is an extension of NetFlow v9 and supports both ToS and / or DSCP depending on the implementation.

  • Cisco NBAR (requires FnF) for example, it will export both ToS = ipClassOfService (5) and DSCP ipDiffServCodePoint (195). See attached.

         

  • Cisco Performance Monitoring for Medianets (requires FnF) for example, it only allows for the export of DSCP ipDiffServCodePoint (195).

Why did this Happen?

Cisco is a big company. My guess is that communication doesn't always occur on every field that an engineer wants to export. Lets hope it is easy for them to address. In the mean time, what can you do?

Look for a Flexible NetFlow Reporting solution that supports reporting on either but, you need to be using our beta release. See attached.

Call us if you would like to test Scrutinizer v8.6.2 [beta].

Jake

Join NetFlow Developments on Linkedin

Review Cisco Networking for a $25 gift card