08-29-2011 01:36 AM
Hi Folks,
Recently we have configured few of our routers to export FNF (Flexible NetFlow), some of our router are exporting NetFlow V9 packets with fields as mentioned in the NetFlow V9 RFC. We noticed that one router is exporting NetFlow V9 with the field value different from RFC. I have attached the screen shot which shows that Field 194 is assigned for TOS. Whereas according RFC it is 5. Is there any specifc reason begind this or this is an IOS related issue.
08-29-2011 06:29 AM
This is an interesting question and I have run into it myself. As you pointed out, the NetFlow RFC 3954 makes reference to ToS as the 5th field and makes NO reference to DSCP. The IPFIX standard information elements outlined in RFC 5102 lists both ToS (5) and ipDiffServCodePoint (195).
Why have Both?
ToS is an 8 bit field that includes DSCP which is a 6 bit field. This being said, I could not find a Flexible NetFlow document that would make reference to both however, I know Cisco sometimes supports both in the same export. Be aware that Cisco NetFlow v5 and traditional NetFlow v9 only export ToS. I'm sure you are aware that FnF is an extension of NetFlow v9 and supports both ToS and / or DSCP depending on the implementation.
Why did this Happen?
Cisco is a big company. My guess is that communication doesn't always occur on every field that an engineer wants to export. Lets hope it is easy for them to address. In the mean time, what can you do?
Look for a Flexible NetFlow Reporting solution that supports reporting on either but, you need to be using our beta release. See attached.
Call us if you would like to test Scrutinizer v8.6.2 [beta].
Jake
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide