04-29-2010 10:21 AM - edited 03-06-2019 10:52 AM
Specific traffic coming from a source through R1: when the traffic leaves the R1 egress interface fa0/1, the NetFlow capture is reporting the traffic as CS3 (DSCP). Same result on R2, for traffic leaving the R2 egress interface: CS3 as well. Now when the traffic arrives on the R3 ingress interface, I am seeing DSCP 29, which based on the output below is correct. It looks like, based on the result, NetFlow is reporting an incorrect DSCP marking for traffic going out of the R1/R2 interfaces, and I think this is due to the behaviour of the ingress-based NetFlow export configuration.
Am I right in saying that this issue can be fixed by enabling egress-based NetFlow data export on the routers, since I only have ingress-based NetFlow enabled, so that the NetFlow cache is populated for the outgoing traffic with the correct DSCP marking?
Please help...
R1
#####
Interface fa1/0
ip flow ingress
service-policy output INT_OUT_SPECIAL
end
R1# sh policy-map interface fa1/0
Class-map: SAN (match-all)
415875553 packets, 449859591777 bytes
30 second offered rate 19333000 bps, drop rate 0000 bps
Match: ip dscp 29
Queueing
queue limit 869 packets
(queue depth/total drops/no-buffer drops) 0/71/0
(pkts output/bytes output) 415875482/449859522529
bandwidth remaining 35%
NETFLOW RESULT (FOR OUTGOING TRAFFIC)
Based on NetFlow, the user sees the traffic with DSCP CS3, NOT DSCP 29!!!!
R2
#####
Interface fa1/0
ip flow ingress
service-policy output INT_OUT_SPECIAL
R2# sh policy-map interface fa1/0
Class-map: STORAGEQ (match-all)
452280090 packets, 489610474886 bytes
30 second offered rate 19333000 bps, drop rate 0000 bps
Match: ip dscp 29
Queueing
queue limit 869 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 452280090/489610474886
bandwidth remaining 35%
NETFLOW RESULT (FOR OUTGOING TRAFFIC)
Based on NetFlow, the user sees the traffic with DSCP CS3, NOT DSCP 29!!!!
R3
#####
R3#sh policy-map interface fa1/1
Class-map: STORAGEQ (match-all)
2219060065 packets, 256197893380 bytes
30 second offered rate 1475000 bps, drop rate 0 bps
Match: ip dscp 29
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth remaining 35% (217700 kbps)
NETFLOW RESULT (FOR INCOMING TRAFFIC)
Based on NetFlow, the user sees the traffic with DSCP 29.
04-29-2010 02:20 PM
NetFlow is sampling flows entering the router.
Your service-policy is matching against flows leaving the router.
They are matching traffic going in different directions.
If your router supports Egress NetFlow, you should configure it on the interface to determine if the service-policy and netflow reporting do match.
Regards
Edison
04-29-2010 03:43 PM
Edison,
That's what I thought!
I will configure Egress NetFlow and see if the service-policy and netflow reporting do match.
Will update the post with my findings..
05-03-2010 03:43 AM
Yes, enabling egress will fix this; however, you will be exporting twice the volume of NetFlow. Make sure your NetFlow reporting tool can handle both at the same time. Mike Patterson wrote a blog a while back on "Best Practices in Egress NetFlow Reporting".
http://www.plixer.com/blog/scrutinizer/best-practices-in-egress-netflow-reporting/
Jake
05-05-2010 06:54 AM
Hi Francisco,
This is an expected behaviour. NetFlow accounting with 'ip flow ingress' command captures only IN traffic for the interfaces. Since the exit interface information is available from the ingress NetFlow packets, most of the NetFlow tools capture the OUT traffic for the receiving interface. But, when it comes to QoS markings, this accounting causes incorrect reports as the captured DSCP IN is marked as DSCP OUT.
You can check the below link for details:
As the link says, Egress Netflow will certainly be able to show the DSCP OUT properly. ManageEngine even combines multiple monitoring technologies into a single tool. See the below link to know about this:
Hope this helps.
Regards,
Don Jacob
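The mechanism Edison, Jake and Don Jacob describe above (ingress records carry the ToS byte as seen on entry plus the output ifIndex; tools derive "OUT" traffic from that ifIndex, so the pre-remark DSCP is reported as the outbound DSCP; enabling `ip flow egress` doubles the export) can be shown with a toy collector. The following is an added example written for this page, not Cisco code or code from any poster: it packs and parses real NetFlow v5 records (48-byte layout, DSCP = ToS >> 2), then aggregates them the way a reporting tool does. The ifIndexes (1 = ingress interface, 2 = fa1/0), addresses, byte count and iSCSI port 3260 are made up, and the ingress/egress direction tag stands in for the NetFlow v9 DIRECTION element (field 61), which v5 does not carry.

```python
"""Toy NetFlow collector showing why ingress-only NetFlow reports the
pre-remark DSCP for *outbound* traffic.  Added illustration, not Cisco code;
ifIndexes, addresses, ports and byte counts are constructed sample data."""
import struct
from collections import defaultdict

# Cisco NetFlow v5 wire layout: 24-byte header, 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
CS3 = 24                 # class selector 3 == DSCP 24 == ToS byte 0x60
INGRESS, EGRESS = 0, 1   # values of the NetFlow v9 DIRECTION element (field 61)


def ip2int(a):
    return int.from_bytes(bytes(map(int, a.split("."))), "big")


def pack_v5(records):
    """Build one v5 export datagram from (src, dst, in_if, out_if, octets, dscp)."""
    body = b"".join(
        V5_RECORD.pack(ip2int(s), ip2int(d), 0, in_if, out_if, 1, octets,
                       0, 0, 3260, 3260, 0, 0x18, 6, dscp << 2, 0, 0, 24, 24, 0)
        for s, d, in_if, out_if, octets, dscp in records)
    return V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body


def parse_v5(datagram):
    """Decode v5 records into the fields a reporting tool uses.  v5 has no
    direction field, so 'direction' is None; a v9 exporter could fill it in."""
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    flows, off = [], V5_HEADER.size
    for _ in range(count):
        r = V5_RECORD.unpack_from(datagram, off)
        off += V5_RECORD.size
        flows.append({"input": r[3], "output": r[4], "octets": r[6],
                      "dscp": r[14] >> 2, "direction": None})
    return flows


def per_interface_dscp(flows):
    """Bytes per (ifIndex, 'in'|'out') per DSCP.  Without a direction field a
    record is counted as IN on its input ifIndex *and* OUT on its output
    ifIndex; that is how tools derive OUT traffic from ingress-only exports,
    and why the OUT DSCP is really the ingress DSCP.  With direction known,
    IN comes from ingress records and OUT from egress records only."""
    report = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["direction"] in (None, INGRESS):
            report[(f["input"], "in")][f["dscp"]] += f["octets"]
        if f["direction"] in (None, EGRESS):
            report[(f["output"], "out")][f["dscp"]] += f["octets"]
    return {k: dict(v) for k, v in report.items()}


# Assumed topology: a storage flow enters R1 on ifIndex 1 marked CS3, is
# remarked to DSCP 29 inside the router, and leaves on ifIndex 2 (fa1/0),
# where the output policy matches 'ip dscp 29'.
FLOW = ("10.0.0.10", "10.0.1.20", 1, 2, 1_500_000)


def ingress_only_report():
    """'ip flow ingress' only: the single record carries the ingress ToS byte."""
    return per_interface_dscp(parse_v5(pack_v5([FLOW + (CS3,)])))


def ingress_plus_egress_report():
    """'ip flow ingress' plus 'ip flow egress' with v9 DIRECTION tags: two
    records per flow (twice the export volume); the egress one carries the
    post-remark DSCP.  Returns (report, number of records exported)."""
    flows = parse_v5(pack_v5([FLOW + (CS3,), FLOW + (29,)]))
    flows[0]["direction"], flows[1]["direction"] = INGRESS, EGRESS
    return per_interface_dscp(flows), len(flows)


if __name__ == "__main__":
    print("ingress only  :", ingress_only_report()[(2, "out")])          # {24: 1500000}
    print("ingress+egress:", ingress_plus_egress_report()[0][(2, "out")])  # {29: 1500000}
```

Note that with v5 the ingress and egress records of one flow are indistinguishable on the wire (same input and output ifIndex, different ToS), so a collector would simply count the flow twice; the DIRECTION element is one reason the later posts' move to v9 matters when egress export is enabled.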
05-07-2010 05:06 AM
Thanks all for your excellent comments.
I am planning to roll out Egress Netflow and upgrade from v5 to v9.
Francisco
05-07-2010 06:18 AM
Great news. And by the way, ManageEngine released a new version of NetFlow reporting with enhanced NetFlow v9 support and sampling support. You should also check the QoS reporting feature, which can report on QoS policies for each match statement.
Check the below blog for more details:
http://blogs.manageengine.com/netflowanalyzer/2010/05/06/whats-new-in-netflow-analyzer-8
Regards,
Don Thomas