
Netflow result incorrect dscp marking..

francisco_1

Specific traffic coming from a source through R1: when the traffic leaves router R1's egress interface fa0/1, the NetFlow capture is capturing traffic as CS3 (DSCP). Same result on R2, for traffic leaving R2 egress as CS3 as well. Now when the traffic arrives on the R3 ingress interface, I am seeing DSCP 29, which based on the output below is correct. It looks like, based on the result, NetFlow is reporting an incorrect DSCP marking for traffic going out of the R1/R2 interface, and I think this is due to the behavior of the ingress-based NetFlow export configuration.

Am I right in saying that this issue can be fixed by enabling egress-based NetFlow data export on the routers, since I only have ingress-based NetFlow enabled, for the NetFlow cache to populate the outgoing traffic with the correct DSCP marking?

Please help...


R1 
#####

Interface fa1/0
ip flow ingress
service-policy output INT_OUT_SPECIAL
end

R1# sh policy-map interface fa1/0

Class-map: SAN (match-all) 
      415875553 packets, 449859591777 bytes
      30 second offered rate 19333000 bps, drop rate 0000 bps
      Match:  ip dscp 29
      Queueing
      queue limit 869 packets
      (queue depth/total drops/no-buffer drops) 0/71/0
      (pkts output/bytes output) 415875482/449859522529
      bandwidth remaining 35%

NETFLOW RESULT (FOR OUTGOING TRAFFIC)
BASED ON NETFLOW USER USE TRAFFIC WITH DSCP CS3!!!!NOT DSCP 29


R2
#####

Interface fa1/0
ip flow ingress
service-policy output INT_OUT_SPECIAL


R2# sh policy-map interface fa1/0
Class-map: STORAGEQ (match-all) 
      452280090 packets, 489610474886 bytes
      30 second offered rate 19333000 bps, drop rate 0000 bps
      Match:  ip dscp 29
      Queueing
      queue limit 869 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 452280090/489610474886
      bandwidth remaining 35%

NETFLOW RESULT (FOR OUTGOING TRAFFIC)
BASED ON NETFLOW USER USE TRAFFIC WITH DSCP CS3!!!!NOT DSCP 29


R3
#####

R3#sh policy-map interface  fa1/1

Class-map: STORAGEQ (match-all)
      2219060065 packets, 256197893380 bytes
      30 second offered rate 1475000 bps, drop rate 0 bps
      Match: ip dscp 29
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      bandwidth remaining 35% (217700 kbps)


NETFLOW RESULT (FOR INCOMING TRAFFIC)
BASED ON NETFLOW USER USE TRAFFIC WITH DSCP 29


Edison Ortiz

R1
#####

Interface fa1/0
ip flow ingress
service-policy output INT_OUT_SPECIAL
end

R1# sh policy-map interface fa1/0

Class-map: SAN (match-all)
      415875553 packets, 449859591777 bytes
      30 second offered rate 19333000 bps, drop rate 0000 bps
      Match:  ip dscp 29
      Queueing
      queue limit 869 packets
      (queue depth/total drops/no-buffer drops) 0/71/0
      (pkts output/bytes output) 415875482/449859522529
      bandwidth remaining 35%

NETFLOW RESULT (FOR OUTGOING TRAFFIC)
BASED ON NETFLOW USER USE TRAFFIC WITH DSCP CS3!!!!NOT DSCP 29

NetFlow is sampling flows entering the router.

Your service-policy is matching against flows leaving the router.

They are matching traffic going in different directions.

If your router supports Egress NetFlow, you should configure it on the interface to determine if the service-policy and netflow reporting do match.

Regards

Edison

Edison,

That's what I thought!

I will configure Egress NetFlow and see if the service-policy and netflow reporting do match.

Will update the post with my findings..

jakewilson

Yes, enabling egress will fix this; however, you will be exporting twice the volume of NetFlow.  Make sure your NetFlow reporting tool can handle both at the same time.  Mike Patterson wrote a blog a while back on "Best Practices in Egress NetFlow Reporting".

http://www.plixer.com/blog/scrutinizer/best-practices-in-egress-netflow-reporting/

Jake

Don Jacob

Hi Francisco,

This is an expected behaviour. NetFlow accounting with 'ip flow ingress' command captures only IN traffic for the interfaces. Since the exit interface information is available from the ingress NetFlow packets, most of the NetFlow tools capture the OUT traffic for the receiving interface. But, when it comes to QoS markings, this accounting causes incorrect reports as the captured DSCP IN is marked as DSCP OUT.

You can check the below link for details:

http://blogs.manageengine.com/netflowanalyzer/2009/05/26/enable-egress-based-netflow-to-get-the-real-qos-markings

As the link says, Egress Netflow will certainly be able to show the DSCP OUT properly. ManageEngine even combines multiple monitoring technologies into a single tool. See the below link to know about this:

http://blogs.manageengine.com/netflowanalyzer/2009/10/12/manageengine-netflow-analyzer-deadly-combination-of-multiple-cisco-ios-technologies-for-detailed-network-visibility-and-forensics

Hope this should help.

Regards,

Don Jacob

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.
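
The reporting behaviour described in the reply above, as an added example (not code from the thread or from any vendor tool): a minimal NetFlow v5 record parser and an "OUT by DSCP" report keyed on the output ifIndex. The sample records, addresses, ifIndex values and the assumption that the router re-marks CS3 to DSCP 29 before transmission are constructed for illustration.

```python
import struct
from collections import Counter

# NetFlow v5 flow record: 48 bytes, network byte order.
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_record(in_if, out_if, tos, pkts, octets):
    """Pack a constructed v5 record; addresses and ports are sample values."""
    return V5_RECORD.pack(
        bytes([10, 0, 0, 5]), bytes([10, 0, 9, 5]), bytes(4),  # src, dst, nexthop
        in_if, out_if, pkts, octets, 0, 0,                     # ifIndexes, counters, first/last
        40000, 3260, 0, 0x18, 6, tos,                          # ports, pad, flags, TCP, ToS
        0, 0, 24, 24, 0)                                       # AS numbers, masks, pad

def parse_record(raw):
    """Return only the fields a DSCP report needs."""
    f = V5_RECORD.unpack(raw)
    # DSCP is the upper six bits of the ToS byte (field index 14).
    return {"input": f[3], "output": f[4], "octets": f[6], "dscp": f[14] >> 2}

def out_dscp_bytes(raw_records, out_if):
    """Bytes per DSCP for flows whose output ifIndex is out_if."""
    totals = Counter()
    for raw in raw_records:
        rec = parse_record(raw)
        if rec["output"] == out_if:
            totals[rec["dscp"]] += rec["octets"]
    return dict(totals)

# Constructed sample: one flow entering ifIndex 1 and leaving ifIndex 2.
# Ingress accounting records the ToS byte as received (0x60 = CS3, DSCP 24).
INGRESS_EXPORT = [build_record(1, 2, 0x60, 100, 150000)]
# Egress accounting records the ToS byte as transmitted (0x74 = DSCP 29).
EGRESS_EXPORT = [build_record(1, 2, 0x74, 100, 150000)]

def compare(out_if=2):
    """OUT report derived from ingress records vs. from egress records."""
    derived = out_dscp_bytes(INGRESS_EXPORT, out_if)
    actual = out_dscp_bytes(EGRESS_EXPORT, out_if)
    return derived, actual

if __name__ == "__main__":
    derived, actual = compare()
    print("OUT report from ingress export:", derived)
    print("OUT report from egress export: ", actual)
```
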

Thanks all for your excellent comments.

I am planning to roll out Egress Netflow and upgrade from v5 to v9.

Francisco

Great news.. And by the way, ManageEngine released a new version of NetFlow reporting with enhanced NetFlow v9 support and sampling support. You should also check the QoS reporting feature which can report on QoS policies for each match statement.

Check the below blog for more details:

http://blogs.manageengine.com/netflowanalyzer/2010/05/06/whats-new-in-netflow-analyzer-8

Regards,

Don Thomas

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.