Specific traffic comes from a source through R1. When the traffic leaves router R1's egress interface fa0/1, NetFlow capture is capturing the traffic as CS3 (DSCP). Same result on R2: traffic leaving R2 egress is captured as CS3 as well. Now when the traffic arrives on the R3 ingress interface, I am seeing DSCP 29, which based on the output below is correct. It looks like, based on the result, NetFlow is reporting an incorrect DSCP marking for traffic going out of the R1/R2 interface, and I think this is due to the behavior of the ingress-based NetFlow export configuration.
Am I right in saying that this issue can be fixed by enabling egress-based NetFlow data export on the routers, since I only have ingress-based NetFlow enabled, for the NetFlow cache to populate the outgoing traffic with the correct DSCP marking?
Interface fa1/0
 ip flow ingress
 service-policy output INT_OUT_SPECIAL
end
R1# sh policy-map interface fa1/0
  Class-map: SAN (match-all)
    415875553 packets, 449859591777 bytes
    30 second offered rate 19333000 bps, drop rate 0000 bps
    Match: ip dscp 29
    Queueing
    queue limit 869 packets
    (queue depth/total drops/no-buffer drops) 0/71/0
    (pkts output/bytes output) 415875482/449859522529
    bandwidth remaining 35%
NETFLOW RESULT (FOR OUTGOING TRAFFIC) BASED ON NETFLOW USER USE TRAFFIC WITH DSCP CS3!!!!NOT DSCP 29
Interface fa1/0
 ip flow ingress
 service-policy output INT_OUT_SPECIAL
Yes, enabling egress will fix this; however, you will be exporting twice the volume of NetFlow. Make sure your NetFlow reporting tool can handle both at the same time. Mike Patterson wrote a blog a while back on "Best Practices in Egress NetFlow Reporting".
This is an expected behaviour. NetFlow accounting with 'ip flow ingress' command captures only IN traffic for the interfaces. Since the exit interface information is available from the ingress NetFlow packets, most of the NetFlow tools capture the OUT traffic for the receiving interface. But, when it comes to QoS markings, this accounting causes incorrect reports as the captured DSCP IN is marked as DSCP OUT.
As the link says, Egress Netflow will certainly be able to show the DSCP OUT properly. ManageEngine even combines multiple monitoring technologies into a single tool. See the below link to know about this:
Great news.. And by the way, ManageEngine released a new version of NetFlow reporting with enhanced NetFlow v9 support and sampling support. You should also check the QoS reporting feature which can report on QoS policies for each match statement.
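The behaviour discussed in this thread can be reproduced with a small model. This is an added example, not code from any poster or vendor: the record layout, interface names, the remark policy (CS3 re-marked to DSCP 29 before egress) and the sample packets are all constructed assumptions. It shows why a collector that derives OUT traffic from ingress records reports the pre-remark DSCP, and how using only egress records for OUT avoids both the wrong marking and double counting.

```python
from collections import defaultdict

CS3 = 24  # DSCP value of class selector 3

def router_flow_records(packets, remark, egress_enabled):
    """Emit simplified flow records (constructed model, not real NetFlow v5/v9).

    Ingress accounting sees the DSCP the packet arrived with; egress
    accounting sees the DSCP after the QoS policy has re-marked it.
    """
    records = []
    for p in packets:
        base = {"in_if": p["in_if"], "out_if": p["out_if"], "bytes": p["bytes"]}
        records.append({**base, "dir": "ingress", "dscp": p["dscp"]})
        if egress_enabled:
            dscp_out = remark.get(p["dscp"], p["dscp"])
            records.append({**base, "dir": "egress", "dscp": dscp_out})
    return records

def out_report(records, interface):
    """Bytes per DSCP reported as OUT traffic on `interface`.

    If egress records exist for the interface, use only those so the doubled
    export is not counted twice. Otherwise fall back to ingress records'
    output interface, which carries the pre-remark DSCP.
    """
    has_egress = any(r["dir"] == "egress" and r["out_if"] == interface
                     for r in records)
    wanted = "egress" if has_egress else "ingress"
    totals = defaultdict(int)
    for r in records:
        if r["dir"] == wanted and r["out_if"] == interface:
            totals[r["dscp"]] += r["bytes"]
    return dict(totals)

# Constructed sample: two packets arrive on fa0/0 marked CS3, leave via fa1/0.
PACKETS = [
    {"in_if": "fa0/0", "out_if": "fa1/0", "dscp": CS3, "bytes": 1500},
    {"in_if": "fa0/0", "out_if": "fa1/0", "dscp": CS3, "bytes": 1000},
]
REMARK = {CS3: 29}  # assumed policy: CS3 is re-marked to DSCP 29 before egress

if __name__ == "__main__":
    for egress in (False, True):
        recs = router_flow_records(PACKETS, REMARK, egress)
        print("egress enabled:", egress, len(recs), "records,",
              "OUT fa1/0 by DSCP:", out_report(recs, "fa1/0"))
```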