Enable egress based NetFlow to get the real QoS markings

One of the common problems Network Administrators face while using ingress based NetFlow configuration is reporting of incorrect DSCP markings for the traffic going out from the WAN interfaces. This is absolutely due to the behavior of the ingress based NetFlow export configuration and this can be fixed by enabling egress based NetFlow data export.

Most of the enterprises deploy ISP provisioned circuits to its branch offices and configure output QoS markings on WAN interfaces for traffic prioritization. This ensures that business critical applications are given high priority for optimum performance. The following picture depicts a typical enterprise way of connecting branch offices and datacenters.

An Enterprise headquarters is connected to its branch offices and datacenter using an ISP circuit. The edge router in HQ is enabled with ingress based NetFlow data export. Let’s see how NetFlow Analyzer interprets QoS markings using the flow record.

As I mentioned earlier NetFlow data export is ingress based. Whenever a host with IP address 1.1.1.1 inside the LAN network starts sending data to server B in the branch office, the HQ router creates a NetFlow record in the cache with the following entries.

FieldSrc IPDst IPPortProtocolDSCPSrc InfDst Inf
Data192.168.1.210.1.10.12113TCPDefaultLAN – Fa0/0WAN-Serial0/0/0

In the meanwhile due to the output QoS policy configuration in the WAN interface, the DSCP code of the traffic is altered to a high priority value and routed. And this priority change is not captured in the ingress based NetFlow traffic exported to Analyzer server since the flow cache was populated before the QoS policy action. Due to this NetFlow Analyzer reports the right DSCP value for the incoming traffic on the LAN interface and since the same flow record is used to calculate the out traffic for the WAN, WAN interface does not report the prioritized DSCP value on the outgoing traffic.

This issue can be fixed by enabling egress based NetFlow data export on the routers. The NetFlow Egress Support feature allows NetFlow accounting to be implemented for egress (outgoing) traffic on an interface or sub interface. Once the egress configuration is applied, NetFlow cache is populated with the information pertaining to outgoing traffic from any particular interface. For the same example which we have discussed above, the flow record will look like

FieldSrc IPDst IPPortProtocolDSCPSrc InfDst Inf
Data192.168.1.210.1.10.12113TCPAF1LAN – Fa0/0WAN-Serial0/0/0

As you see in the DSCP field now egress configuration reports the prioritized DSCP value since the NetFlow cache population happens after the promotion of DSCP value.

Additionally this egress based exports are also helpful to see the internal LAN IP addresses in the conversation reports, while NATing is in place on the router. Egress flows holds the local LAN IP addresses instead of the NATed IP address.

Please click here for information on configuring egress based NetFlow export. This will give you more information on pre-requisites and configuration commands. Kindly write to support@netflowanalyzer.com for your questions.

Thanks

Raj