One of the common problems Network Administrators face while using ingress based NetFlow configuration is reporting of incorrect DSCP markings for the traffic going out from the WAN interfaces. This is absolutely due to the behavior of the ingress based NetFlow export configuration and this can be fixed by enabling egress based NetFlow data export.

Most of the enterprises deploy ISP provisioned circuits to its branch offices and configure output QoS markings on WAN interfaces for traffic prioritization. This ensures that business critical applications are given high priority for optimum performance. The following picture depicts a typical enterprise way of connecting branch offices and datacenters.

An Enterprise headquarters is connected to its branch offices and datacenter using an ISP circuit. The edge router in HQ is enabled with ingress based NetFlow data export. Let’s see how NetFlow Analyzer interprets QoS markings using the flow record.

As I mentioned earlier NetFlow data export is ingress based. Whenever a host with IP address 1.1.1.1 inside the LAN network starts sending data to server B in the branch office, the HQ router creates a NetFlow record in the cache with the following entries.

Field Src IP Dst IP Port Protocol DSCP Src Inf Dst Inf
Data 192.168.1.2 10.1.10.1 2113 TCP Default LAN – Fa0/0 WAN-Serial0/0/0

In the meanwhile due to the output QoS policy configuration in the WAN interface, the DSCP code of the traffic is altered to a high priority value and routed. And this priority change is not captured in the ingress based NetFlow traffic exported to Analyzer server since the flow cache was populated before the QoS policy action. Due to this NetFlow Analyzer reports the right DSCP value for the incoming traffic on the LAN interface and since the same flow record is used to calculate the out traffic for the WAN, WAN interface does not report the prioritized DSCP value on the outgoing traffic.

This issue can be fixed by enabling egress based NetFlow data export on the routers. The NetFlow Egress Support feature allows NetFlow accounting to be implemented for egress (outgoing) traffic on an interface or sub interface. Once the egress configuration is applied, NetFlow cache is populated with the information pertaining to outgoing traffic from any particular interface. For the same example which we have discussed above, the flow record will look like

Field Src IP Dst IP Port Protocol DSCP Src Inf Dst Inf
Data 192.168.1.2 10.1.10.1 2113 TCP AF1 LAN – Fa0/0 WAN-Serial0/0/0

As you see in the DSCP field now egress configuration reports the prioritized DSCP value since the NetFlow cache population happens after the promotion of DSCP value.

Additionally this egress based exports are also helpful to see the internal LAN IP addresses in the conversation reports, while NATing is in place on the router. Egress flows holds the local LAN IP addresses instead of the NATed IP address.

Please click here for information on configuring egress based NetFlow export. This will give you more information on pre-requisites and configuration commands. Kindly write to support@netflowanalyzer.com for your questions.

Thanks

Raj

  1. Hi Fred,

    Thanks for the comment. Let me know if you use Flexible NetFlow. It gives you outgoing TOS in ingress flows itself.

    Thanks
    Raj

  2. hassarfj

    very helpful – thank you