Quite a number of organizations uses some form of DSL connection for cost effective connectivity to the Internet of which ADSL is gaining more popularity due to the advantages it provides like higher security, IP Address conservation, per session accounting, etc. The ADSL connection requires the device to have a Dialer interface which establishes the connection after which a Virtual Access Interface will be created and the PPPoE session will run on this Virtual Access Interface. The Virtual Access Interface thus created inherits the properties of the Dialer interface.
Many users who use NetFlow data to monitor such interfaces would have seen that the Dialer Interface reports only outbound traffic and a Virtual Interface is automatically discovered and reporting inbound traffic. Let us see what is the reason for this and how NetFlow Analyzer can help.
As stated, it is the Dialer Interface created by the user that establishes the connection to the DSL provider and is the actual interface available on the router. Just for your information, the process of how a PPPoE connection is established is outlined below:
1. The router broadcasts a PPPoE Active Discovery Initiation (PADI) packet.
2. When the ISP’s access concentrator receives a PADI packet, it sends a PPPoE Active Discovery Offer (PADO) packet to the client.
3. The host then looks through the many PADO packets it receives (as the PADI was a broadcast) and chooses one based on a few criterion.
4. The host then connects to the ISP’s concentrator by sending a PPPoE Active Discovery Request (PADR) packet.
4. The access concentrator the accepts the connection by sending a confirmation packet to the client.
Once the confirmation is received, a Virtual Access Interface which inherits the properties of the Dialer interface is created and the session will run on this interface. Here, the traffic will leave the router through the Dialer Interface. This is how Cisco has implemented routing via dialer interfaces. It is to this interface on the router that the default route points thus taking the OUT traffic through the Dialer interface. When traffic comes in, it enters the network through the Virtual Access Interface as this is the interface that established the DSL connection.
To monitor the interfaces for traffic and bandwidth analysis, NetFlow can be enabled only on the interfaces that appears in the configuration. ie. the Dialer Interface along with the other physical interfaces and logical interfaces on the router. The Virtual Interface will automatically inherit the Dialer interface’s properties when the DSL connection is to be established and will not show up in the configuration table.
When NetFlow data is exported, the IN traffic is captured on the Virtual Access Interface and the OUT traffic is captured on the Dialer Interface as this is how traffic has traversed.
A NetFlow cache entry with Dialer and Virtual Interface traffic will be as below:
IN TRAFFIC OUT TRAFFIC
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/0 192.16.3.7 Di0 20.4.10.14 06 043B 0747 2
Fa0/0 192.16.3.7 Di0 83.18.4.58 11 7B9A 05D2 1
Fa0/0 142.12.3.9 Di0 64.3.93.8 06 0BD0 01BB 1
Vi2 82.14.5.1 Local 91.63.6.3 32 8D41 B1A4 11
Vi2 84.20.12.46 Local 91.63.6.3 32 0E87 9CDC 170
Vi2 82.14.5.1 Local 91.63.6.3 2F 0000 0000 11
Fa0/0 192.16.3.7 Di0 92.37.54.12 06 070F 0DBB 4
Vi2 83.18.1.8 Fa0/0 91.63.6.3 11 05D2 7B9A 1
Vi2 92.3.4.72 Fa0/0 91.63.6.3 06 0DBB 070F 8
Vi2 8.23.15.46 Local 91.63.6.3 2F 0000 0000 170
Vi2 13.11.23.2 Fa0/0 91.3.6.3 11 D0A2 7B9A 1
Vi2 64.2.18.8 Fa0/0 91.3.6.3 06 01BB 0BD0 1
Fa0/0 19.16.3.7 Di0 13.11.23.23 11 7B9A D0A2 2
Fa0/0 12.16.3.7 Di0 21.12.23.25 11 7B9A AAF5 3
* All the IP Address have been changed and are randomly entered.
As you can see, NetFlow enabled on the Virtual Access interface has captured the IN traffic (categorized under SrcIf which is Source Interface) for the DSL connection and since traffic exits the router via the Dialer Interface due to Cisco’s routing, the OUT traffic (categorized under DstIf which is Destination Interface) for the DSL is captured from the Dialer interface. In order to see the combined traffic statistics for the DSL connection, you need to combine the graphs
for the Dialer Interface and the Virtual Interface.
Looking at a report for the interfaces, you can see that the graphs shows IN traffic for the Virtual Access Interface and the OUT traffic for the Dialer Interface and its not an easy job imagining them to be one especially when you want to see detailed reports on application, source, destination and both the IN and OUT traffic points.
The Interface Grouping feature in NetFlow Analyzer lets you group together different interfaces either from the same router or different devices to show the combined traffic statistics in a single graph. To create an Interface Graph, navigate to Device Group (option from Product Settings) and from here click on the Interface Group tab. From this link, you can select the interfaces to be grouped. You will be given an option to enter the Interface Group speed and here enter the speed of the Dialer interface (Virtual Access Interface wll have the same speed as it inherits the Dialers properties) and save the group.
The interface group created will show the combined graphs for both interfaces thus helping you get a clearer picture on the IN and OUT traffic for DSL link and also help in generating a complete report rather than having separate reports generated for each interface and then combining them. NetFlow Analyzer ensures that its not just the bandwidth monitoring that is made wasy, but the report generation too.
And a great thanks to Alec Waters who updated us about the behavior of ADSL connection through his post in our forums. You can follow Alec Waters on ManageEngine community from here.
Download | Interactive Demo | Product overview video | Twitter | Customers
Regards,
Don Thomas Jacob
