Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Netflow showing wrong ToS/DSCP value

We are marking all of our SSL (Port 443) traffic coming into the router from the LAN with a DSCP value of af31 and all of our HTTP (Port 80) traffic with a DSCP value of af21. These two protocols show to be more than 70% of the WAN outbound traffic but yet...a Netflow report shows that over 95% of the traffic is CS0 (Default class) and the other two ToS values show to be both less than 1%. How can this be?

Has anyone else experiencing this issue? is this an issue with Cisco netflow exports or an issue with the Solarwinds Netflow application and the way it translates the exports? I am currently working with Cisco TAC to confirm all of our packets getting marked on the Ingress are also being matched on the Egress via an test ACL. So far an test ACL put in place validates the amount of SSL traffic being remarked are getting matched on the outbound test ACL.

If anyone else can shed some light...I would appreciate any feedback.

Find more posts tagged with

Accepted answers

All comments

cnorborg

One question I would have is where are you marking the traffic? Are you marking it on the Ethernet interface of the router that has the WAN interface you are looking at? If so, think about this...

When are Netflow packets sent? Is there one sent when you receive a packet on the inbound interface of a router and another one sent when it is outbound from the same router? Or does a single netflow packet get sent as the packet passes through the router?

From what I understand (and please correct me if I'm wrong people!!), a netflow packet is sent from a router only once for each packet. This is done immediately after the packet is received, that means before any inbound service-policy that would remark the packet and definitely before it hits the outbound interface on the router. This would mean that the info your seeing is the packet as it was first received on the router. The only thing that the router does before it sends out the Netflow packet is determine the outbound interface, probably from the CEF cache, which might also be a big reason of why you need CEF turned on when running Netflow.

I figured this out by looking at the traffic from both ends of the WAN link (at least on my network). Picture this. Traffic marked CS0 comes into the router on G0/1, at which point a netflow packet is immediately sent out. Then, the service-policy on the inbound traffic inspects the traffic and sets its marking to AF31. The packet is then sent out on the outbound Serial0/1 using the QoS policy-map attached there. From your Netflow software if you look at this traffic on either G0/1 or S0/1 you see it as CS0 because the Netflow packet was sent out while the traffic was still marked that. But, the outbound QoS policy did recognize the AF31, AND if you look at the traffic on the inbound serial interface on the destination router, you will see it as AF31. That's at least what I saw on one of my WAN links from the routers at each end. Maybe there is another way to configure Netflow to reflect these changes as the packet passes through the router, but I don't think so.

cnorborg

Forgot to mention, if your not remarking on the same router, that would suggest to me that your not remarking properly or that your dropping your markings somewhere else, maybe on a LAN switch?

misoto

Yes we are marking the traffic only on the Ethernet interface coming in on the local LAN and configured the two WAN ports with CBWFQ to look at those markings. The two WAN Interface are the only interface that I have the Netflow configured on. I use to have them on all the interfaces (including LAN Interface) but when we piloted NetQoS, they doubled the data anytime we had more than one interface configured for Netflow. So I am not sure if it sends one netflow packet per interface, if so...would it send one for each WAN interface since these are the only two interfaces with Netflow configured? So if the router only sends a netflow packet once, then depending on the route that it takes out to the WAN...each WAN interface should only see the packet once, correct?

Now I agree with the you network scenario you described but again I removed any Netflow configuration on the LAN interface so when the packet comes into the router from the LAN, the Ethernet interface should not be sending a Netflow packet because the Ethernet interface does not have netflow configuraton. The Netflow packet should be sent after the remarking of the packet when it hits one of the two WAN interfaces...correct? Yes we have CEF turned on as well.

cnorborg

Doubling the traffic? Hmm.. I suppose that depends on how you look at it. Lets say you want to do a report on all the traffic from router A to router B. On router A your monitoring the ethernet interface and the serial interface. If you do a report on just Router A that includes both your Ethernet and Serial interface, since the traffic does cross both interfaces it would be doubled. You should do the report only on one of the two interfaces. This is normal.

However, if you look at just the Serial interface and see double the traffic, that's not. If its this way I'd like to see your configuration. Are you doing just "ip route-cache flow", or are you doing one or both of "ip flow ingress" and "ip flow egress". At the most I do "ip route-cache flow" and "ip flow ingress" and it seems to do everything good for me, of course I'm mainly using NetQos right now (another product) due to problems I had with demo'ing NTM, but if NTM is working on your router I wouldn't expect to see doubling the traffic.

So, to answer your question "So if the router only sends a netflow packet once, then depending on the route that it takes out to the WAN...each WAN interface should only see the packet once, correct?". The answer would be "yes", actually only one of the WAN interfaces should see the packet, not both. One packet should not take two different interfaces!! While you might see the same packet on both its inbound and outbound interfaces, if your only looking at one interface you should only see the traffic once.

As far as not seeing the correct QoS markings, try turning on Netflow on the destination router. I bet the packets you marked on the source router are being seen correctly marked on the destination router.