MPLS, Netflow and Orion NTA - a few questions

Question

Hi,

I've got a few questions around how Orion Netflow Traffic Analyser handles MPLS Netflow and its suitability as a product for our network environment.

I've attached a (very) high-level diagram that shows a basic overview of our network topology. Essentially there is a core network of MPLS PE routers (Cisco 6509s running 12.2(33)SXI3) that each have multiple (over a hundred in some locations) edge CE routers attached (Cisco 3550s, 3560s & 3750s) running VRF-lite and potentially multiple VRFs.

All PE routers are dual-homed between two 'key' core routers and the traffic flowing through the MPLS interfaces on those two routers represents the majority of traffic on the network (with the obvious exception of traffic between two CE sites attached to the same PE). Some of the PEs just represent points-of-presence for the aggregation of sites but others are also data centres and the network is managed in-house, i.e. the MPLS network is not provided by a commercial service provider.

What I'd like to know is whether I can export the (ingress/egress/both?) Netflow information associated with the MPLS interfaces on PE 1 and PE 2 into Orion NTA (around 20 interfaces or so) and are there any compromises by doing this, i.e. how does NTA display data associated with different VRFs, will any data be missing from the Netflow record, etc?

Is the alternative collecting the ingress flows on all the non-MPLS interfaces on the PEs from the CEs (which would represent hundreds of interfaces)?

An example of one of the PE MPLS interfaces is:-

!
interface GigabitEthernet9/1
 description *** 1 Gig Fibre to xxxxxxxxx ***
 mtu 9216
 ip address 10.x.x.x 255.255.255.252
 ip pim sparse-dense-mode
 ip router isis
 mls qos trust dscp
 mpls label protocol ldp
 mpls ip
 no isis hello padding
end
!

with a interface to one of the CE routers looking something like this:-

!
interface GigabitEthernet1/9
 description *** Site A ***
 no ip address
 speed 10
 duplex full
!
interface GigabitEthernet1/9.2962
 description *** Site A management network connection***
 encapsulation dot1Q 2962
 ip address 10.x.x.x 255.255.255.252
!
interface GigabitEthernet1/9.4059
 description *** Site A VRF1 ***
 encapsulation dot1Q 4059
 ip vrf forwarding VRF1
 ip address 10.x.x.x 255.255.255.252
!
interface GigabitEthernet1/9.1793
 description *** Site A VRF2 ***
 encapsulation dot1Q 1793
 ip vrf forwarding VRF2
 ip address 10.x.x.x 255.255.255.252
!

Any advice on the subject would be gratefully received.

thanks

Matthew

Simple MPLS POPS NTA.jpg

bgfl-tech · Answer

Thanks Andy. In terms of standard Netflow fields will NTA still report on all the usual fields - source, destination, ports, etc. of the underlying IP traffic passing through those MPLS interfaces?

As all the seperate VRFs are our own (for different functional areas) we don't actually have any duplication of IP addresses and could identify VPNs/VRFs by source/destination addresses.

Essentially, what does NTA collate when sent flows generated using the ip flow ingress / ip flow egress comamnds under an MPLS interface?

As we're already made an investment in the Orion family I'd prefer to go with NTA if possible as opposed to a seperate product with its own infrastructure requirements as long as I can get a good understanding of what it can deliver in our environment.

thanks

Matthew

!
interface GigabitEthernet9/1
 description *** 1 Gig Fibre to xxxxxxxxx ***
 mtu 9216 ip address 10.x.x.x 255.255.255.252
 ip flow ingress 
 ip flow egress
 ip pim sparse-dense-mode
 ip router isis
 mls qos trust dscp
 mpls label protocol ldp
 mpls ip
 no isis hello padding
end
!

'mpls netflow egress' translated to 'ip flow egress'

mcbridea · Answer

I'll mark this for the NTA PM to look at and comment on the the MPLS support. I've looked over a lot of collectors, some have FNF for a couple of use cases but I have not seen any supporting MPLS fields.

bgfl-tech · Answer

Hi Andy,

Thanks for the reply. Is this something you're looking to incorporate into NTA at any point? When you say it doesn't exist today are you talking specifically about NTA or your understanding of the capabilities of Netflow collectors in general?

My organisation already uses NPM and NCM which is why NTA is the first Netflow app I've looked into.

Although I haven't shown in on the diagram PE1 and PE2 also have CEs connected - I just admitted that for simplicity’s sake.

Thanks

Matthew