6 Replies Latest reply on Jan 27, 2009 2:54 PM by Craig Norborg

    Netflow showing wrong ToS/DSCP value

    misoto

      We are marking all of our SSL (Port 443) traffic coming into the router from the LAN with a DSCP value of af31 and all of our HTTP (Port 80) traffic with a DSCP value of af21.  These two protocols show to be more than 70% of the WAN outbound traffic but yet...a Netflow report shows that over 95% of the traffic is CS0 (Default class) and the other two ToS values show to be both less than 1%.  How can this be?

      Is anyone else experiencing this issue? Is this an issue with Cisco netflow exports or an issue with the Solarwinds Netflow application and the way it translates the exports?  I am currently working with Cisco TAC to confirm all of our packets getting marked on the Ingress are also being matched on the Egress via a test ACL.  So far a test ACL put in place validates the amount of SSL traffic being remarked is getting matched on the outbound test ACL.

      If anyone else can shed some light...I would appreciate any feedback.

        • Re: Netflow showing wrong ToS/DSCP value
          Craig Norborg

          One question I would have is where are you marking the traffic?   Are you marking it on the Ethernet interface of the router that has the WAN interface you are looking at?   If so, think about this...

          When are Netflow packets sent?  Is there one sent when you receive a packet on the inbound interface of a router and another one sent when it is outbound from the same router?   Or does a single netflow packet get sent as the packet passes through the router?

          From what I understand (and please correct me if I'm wrong people!!), a netflow packet is sent from a router only once for each packet.  This is done immediately after the packet is received, that means before any inbound service-policy that would remark the packet and definitely before it hits the outbound interface on the router.   This would mean that the info you're seeing is the packet as it was first received on the router.  The only thing that the router does before it sends out the Netflow packet is determine the outbound interface, probably from the CEF cache, which might also be a big reason why you need CEF turned on when running Netflow.

          I figured this out by looking at the traffic from both ends of the WAN link (at least on my network).   Picture this.  Traffic marked CS0 comes into the router on G0/1, at which point a netflow packet is immediately sent out.  Then, the service-policy on the inbound traffic inspects the traffic and sets its marking to AF31.  The packet is then sent out on the outbound Serial0/1 using the QoS policy-map attached there.   From your Netflow software if you look at this traffic on either G0/1 or S0/1 you see it as CS0 because the Netflow packet was sent out while the traffic was still marked that.  But, the outbound QoS policy did recognize the AF31, AND if you look at the traffic on the inbound serial interface on the destination router, you will see it as AF31.   That's at least what I saw on one of my WAN links from the routers at each end.  Maybe there is another way to configure Netflow to reflect these changes as the packet passes through the router, but I don't think so.

            • Re: Netflow showing wrong ToS/DSCP value
              Craig Norborg

              Forgot to mention, if you're not remarking on the same router, that would suggest to me that you're not remarking properly or that you're dropping your markings somewhere else, maybe on a LAN switch?

                • Re: Netflow showing wrong ToS/DSCP value
                  misoto

                  Yes, we are marking the traffic only on the Ethernet interface coming in on the local LAN and configured the two WAN ports with CBWFQ to look at those markings.  The two WAN interfaces are the only interfaces that I have Netflow configured on.  I used to have it on all the interfaces (including the LAN interface) but when we piloted NetQoS, they doubled the data anytime we had more than one interface configured for Netflow.   So I am not sure if it sends one netflow packet per interface, if so...would it send one for each WAN interface since these are the only two interfaces with Netflow configured?  So if the router only sends a netflow packet once, then depending on the route that it takes out to the WAN...each WAN interface should only see the packet once, correct?

                  Now I agree with the network scenario you described but again I removed any Netflow configuration on the LAN interface so when the packet comes into the router from the LAN, the Ethernet interface should not be sending a Netflow packet because the Ethernet interface does not have netflow configuration.  The Netflow packet should be sent after the remarking of the packet when it hits one of the two WAN interfaces...correct?  Yes we have CEF turned on as well.

                    • Re: Netflow showing wrong ToS/DSCP value
                      Craig Norborg

                      Doubling the traffic?   Hmm..  I suppose that depends on how you look at it.  Let's say you want to do a report on all the traffic from router A to router B.   On router A you're monitoring the ethernet interface and the serial interface.  If you do a report on just Router A that includes both your Ethernet and Serial interface, since the traffic does cross both interfaces it would be doubled.  You should do the report only on one of the two interfaces.   This is normal.

                      However, if you look at just the Serial interface and see double the traffic, that's not.   If it's this way I'd like to see your configuration.   Are you doing just "ip route-cache flow", or are you doing one or both of "ip flow ingress" and "ip flow egress"?   At the most I do "ip route-cache flow" and "ip flow ingress" and it seems to do everything good for me, of course I'm mainly using NetQos right now (another product) due to problems I had with demo'ing NTM, but if NTM is working on your router I wouldn't expect to see doubling the traffic.

                      So, to answer your question "So if the router only sends a netflow packet once, then depending on the route that it takes out to the WAN...each WAN interface should only see the packet once, correct?".   The answer would be "yes", actually only one of the WAN interfaces should see the packet, not both.  One packet should not take two different interfaces!!    While you might see the same packet on both its inbound and outbound interfaces, if you're only looking at one interface you should only see the traffic once.

                      As far as not seeing the correct QoS markings, try turning on Netflow on the destination router.  I bet the packets you marked on the source router are being seen correctly marked on the destination router.

                        • Re: Netflow showing wrong ToS/DSCP value
                          misoto

                          Below I will copy and paste one of my configs so you can review, as you will see...I am using the "ip flow ingress" & "ip flow egress" on both WAN multilink interfaces.  I do have Netflow configured on all of our routers but since we are on an MPLS any to any configuration, it makes it hard to look at the other end to see how packets are being marked coming in from the WAN, especially on the core 7613's.

                           

                          Here is the config:


                          !
                          version 12.4
                          no service pad
                          service tcp-keepalives-in
                          service tcp-keepalives-out
                          service timestamps debug datetime msec localtime show-timezone
                          service timestamps log datetime msec localtime show-timezone
                          service password-encryption
                          service sequence-numbers
                          !
                          hostname usSANrt01
                          !
                          boot-start-marker
                          boot system flash:c3845-adventerprisek9-mz.124-9.T2.bin
                          boot-end-marker
                          !
                          card type t1 0 0
                          card type t1 0 1
                          card type t1 0 2
                          card type t1 0 3
                          card type t1 4 1
                          security authentication failure rate 3 log
                          security passwords min-length 6
                          logging buffered 16000 informational
                          logging console notifications
                          enable secret 5 $1$u9J4$SRBVXTeGdIOmofpEMdofQ/
                          !
                          aaa new-model
                          !
                          !
                          aaa group server tacacs+ CDAC
                           server 10.26.10.247
                           server 10.26.10.246
                          !
                          aaa group server tacacs+ NDAC
                           server 10.28.10.247
                           server 10.28.10.246
                          !
                          aaa authentication fail-message ^CCCCFailed login. Try again.^C
                          aaa authentication password-prompt "CiscoSecure Unavailable - Password: "
                          aaa authentication username-prompt "CiscoSecure Unavailable - UserName: "
                          aaa authentication login default group CDAC group NDAC local
                          aaa authentication login console local
                          aaa authentication enable default enable group CDAC group NDAC
                          aaa authorization console
                          aaa authorization exec default group CDAC group NDAC if-authenticated
                          aaa authorization network default group CDAC group NDAC if-authenticated
                          aaa accounting send stop-record authentication failure
                          aaa accounting exec default start-stop group CDAC group NDAC
                          aaa accounting commands 1 default start-stop group CDAC group NDAC
                          aaa accounting commands 15 default start-stop group CDAC group NDAC
                          aaa accounting system default start-stop group CDAC group NDAC
                          !
                          aaa session-id common
                          !
                          resource policy
                          !
                          network-clock-participate slot 4
                          no network-clock-participate wic 0
                          no network-clock-participate wic 1
                          no network-clock-participate wic 2
                          no network-clock-participate wic 3
                          network-clock-select 1 T1 4/0
                          no ip source-route
                          ip cef
                          ip tcp synwait-time 10
                          !
                          !
                          ip nbar custom TSM_TRAFFIC tcp 1500 1501
                          ip nbar custom CONNECTED_TRAFFIC tcp 16384
                          ip nbar custom VoIP_VMP_TO_VGMC udp range 5200 5263
                          ip nbar custom VoIP_SIGNAL_TO_SERVER udp 4100 7300
                          ip nbar custom VoIP_SIGNAL_TO_VGCM udp 5100 5000
                          ip nbar custom LIVE_MEETING_SRTP udp 3478
                          ip nbar custom LIVE_MEETING_VIDEO tcp 8057
                          ip nbar custom HDX_TCP_CALL_SETUP tcp range 3230 3253
                          ip nbar custom HDX_UDP_CALL_SETUP udp range 3230 3253
                          ip nbar custom OCS_1 udp 8576
                          ip nbar custom OCS_2 udp 20864
                          ip nbar custom OCS_3 udp 19584
                          ip nbar custom REMOTE_DESKTOP tcp 3389
                          ip nbar custom VMWARE_REMOTE tcp 902 904
                          !
                          !
                          no ip bootp server
                          ip domain name us.deloitte.com
                          ip name-server 10.26.10.80
                          ip name-server 10.28.10.80
                          ip multicast-routing
                          ip ssh time-out 60
                          ip ssh authentication-retries 2
                          !
                          !
                          isdn switch-type primary-qsig
                          voice-card 0
                           dspfarm
                          !
                          voice-card 4
                           dspfarm
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          !
                          username
                          !
                          !
                          controller T1 0/0/0
                           framing esf
                           linecode b8zs
                           channel-group 0 timeslots 1-24
                          !
                          controller T1 0/0/1
                           framing esf
                           linecode b8zs
                           channel-group 0 timeslots 1-24
                          !
                          controller T1 0/1/0
                           framing esf
                           linecode b8zs
                           channel-group 0 timeslots 1-24
                          !
                          controller T1 0/1/1
                           framing esf
                           linecode b8zs
                           channel-group 0 timeslots 1-24
                          !
                          controller T1 0/2/0
                           framing esf
                           linecode b8zs
                           channel-group 0 timeslots 1-24
                          !
                          controller T1 0/2/1
                           framing esf
                           linecode b8zs
                           channel-group 0 timeslots 1-24
                          !
                          controller T1 0/3/0
                           framing esf
                           linecode b8zs
                           channel-group 0 timeslots 1-24
                          !
                          controller T1 0/3/1
                           framing esf
                           linecode b8zs
                           channel-group 0 timeslots 1-24
                          !
                          controller T1 4/0
                           framing esf
                           linecode b8zs
                           pri-group timeslots 1-24 service mgcp
                           description Connection to Nortel PBX Q.SIG
                          !
                          controller T1 4/1
                           framing esf
                           linecode b8zs
                           pri-group timeslots 1-24 service mgcp
                           description Connection to Nortel PBX Q.SIG
                          !
                          class-map match-any INGRESS_TRANSACTIONAL_DATA
                           match protocol citrix
                           match protocol pcanywhere
                           match protocol novadigm
                           match protocol rcmd
                           match protocol sunrpc
                           match protocol dhcp
                           match protocol dns
                           match protocol ntp
                           match protocol irc
                           match protocol snmp
                           match protocol secure-telnet
                           match protocol kerberos
                           match protocol ssh
                           match protocol xwindows
                           match protocol http
                          class-map match-any EGRESS_BULK_DATA
                           match ip dscp af11  af12  af13
                          class-map match-any EGRESS_PRIORITY_DATA
                           match ip dscp af41  af42  af43
                          class-map match-any INGRESS_SCAVENGER_DATA
                           match protocol TSM_TRAFFIC
                           match protocol ftp
                           match protocol CONNECTED_TRAFFIC
                          class-map match-any EGRESS_MISSION_CRITICAL_DATA
                           match ip dscp cs3  af31  af32  af33
                          class-map match-any INGRESS_VoIP
                           match protocol VoIP_VMP_TO_VGMC
                           match protocol rtp audio
                          class-map match-any EGRESS_TRANSACTIONAL_DATA
                           match ip dscp af21  af22  af23
                          class-map match-any INGRESS_PRIORITY_DATA
                           match protocol LIVE_MEETING_SRTP
                           match protocol LIVE_MEETING_VIDEO
                           match protocol OCS_1
                           match protocol OCS_2
                           match protocol OCS_3
                           match protocol rtp video
                           match protocol netshow
                           match protocol streamwork
                           match protocol vdolive
                           match protocol mgcp
                           match protocol h323
                           match access-group name MULTICAST
                          class-map match-any INGRESS_BULK_DATA
                           match protocol exchange
                           match protocol pop3
                           match protocol secure-pop3
                           match protocol imap
                           match protocol secure-irc
                           match protocol notes
                           match protocol nntp
                           match protocol secure-nntp
                           match protocol secure-imap
                           match protocol nfs
                           match protocol netbios
                           match protocol secure-ftp
                           match protocol printer
                          class-map match-any EGRESS_SCAVENGER_DATA
                           match ip dscp cs1
                          class-map match-any INGRESS_MISSION_CRITICAL_DATA
                           match protocol skinny
                           match protocol sip
                           match protocol VoIP_SIGNAL_TO_SERVER
                           match protocol VoIP_SIGNAL_TO_VGCM
                           match protocol HDX_TCP_CALL_SETUP
                           match protocol HDX_UDP_CALL_SETUP
                           match protocol ldap
                           match protocol sqlnet
                           match protocol secure-ldap
                           match protocol smtp
                           match protocol sqlserver
                           match protocol http url "*.deloittenet.*"
                           match protocol cuseeme
                           match protocol syslog
                           match protocol REMOTE_DESKTOP
                           match protocol VMWARE_REMOTE
                           match protocol secure-http
                          class-map match-any EGRESS_VoIP
                           match ip dscp ef
                          !
                          !
                          policy-map EGRESS
                           class EGRESS_SCAVENGER_DATA
                            bandwidth remaining percent 1
                            random-detect
                           class EGRESS_VoIP
                            priority percent 20
                           class EGRESS_PRIORITY_DATA
                            bandwidth remaining percent 45
                           class EGRESS_MISSION_CRITICAL_DATA
                            bandwidth remaining percent 15
                           class EGRESS_TRANSACTIONAL_DATA
                            bandwidth remaining percent 10
                           class EGRESS_BULK_DATA
                            bandwidth remaining percent 6
                           class class-default
                            bandwidth remaining percent 3
                            random-detect
                          policy-map SHAPE_4xT1
                           class class-default
                            shape average 5836800 58368 0
                            service-policy EGRESS
                          policy-map INGRESS
                           class INGRESS_SCAVENGER_DATA
                            set dscp cs1
                           class INGRESS_VoIP
                            set dscp ef
                           class INGRESS_PRIORITY_DATA
                            set dscp af41
                           class INGRESS_MISSION_CRITICAL_DATA
                            set dscp af31
                           class INGRESS_TRANSACTIONAL_DATA
                            set dscp af21
                           class INGRESS_BULK_DATA
                            set dscp af11
                           class class-default
                          !
                          !
                          no crypto isakmp enable
                          !
                          !
                          !
                          !
                          !
                          interface Loopback0
                           description Management
                           ip address 10.5.110.205 255.255.255.255
                           ip rip advertise 90
                          !
                          interface Multilink1
                           description MPLS_SPRINT_CID:576726
                           ip address 172.20.1.174 255.255.255.252
                           ip nbar protocol-discovery
                           ip flow ingress
                           ip flow egress
                           ip pim sparse-mode
                           ppp multilink
                           ppp multilink group 1
                           service-policy output EGRESS
                          !
                          interface Multilink2
                           description MPLS_VERIZON_CID:BCBJN88R0001-0004
                           ip address 68.136.82.210 255.255.255.0
                           ip nbar protocol-discovery
                           ip flow ingress
                           ip flow egress
                           ip pim sparse-mode
                           ppp multilink
                           ppp multilink group 2
                           service-policy output EGRESS
                          !
                          interface GigabitEthernet0/0
                           description Local LAN
                           ip address 10.22.160.3 255.255.248.0
                           ip access-group 169 in
                           ip access-group 175 out
                           ip helper-address 10.26.10.81
                           ip helper-address 10.28.10.81
                           no ip proxy-arp
                           ip nbar protocol-discovery
                           ip rip advertise 90
                           duplex full
                           speed 100
                           media-type rj45
                           no mop enabled
                           service-policy input INGRESS
                          !
                          interface GigabitEthernet0/1
                           description SHUTDOWN
                           no ip address
                           no ip proxy-arp
                           shutdown
                           duplex auto
                           speed auto
                           media-type rj45
                          !
                          interface Serial0/0/0:0
                           description SPRINT_T1_CID:46122728
                           no ip address
                           encapsulation ppp
                           ppp multilink
                           ppp multilink group 1
                          !
                          interface Serial0/0/1:0
                           description SPRINT_T1_CID:46122729
                           no ip address
                           encapsulation ppp
                           ppp multilink
                           ppp multilink group 1
                          !
                          interface Serial0/1/0:0
                           description SPRINT_T1_CID:46122730
                           no ip address
                           encapsulation ppp
                           ppp multilink
                           ppp multilink group 1
                          !
                          interface Serial0/1/1:0
                           description SPRINT_T1_CID:46122731
                           no ip address
                           encapsulation ppp
                           ppp multilink
                           ppp multilink group 1
                          !
                          interface Serial0/2/0:0
                           description VERIZON_T1_CID:BCBJN88R0001
                           no ip address
                           encapsulation ppp
                           ppp multilink
                           ppp multilink group 2
                          !
                          interface Serial0/2/1:0
                           description VERIZON_T1_CID:BCBJN88R0002
                           no ip address
                           encapsulation ppp
                           ppp multilink
                           ppp multilink group 2
                          !
                          interface Serial0/3/0:0
                           description VERIZON_T1_CID:BCBJN88R0003
                           no ip address
                           encapsulation ppp
                           ppp multilink
                           ppp multilink group 2
                          !
                          interface Serial0/3/1:0
                           description VERIZON_T1_CID:BCBJN88R0004
                           no ip address
                           encapsulation ppp
                           ppp multilink
                           ppp multilink group 2
                          !
                          interface Serial4/0:23
                           description Unity-VM-Serial-LINK
                           no ip address
                           encapsulation hdlc
                           isdn switch-type primary-qsig
                           isdn protocol-emulate network
                           isdn incoming-voice voice
                           isdn T310 120000
                           isdn bind-l3 ccm-manager
                           no cdp enable
                          !
                          interface Serial4/1:23
                           description Unity-VM-Serial-LINK
                           no ip address
                           encapsulation hdlc
                           isdn switch-type primary-qsig
                           isdn protocol-emulate network
                           isdn incoming-voice voice
                           isdn T310 120000
                           isdn bind-l3 ccm-manager
                           no cdp enable
                          !
                          router bgp 65205
                           bgp router-id 10.5.110.205
                           bgp log-neighbor-changes
                           bgp bestpath as-path multipath-relax
                           timers bgp 10 30
                           neighbor 68.136.82.209 remote-as 65000
                           neighbor 68.136.82.209 description VERIZON_PE
                           neighbor 68.136.82.209 version 4
                           neighbor 172.20.1.173 remote-as 1803
                           neighbor 172.20.1.173 description SPRINT_PE
                           neighbor 172.20.1.173 version 4
                           maximum-paths 2
                           !
                           address-family ipv4
                           neighbor 68.136.82.209 activate
                           neighbor 68.136.82.209 soft-reconfiguration inbound
                           neighbor 68.136.82.209 route-map FROM_VERIZON in
                           neighbor 68.136.82.209 route-map TO_VERIZON out
                           neighbor 172.20.1.173 activate
                           neighbor 172.20.1.173 soft-reconfiguration inbound
                           neighbor 172.20.1.173 route-map FROM_SPRINT in
                           neighbor 172.20.1.173 route-map TO_SPRINT out
                           maximum-paths 2
                           no auto-summary
                           no synchronization
                           bgp dampening 10 1500 3000 30
                           network 10.5.110.205 mask 255.255.255.255
                           network 10.22.160.0 mask 255.255.248.0
                           exit-address-family
                           !
                           address-family nsap
                           maximum-paths 2
                           no synchronization
                           exit-address-family
                          !
                          !
                          ip as-path access-list 121 permit _65121_
                          ip flow-export source Loopback0
                          ip flow-export version 5
                          ip flow-export destination 10.26.10.188 9090
                          ip flow-top-talkers
                           top 10
                           sort-by bytes
                          !
                          no ip http server
                          ip http authentication local
                          no ip http secure-server
                          ip http timeout-policy idle 600 life 86400 requests 10000
                          no ip pim dm-fallback
                          ip pim autorp listener
                          ip tacacs source-interface Loopback0
                          !
                          ip access-list extended MULTICAST
                           permit ip 10.0.0.0 0.255.255.255 239.255.0.0 0.0.127.255
                           permit ip 10.0.0.0 0.255.255.255 host 224.0.1.39
                           permit ip 10.0.0.0 0.255.255.255 host 224.0.1.40
                          !
                          !
                          ip prefix-list DEF_ROUTE description DEFAULT_ROUTE
                          ip prefix-list DEF_ROUTE seq 5 permit 0.0.0.0/0
                          !
                          ip prefix-list MPLS_SAN_DIEGO description SAN_DIEGO
                          ip prefix-list MPLS_SAN_DIEGO seq 5 permit 10.5.110.205/32
                          ip prefix-list MPLS_SAN_DIEGO seq 10 permit 10.22.160.0/21
                          ip sla responder
                          !

                          logging facility local6
                          logging source-interface Loopback0
                          logging 10.5.238.126
                          logging 10.26.10.197
                          access-list 2 permit 206.113.119.128 0.0.0.63
                          access-list 4 permit 199.11.1.51
                          access-list 10 permit 10.0.0.0 0.255.255.255
                          access-list 15 remark Permits to Hermitage Loopback0 / Ethernet / F\R PVC
                          access-list 15 permit 10.5.110.205
                          access-list 15 permit 10.22.160.0 0.0.7.255
                          access-list 15 permit 10.21.97.0 0.0.0.255
                          access-list 15 permit 10.21.245.16 0.0.0.3
                          access-list 15 permit 10.21.245.104 0.0.0.3
                          access-list 75 permit 10.22.4.125
                          access-list 75 permit 10.26.10.0 0.0.0.255
                          access-list 75 permit 10.28.10.0 0.0.0.255
                          access-list 75 permit 10.22.4.0 0.0.3.255
                          access-list 75 permit 10.5.224.0 0.0.0.255
                          access-list 75 deny   any log
                          access-list 76 permit 10.22.4.125
                          access-list 76 permit 10.26.10.0 0.0.0.255
                          access-list 76 permit 10.28.10.0 0.0.0.255
                          access-list 76 deny   any log
                          access-list 169 deny   ip 169.254.0.0 0.0.255.255 any
                          access-list 169 permit ip any any
                          snmp-server view rtt-view sysUpTime included
                          snmp-server view rtt-view ciscoPingMIB included
                          snmp-server view rtt-view ciscoRttMonMIB included
                          snmp-server community
                          snmp-server community
                          snmp-server community
                          snmp-server community
                          snmp-server community
                          snmp-server trap link ietf
                          snmp-server trap-source Loopback0
                          snmp-server packetsize 4096
                          no snmp-server sparse-tables
                          snmp-server location
                          snmp-server contact Brandon Phalan, 619-237-6691
                          snmp-server chassis-id
                          snmp-server system-shutdown
                          snmp-server enable traps tty
                          snmp-server enable traps envmon
                          snmp-server enable traps atm pvc fail-interval 30
                          snmp-server enable traps bgp
                          snmp-server enable traps config
                          snmp-server enable traps frame-relay multilink bundle-mismatch
                          snmp-server enable traps frame-relay
                          snmp-server enable traps frame-relay subif
                          snmp-server enable traps hsrp
                          snmp-server enable traps rtr
                          snmp-server enable traps syslog
                          snmp-server host 10.26.10.60 Daytona
                          snmp-server host 10.26.10.62 Daytona
                          snmp-server host 10.28.10.207 Daytona
                          snmp-server manager
                          !
                          !
                          !
                          route-map TO_VERIZON permit 10
                           match ip address prefix-list MPLS_SAN_DIEGO
                           set ip next-hop peer-address
                          !
                          route-map FROM_VERIZON permit 10
                           match ip address prefix-list DEF_ROUTE
                          !
                          route-map FROM_VERIZON permit 20
                           match ip address 10 2
                          !
                          route-map FROM_VERIZON permit 30
                           match as-path 121
                          !
                          route-map TO_SPRINT permit 10
                           match ip address prefix-list MPLS_SAN_DIEGO
                          !
                          route-map FROM_SPRINT permit 10
                           match ip address prefix-list DEF_ROUTE
                          !
                          route-map FROM_SPRINT permit 20
                           match ip address 10 4
                          !
                          route-map FROM_SPRINT permit 30
                           match as-path 121
                          !
                          !
                          !
                          tacacs-server host 10.26.10.247
                          tacacs-server host 10.26.10.246
                          tacacs-server host 10.28.10.247
                          tacacs-server host 10.28.10.246
                          tacacs-server timeout 2
                          tacacs-server directed-request
                          tacacs-server key 7
                          !
                          control-plane
                          !
                          !
                          !
                          voice-port 4/0:23
                          !
                          voice-port 4/1:23
                          !
                          ccm-manager switchback immediate
                          ccm-manager fallback-mgcp
                          ccm-manager redundant-host 10.28.8.81
                          ccm-manager mgcp
                          ccm-manager music-on-hold
                          !
                          mgcp
                          mgcp call-agent 10.28.8.82 service-type mgcp version 0.1
                          mgcp dtmf-relay voip codec all mode out-of-band
                          mgcp ip qos dscp cs3 signaling
                          mgcp bind control source-interface Loopback0
                          mgcp bind media source-interface Loopback0
                          !
                          mgcp profile default
                          !
                          !
                          !
                          !
                          !
                          !
                          banner login ^C

                           

                          *******************************************************************
                          *                             Warning!                            *
                          * By accessing and using this system you are consenting to system *
                          * monitoring for law enforcement and other purposes. Unauthorized *
                          *     use of this computer system may subject you to criminal     *
                          *                    prosecution and penalties.                   *
                          *******************************************************************

                           

                          ^C
                          alias exec i sho ip int brie
                          alias exec b sho ip bgp sum
                          alias exec in sho run | in
                          alias exec be sho run | be
                          privilege exec level 1 traceroute
                          privilege exec level 1 ping
                          !
                          line con 0
                           exec-timeout 5 0
                           password
                           logging synchronous
                           transport output telnet
                           stopbits 1
                          line aux 0
                           exec-timeout 5 0
                           password
                           logging synchronous
                           stopbits 1
                          line vty 0 4
                           exec-timeout 15 0
                           password
                           logging synchronous
                           transport preferred none
                           transport input ssh
                          !
                          scheduler allocate 20000 1000
                          ntp clock-period 17179744
                          ntp server 10.26.10.70
                          !
                          end

                            • Re: Netflow showing wrong ToS/DSCP value
                              Craig Norborg

                              Everything looks fairly straightforward and normal to me. I don't use the ip flow egress at this point in time, but I'm not doing a lot with MPLS either, so you might need it...

                              I would definitely try looking from the other end, I think your packets are getting marked properly and you're just not seeing it because it's on the same router. Either that or mark them one step back, maybe on your core switches?
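
An added example, not part of the thread and not Cisco or SolarWinds code: the configuration above exports NetFlow version 5, so one way to see which ToS byte the router itself reports, independent of how the collector displays it, is to decode the export datagrams and total bytes per DSCP class. The function names and the sample flows are constructed for illustration; the record layout is the standard 24-byte v5 header followed by 48-byte flow records.

```python
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record
DSCP_NAMES = {0: "cs0", 18: "af21", 24: "cs3", 26: "af31"}  # classes named in this thread

def dscp_name(tos):
    """DSCP is the upper six bits of the ToS byte; the low two bits are ECN."""
    dscp = tos >> 2
    return DSCP_NAMES.get(dscp, f"dscp{dscp}")

def bytes_by_dscp(datagram):
    """Sum dOctets per DSCP class over every flow record in one v5 datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: fewer records than header count")
    totals = Counter()
    for i in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        octets, tos = rec[6], rec[14]   # dOctets and tos fields of the record
        totals[dscp_name(tos)] += octets
    return totals

def sample_datagram(flows):
    """Constructed input: flows is a list of (dst_port, tos, octets) tuples."""
    body = b"".join(
        RECORD.pack(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes(4), 1, 2,
                    10, octets, 0, 0, 40000, dport, 0, 0x18, 6, tos, 0, 0, 24, 24, 0)
        for dport, tos, octets in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    # Same three flows as recorded before marking (ToS 0) and after marking.
    unmarked = sample_datagram([(443, 0x00, 7000), (80, 0x00, 2000), (53, 0x00, 1000)])
    marked = sample_datagram([(443, 0x68, 7000), (80, 0x48, 2000), (53, 0x00, 1000)])
    for label, dgram in (("before marking", unmarked), ("after marking", marked)):
        print(label, dict(bytes_by_dscp(dgram)))
```

To run it against live exports, bind a UDP socket on the collector port and pass each received datagram to `bytes_by_dscp`.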