2 Replies Latest reply on Sep 25, 2010 2:45 PM by maheshmylar

    IPFIX for Layer4 and Layer7 proxies

      Hi,

      For statefull layer4 or layer7 proxy with content modification, we will be having 2 different TCP connections, one will be on the client side and other will be on the server side. Considering below IPFIX template:

       

      Field Type                     Field Type                Number Description

      IN_BYTES                          1                          Ingress bytes counter

      IN_PKTS                            2                          Ingress packets counter

      PROTOCOL                        4                          Layer 4 protocol

      L4_SRC_PORT                   7                          Source TCP/UDP port

      IPV4_SRC_ADDR               8                          Source IP address

      INPUT_SNMP                    10                         SNMP ingress interface index

      L4_DST_PORT                   11                         Destination TCP/UDP port

      IPV4_DST_ADDR                12                        Destination IP address

      OUTPUT_SNMP                  14                         SNMP egress interface index

       

      Considering src/dst ip addresses on client and sever side are different, we will be having two flow with ingress IEs (no biflow or post* IEs are added), will the SolarWinds Orion NetFlow Traffic Analyzer predefined reports work fine?

       

      Is there a plan to support layer4 and above proxies with IPFIX biflow records. Is there a plan to use post* IEs for report generation?

        • Re: IPFIX for Layer4 and Layer7 proxies
          chris.lapoint

          Have you ran into any specific issues with NTA displaying this data properly?   Based on the fields you listed above, there shouldn't be any problem reporting since the fields match our requirements (see here)

            • Re: IPFIX for Layer4 and Layer7 proxies

              Hi Chris,

              Thanks for replying. I have not yet started using NTA. My thinking is NTA will work fine with the template, but the reports will be wrong. Let me ask my question differently.

               

              If we have template/record as 

               

              Field Type                     Field Type                Number Description

              IN_BYTES                          1                          Ingress bytes counter

              IN_PKTS                            2                          Ingress packets counter

              PROTOCOL                        4                          Layer 4 protocol

              L4_SRC_PORT                   7                          Source TCP/UDP port

              IPV4_SRC_ADDR               8                          Source IP address

              INPUT_SNMP                    10                         SNMP ingress interface index

              L4_DST_PORT                   11                         Destination TCP/UDP port

              IPV4_DST_ADDR                12                        Destination IP address

              OUTPUT_SNMP                  14                         SNMP egress interface index

               

              This define only layer3 flow. i.e how IN_PKTS number of packets came through INPUT_SNMP interface and same is forwarded through OUTPUT_SNMP interface and this belongs specified port IP and port numbers. If i have another flow with same IP and port numbers but in reverse order, we have one TCP flow. If we do not want to see throughput of a dual flow single TCP connection. Aggregating a single flow is fine. 

              If we think of calculating throughput of a device, probably we need to add IN_BYTES as number of ingress bytes and same number of bytes are forwarded (egress), so throughput will be ingress + egress, we just need to multiply aggregated IN_BYTES by 2 times, right?

              If my understanding is correct, ingress and egress bytes will be true only for layer3 and layer2 devices. How will it work for layer4 and above devices?

               

              Regards,

              Mahesh