Best Practices for Cisco WAAS Reporting using NetFlow
Posted in NetFlow on October 11th, 2009 by mike@plixer.com
Reporting on traffic impacted by Cisco WAAS using NetFlow requires the use of egress flow in NetFlow v9. Consider the diagram below where the traffic going in on interface 1 should be compressed by WAAS before it leaves on Interface 3:
Run this WAAS Test
Using Scrutinizer NetFlow and sFlow Analyzer, a simple test to see if traffic is being compressed could involve a “Well Known Ports” report. Below we are looking at inbound traffic on the LAN interface (1) prior to compression:
Notice above that the total is 56.36 Mb going in on Interface 1. The total traffic leaving on interface 3 (after compression) is 32.89 Mb. Specifically if you look at HTTP above, you can see that the traffic volume for the same time period has been compressed. See below:
NetFlow v9 with Egress Flows
The above requires that the hardware support NetFlow v9 with Egress flows. If the hardware (e.g. Riverbed) only supports NetFlow v5, NetFlow reporting tools have to display outbound traffic using inbound flows. This ‘cheat’ is required in NetFlow v5 because flows are only collected when traffic comes in on an interface. Because of this, outbound traffic in a compression environment is overstated when using NetFlow v5.
The Flow Before and After
Here is a report I created using our powerful filtering interface. Notice I filtered on:
• IR2.plixer.com interface: 1
• IR2.plixer.com interface: 3
• Destination port: 35803
• Hosts: (src) 91.189.88.140 to (dst) 66.186.184.193
Below is the flow going out on interface 3 and notice that the total Mb has dropped from 9.17Mb to 5.08Mb. If I was exporting NetFlow v5, I would get the same value but, since we’re using NetFlow v9 with Egress, the compression for the individual flow becomes apparent:
A good NetFlow diagnostic tool or NetFlow collector reporting on compresed WAN connections should deliver on:
- Ability to get to the basics (e.g. top 10, 25, etc.)
- Ability to get to all the flows or the bottom X. Notice the Google like pagination in the reports above.
- Ability to use the mouse and drill in for details
- Support for a mixed environment of ingress and egress enabled Cisco and Adtran routers
- A good range of valuable reports including access to the raw flows
- Ability to watch for active time out issues and missing flow sequence numbers
- Flow analytics for Network Behavior Analysis
Thanks for reading. Make sure you try out our Free NetFlow Generator!
Michael PattersonScrutinizer Product Manager
Follow Me on Twitter
[...] To understand why egress flows are necessary with WAN optimization, you should read my blog on Best Practices for Cisco WAAS Reporting using NetFlow. In short, without egress flows NetFlow Analyzer software must use ingress flows to [...]
[...] are ingress and egress flow exports so important? You should read this blog on WAN optimization with Cisco WAAS. Michael Patterson Scrutinizer Product Manager Follow Me on Twitter Share and [...]
[...] are ingress and egress flow exports so important? You should read this blog on WAN optimization with Cisco WAAS. November 10th, 2009 in NetFlow, NetFlow Analyzer, Network Traffic Analysis | tags: Cisco WAAS, [...]
[...] ¿Por qué el flujo de entrada y salida exportaciones tan importante? Usted debe leer este blog en la optimización WAN de Cisco WAAS. [...]
[...] supports NetFlow and ideally, NetFlow v9 with egress flows. Why? Read this brief blog on Best Practices for Cisco WAAS Reporting using NetFlow. It applies to all vendors. Michael Patterson Scrutinizer Product Manager Follow Me on Twitter [...]