Now that everyone has dipped their feet into the NetFlow Collector waters and gotten comfortable, it’s time to shake things up and introduce some more NetFlow config goodness.

Due the rise of multimedia multicast application usage and bandwidth consumption it’s becoming more and more important to monitor these links and traffic types.

But did you know that if you are running with NetFlow v5, not all of your multicast traffic is being counted?

With v5, the router does not count the amount of times that the one multicast packet may have been replicated. Nor does it log the unique outbound IP after replication, since v5 does not support egress monitoring.

As a result, you will be missing a lot of your multicast traffic.

To solve this, we need to use NetFlow v9 and its ingress and egress monitoring capabilities.

First, you need to enable the routers to support multicast traffic.

Once that has been enabled, there are two configurations that enable flow monitoring for multicast patterns:

ip multicast netflow output-counters
ip multicast netflow rpf-failure

The first command ip multicast netflow output-counters will account for the number of bytes and multicast packets forwarded.

The second command ip multicast netflow rpf-failure will also keep track of the multicast packets that failed the RPF check.

After enabling those commands, you can then specify which interfaces you wish to do multicast accounting for by choosing either:

ip multicast netflow ingress
ip multicast netflow egress

What is the difference?

Ip multicast netflow ingress accounting will create one flow record that will count how many times each packet has been replicated.

Ip multicast netflow egress will create a new flow record for each outgoing interface.

Just as a warning though, if you generate a lot of multicast traffic, using the egress command can produce larger amounts of flow records, as opposed to monitoring on the ingress.

I hope that helps you all with your NetFlow endeavors!

-Nate

Tags: Ip multicast netflow egress, Ip multicast netflow ingress accounting, ip multicast netflow output-counters, ip multicast netflow rpf-failure, multicast, NetFlow Collector, traffic types, v5, v9

This entry was posted on Friday, August 28th, 2009 at 7:48 am and is filed under NetFlow, Network Traffic Analysis. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.