Reporting on traffic impacted by Cisco WAAS using NetFlow requires the use of egress flow in NetFlow v9. Consider the diagram below where the traffic going in on interface 1 should be compressed by WAAS before it leaves on Interface 3:
Run this WAAS Test
Using Scrutinizer NetFlow and sFlow Analyzer, a simple test to see if traffic is being compressed could involve a “Well Known Ports” report. Below we are looking at inbound traffic on the LAN interface (1) prior to compression:
Notice above that the total is 56.36 Mb going in on interface 1. The total traffic leaving on interface 3 (after compression) is 32.89 Mb. Specifically, if you look at HTTP above and compare it with the report below, you can see that the traffic volume for the same time period has been compressed. See below:
NetFlow v9 with Egress Flows
The above requires that the hardware support NetFlow v9 with Egress flows. If the hardware (e.g. Riverbed) only supports NetFlow v5, NetFlow reporting tools have to display outbound traffic using inbound flows. This ‘cheat’ is required in NetFlow v5 because flows are only collected when traffic comes in on an interface. Because of this, outbound traffic in a compression environment is overstated when using NetFlow v5.
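The difference between the two accounting methods can be shown on a handful of flow records. The following is an added example, not code from Scrutinizer or from the original post: the records and octet counts are constructed, and the function names are hypothetical. It assumes decoded NetFlow v9 records carrying the standard DIRECTION (61), INPUT_SNMP (10) and OUTPUT_SNMP (14) fields.

```python
from collections import defaultdict

INGRESS, EGRESS = 0, 1  # values of the NetFlow v9 DIRECTION field (type 61)

def rec(dport, direction, in_if, out_if, octets):
    # Constructed record: flow key plus decoded direction, interfaces and byte count.
    return {"key": ("192.0.2.10", "198.51.100.20", dport), "direction": direction,
            "in_if": in_if, "out_if": out_if, "octets": octets}

# Constructed sample: LAN is interface 1, WAN is interface 3 (as in the article).
FLOWS = [
    rec(35803, INGRESS, 1, 3, 9_170_000),  # metered entering on the LAN side
    rec(35803, EGRESS, 1, 3, 5_080_000),   # same flow metered leaving the WAN side
    rec(80, INGRESS, 1, 3, 4_000_000),
    rec(80, EGRESS, 1, 3, 1_500_000),
    rec(443, INGRESS, 3, 1, 200_000),      # return traffic, not outbound on 3
]

def outbound_from_ingress(flows, ifindex):
    """v5-style estimate: ingress records whose output interface is ifindex."""
    return sum(f["octets"] for f in flows
               if f["direction"] == INGRESS and f["out_if"] == ifindex)

def outbound_from_egress(flows, ifindex):
    """v9 egress measurement: records metered as traffic leaves ifindex."""
    return sum(f["octets"] for f in flows
               if f["direction"] == EGRESS and f["out_if"] == ifindex)

def per_flow_reduction(flows, in_if, out_if):
    """Pair each flow's ingress and egress records; return fraction of octets saved."""
    before, after = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["out_if"] != out_if:
            continue
        if f["direction"] == INGRESS and f["in_if"] == in_if:
            before[f["key"]] += f["octets"]
        elif f["direction"] == EGRESS:
            after[f["key"]] += f["octets"]
    # Flows seen on only one side cannot be compared and are skipped.
    return {k: round(1 - after[k] / before[k], 3)
            for k in before if k in after and before[k] > 0}

if __name__ == "__main__":
    print("outbound on 3, from ingress flows:", outbound_from_ingress(FLOWS, 3))
    print("outbound on 3, from egress flows: ", outbound_from_egress(FLOWS, 3))
    for key, saved in per_flow_reduction(FLOWS, 1, 3).items():
        print(key, f"{saved:.1%} saved")
```

With only ingress records available, the first function is the only option, and it reports the pre-compression volume as the outbound total for interface 3.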
The Flow Before and After
Here is a report I created using our powerful filtering interface. Notice I filtered on:
• IR2.plixer.com interface: 1
• IR2.plixer.com interface: 3
• Destination port: 35803
• Hosts: (src) 220.127.116.11 to (dst) 18.104.22.168
Below is the flow going out on interface 3. Notice that the total Mb has dropped from 9.17Mb to 5.08Mb. If I were exporting NetFlow v5, I would get the same value, but since we're using NetFlow v9 with Egress, the compression for the individual flow becomes apparent:
A good NetFlow diagnostic tool or NetFlow collector reporting on compressed WAN connections should deliver on:
- Ability to get to the basics (e.g. top 10, 25, etc.)
- Ability to get to all the flows or the bottom X. Notice the Google-like pagination in the reports above.
- Ability to use the mouse and drill in for details
- Support for a mixed environment of ingress and egress enabled Cisco and Adtran routers
- A good range of valuable reports including access to the raw flows
- Ability to watch for active timeout issues and missing flow sequence numbers
- Flow analytics for Network Behavior Analysis
Thanks for reading. Make sure you try out our Free NetFlow Generator!