Reporting on traffic impacted by Cisco WAAS using NetFlow requires the use of egress flow in NetFlow v9. Consider the diagram below where the traffic going in on interface 1 should be compressed by WAAS before it leaves on Interface 3:


Run this WAAS Test

Using Scrutinizer NetFlow and sFlow Analyzer, a simple test to see if traffic is being compressed could involve a “Well Known Ports” report.  Below we are looking at inbound traffic on the LAN interface (1) prior to compression:


Notice above that the total is 56.36 Mb going in on Interface 1.  The total traffic leaving on interface 3 (after compression) is 32.89 Mb. Specifically if you look at HTTP above, you can see that the traffic volume for the same time period has been compressed.  See below:

NetFlow v9 with Egress Flows
The above requires that the hardware support NetFlow v9 with Egress flows. If the hardware (e.g. Riverbed) only supports NetFlow v5, NetFlow reporting tools have to display outbound traffic using inbound flows.  This ‘cheat’ is required in NetFlow v5 because flows are only collected when traffic comes in on an interface.  Because of this, outbound traffic in a compression environment is overstated when using NetFlow v5.

The Flow Before and After
Here is a report I created using our powerful filtering interface.  Notice I filtered on:
• interface: 1
• interface: 3
• Destination port: 35803
• Hosts: (src) to (dst)

Below is the flow going out on interface 3 and notice that the total Mb has dropped from 9.17Mb to 5.08Mb.  If I was exporting NetFlow v5, I would get the same value but, since we’re using NetFlow v9 with Egress, the compression for the individual flow becomes apparent:
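The before-and-after comparison described above, written out as an added example (not Scrutinizer's code or output): it pairs each flow's ingress record on the LAN interface with its egress record on the WAN interface and flags flows where only ingress data exists, as with a v5-only exporter. The record layout, host addresses and the port 22 and 443 flows are constructed; the port 35803 totals are the ones quoted above, and the flow tuple is assumed to be unchanged by the optimizer.

```python
from collections import defaultdict, namedtuple

INGRESS, EGRESS = 0, 1  # values of the NetFlow v9 DIRECTION field (type 61)

# Simplified flow record (hypothetical layout, not a collector schema).
Flow = namedtuple("Flow", "src dst dst_port in_if out_if direction mbits")

# Constructed records: placeholder hosts; only the 35803 totals come from the page.
FLOWS = [
    Flow("192.0.2.10", "198.51.100.20", 35803, 1, 3, INGRESS, 9.17),
    Flow("192.0.2.10", "198.51.100.20", 35803, 1, 3, EGRESS, 5.08),
    # Constructed flow that shows no reduction between interfaces.
    Flow("192.0.2.11", "198.51.100.21", 22, 1, 3, INGRESS, 1.00),
    Flow("192.0.2.11", "198.51.100.21", 22, 1, 3, EGRESS, 1.00),
    # Ingress-only export (v5 style): no egress record exists for this flow.
    Flow("192.0.2.12", "198.51.100.22", 443, 1, 3, INGRESS, 2.50),
]

def before_and_after(flows, lan_if, wan_if):
    """Pair ingress records on lan_if with egress records on wan_if, per flow."""
    pairs = defaultdict(dict)
    for f in flows:
        if f.in_if == lan_if and f.out_if == wan_if:
            pairs[(f.src, f.dst, f.dst_port)][f.direction] = f.mbits
    report = {}
    for key, seen in pairs.items():
        before, after = seen.get(INGRESS), seen.get(EGRESS)
        if not before:
            continue  # no pre-compression volume to compare against
        if after is None:
            # Outbound volume can only be inferred from the inbound flow, so it
            # is overstated by whatever the optimizer actually removed.
            report[key] = {"out_mbits": before, "source": "ingress-derived",
                           "reduction_pct": None}
        else:
            report[key] = {"out_mbits": after, "source": "egress",
                           "reduction_pct": round(100 * (before - after) / before, 1)}
    return report

if __name__ == "__main__":
    for key, row in before_and_after(FLOWS, lan_if=1, wan_if=3).items():
        print(key, row)
```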


A good NetFlow diagnostic tool or NetFlow collector reporting on compressed WAN connections should deliver on:

  • Ability to get to the basics (e.g. top 10, 25, etc.)
  • Ability to get to all the flows or the bottom X.  Notice the Google-like pagination in the reports above.
  • Ability to use the mouse and drill in for details
  • Support for a mixed environment of ingress and egress enabled Cisco and Adtran routers
  • A good range of valuable reports including access to the raw flows
  • Ability to watch for active time out issues and missing flow sequence numbers
  • Flow analytics for Network Behavior Analysis

Thanks for reading.  Make sure you try out our Free NetFlow Generator!


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

