Thanks to one of our Flexible NetFlow (FnF) Engineers we were recently able to re-test NetFlow multicast support. Prior to FnF we saw problems with active timeout not being recognized when the router exported multicast flows.

We had our lab router configured to route multicast traffic by adding the following to the FnF record.

match routing is-multicast
collect routing multicast replication-factor
collect counter bytes replicated
collect counter packets replicated

The FnF record is:

flow record nbar-mon
match routing is-multicast
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
match application name
collect datalink dot1q vlan input
collect datalink dot1q vlan output
collect datalink mac source address input
collect datalink mac source address output
collect datalink mac destination address input
collect datalink mac destination address output
collect routing destination as
collect routing multicast replication-factor
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp source-port
collect transport tcp destination-port
collect transport tcp flags
collect transport udp source-port
collect transport udp destination-port
collect interface output
collect counter bytes
collect counter packets
collect counter bytes replicated
collect counter packets replicated
collect timestamp sys-uptime first
collect timestamp sys-uptime last

Once we have the Flexible NetFlow configured, we need to generate traffic.

To generate multicast traffic, we used iperf . Once we had it installed, it was configured as follows:

iperf server was configred on my laptop. Command line below:

iperf -s -u -B 224.0.55.3 -i 1

iperf client on telemarketing machine. Using the following command line:

iperf -c 224.0.55.3 -u -T 32 -t 30000 -i 1

As you can see below, our NetFlow Reporting tool displays the different multicast destination addresses:

NetFlow Multicast Configured

But, what interfaces are the multicast above going out? Lets take a look:

 

Viewing NetFlow Multicast

Notice above that the egress interface is 0 on all of the flows.  Multicast flows collected ingress have a destination interface of null or 0. To export the interface the multicasts went out, we must export multicast egress NetFlows. This is explained in step four in the Network world configuring Flexible NetFlow blog.

int fastethernet 0/1
ip flow monitor nbar-mon multicast ingress
ip flow monitor nbar-mon multicast egress
ip flow monitor nbar-mon ingress

int int fastethernet 0/0/0
ip flow monitor nbar-mon ingress

Note to inquiring minds: Multicast support in Flexible Netflow (FnF) does not seem to suffer from the active timeout issue we saw with the standard NetFlow multicast configuration.

Pre FnF Multicast Exports
NetFlow v9 had support for NetFlow Multicast Accounting prior to FnF. I copied the text below from the Cisco web site.

<<< BEGIN >>>

Multicast Ingress and Multicast Egress Accounting
The NetFlow Multicast Support feature lets you select either multicast ingress accounting, in which a replication factor (equal to the number of output interfaces) indicates the load, or multicast egress accounting, in which all outgoing multicast streams are processed as separate streams, or both. This lets you collect information about how much data is leaving the interfaces of the router (egress and multicast ingress accounting) or how much multicast data is received (multicast ingress accounting).

On the ingress side, multicast packets are counted like unicast packets, but with two additional fields (for number of replicated packets and byte count). With multicast ingress accounting, the destination interface field will be set to null, and the IP next hop field is set to zero for multicast flows.

NetFlow Multicast Flow Records
Multicast ingress accounting creates one flow record that indicates how many times each packet is replicated. Multicast egress accounting creates a unique flow record for each outgoing interface.

<<< END >>>

  • Multicast NetFlow ingress  (1 flow with the replicated # of packets/bytes)
    Router(config-if)# ip multicast netflow ingress
  • Multicast NetFlow egress (1 flow per outgoing interface with the non replicated number of packets/bytes
    Router(config-if)# ip multicast netflow egress

Remember, we saw an active timeout with pre FnF NetFlow multicast exports (C2600-ENTBASEK9-mz.124-15.T10) where the active timeout was ignored and the flows were not exported until the multicast terminated. This resulted in big spikes in the graphs when trending 1 and 5 minute intervals depending on the duration of the multicast stream.

Summary
Now that you have NetFlow multicast configured, use the new Cisco Performance Monitoring NetFlow exports for Medianet.  These new Flexible NetFlow exports allow you to report on jitter, latency and packet loss.

If you have questions on setting this up or on reporting on the data, just comment below and I’ll post a reply.  You can also contact us.

Mike Patterson author pic

Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

Related

Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply