Ingress flows enabled on all interfaces of a switch or router will deliver needed information, in most situations. If device only supports NetFlow v5, your flows should necessarily be configured in Ingress direction, because NetFlow v5 only supports Ingress flows. In addition, Ingress export provides monitoring of Blocked traffic (traffic sent to Interface Out 0).
Here are a few exceptions where using Egress Flows is suitable:
- Some devices (e.g. Cisco WAAS, Riverbed, etc.) have an option to compress flows, so you need to see traffic after it was compressed. Egress flows are calculated after compression.
- When multicast flows are sent, Ingress exported flows have a destination interface 0 because the router doesn’t know interface Out before processing. Egress exported flows deliver the destination interfaces and if the flow is headed for multiple interfaces it will be exported as multiple flows.
- When exporting NetFlow on only one interface of the router or switch.
When using only ingress flows, it is important to enable NetFlow data export on all interfaces, because outbound utilization on any given interface is calculated by using ingress flows from other interfaces.
See example at the figure below. If you have not enabled NetFlow on interface 2, flows going through that interface will be missed when calculating outbound utilization on interface 4.
You should configure interfaces on a single device to collect flows in only one direction (either Ingress or Egress), so that flows traveling from one host to another and vice versa are collected only once.
Continue reading on to Choosing Exporters.
In Flexible NetFlow, Input and Output do the same as Ingress and Egress in Traditional NetFlow.