The following explains in which situations is better to use incoming (in/Ingress) or outgoing (out/Egress) flow on the interface for collecting NetFlow traffic. 

Incorrect NetFlow Export

NetVizura NetFlow Incorrect Export

On the figure above you can see that interfaces Gi1/1 and Gi1/2 are set to collect NetFlow traffic, Gi1/1 in IN direction and Gi1/2 in OUT direction. This example shows that a flow traveling from Host A to Host B will be collected and exported twice to NetFlow server, while a flow traveling from Host B to Host A will not be matched and exported. The result is a false NetFlow traffic: double amount of flows for A to B direction, and zero flows for B to A direction. 

It is very important that all interfaces on a single device are configured to collect flow in only one direction, IN or OUT.

Correct NetFlow Export

NetVizura NetFlow Correct Export

Here, both interface Gi1/1 and interface Gi1/2 are set to collect the NetFlow traffic in IN direction. This time, a flow traveling from Host A to Host B will be collected only once, and a flow traveling from Host B to Host A will be collected as well. Now, NetFlow traffic will be correct and none of the charts in TopN > Exporters will have duplicated data.


Ingress or Egress?

When considering to configure Ingress or Egress flow on an exporter device, you must be aware that it depends on software version and supervisor module (if existing). For this information, please check release notes of your device vendor.

Ingress export enabled on all the interfaces of a device will in general deliver all necessary information. It is specially recommended in the following situations:

  1. NetFlow v9 supports Ingress and Egress, but NetFlow v5 only supports Ingress flows. If your device is only supported by NetFlow v5, your flows should necessarily be Ingress. 
  2. In addition, Ingress export provides monitoring of Blocked traffic (traffic sent to Interface Out 0).

Egress should be considered in these situations:

  1. Some routers (e.g. Cisco WAAS, Riverbed, etc.) have option to compress flows, so the Out traffic will be significantly larger than In traffic. Egress export provides more precise information on traffic transferred in the network.

  2. When multicast flows are sent, Ingress exported flows have a destination interface 0 because the router doesn’t know interface Out before processing. Egress exported flows deliver the destination interfaces, and in addition if the flow is headed for multiple interfaces it will be exported as multiple flows.

Continue reading on to Choosing Exporters.

 

  • No labels