The following explains in which situations it is better to collect NetFlow traffic on an interface in the incoming (in/Ingress) or the outgoing (out/Egress) direction.
Incorrect NetFlow Export
In the figure above, interfaces Gi1/1 and Gi1/2 are both set to collect NetFlow traffic: Gi1/1 in the IN direction and Gi1/2 in the OUT direction. In this setup, a flow traveling from Host A to Host B is collected and exported to the NetFlow server twice, while a flow traveling from Host B to Host A is not matched or exported at all. The result is incorrect NetFlow data: double the number of flows for the A to B direction and zero flows for the B to A direction.
It is very important that all interfaces on a single device are configured to collect flows in only one direction, IN or OUT.
Correct NetFlow Export
Here, both interface Gi1/1 and interface Gi1/2 are set to collect NetFlow traffic in the IN direction. This time, a flow traveling from Host A to Host B is collected only once, and a flow traveling from Host B to Host A is collected as well. The NetFlow traffic is now correct, and none of the charts in TopN > Exporters will show duplicated data.
Ingress or Egress?
When deciding whether to configure Ingress or Egress flow export on an exporter device, be aware that the choice depends on the software version and the supervisor module (if present). For this information, check the release notes from your device vendor.
Ingress export enabled on all the interfaces of a device will, in general, deliver all the necessary information. It is especially recommended in the following situations:
Egress should be considered in these situations:
When multicast flows are sent, Ingress exported flows have a destination interface of 0 because the router does not know the output interface before processing. Egress exported flows deliver the destination interfaces, and if the flow is headed for multiple interfaces, it will be exported as multiple flows.
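The double-counting case and the multicast behaviour described above can be reproduced with a small model. This is an added example, not code from the original page or from any vendor. The function names, the constructed sample flows, the extra interface Gi1/3, and the simplification that a unicast ingress record carries its output interface are all assumptions.

```python
from collections import Counter

def export_records(if_direction, flows):
    """Return the (flow, input_if, output_if) records a device would export.

    if_direction: {interface: "in" | "out"} for NetFlow-enabled interfaces.
    flows: list of (name, input_if, [output_ifs]); several output_ifs = multicast.
    """
    records = []
    for name, in_if, out_ifs in flows:
        # Ingress: one record on arrival. For multicast the output interface
        # is not known before processing, so it is reported as 0.
        if if_direction.get(in_if) == "in":
            out = out_ifs[0] if len(out_ifs) == 1 else 0
            records.append((name, in_if, out))
        # Egress: one record per interface the flow leaves through.
        for out_if in out_ifs:
            if if_direction.get(out_if) == "out":
                records.append((name, in_if, out_if))
    return records

def exports_per_flow(if_direction, flows):
    """Count how many times each flow is exported (0 = invisible, 2 = duplicated)."""
    counts = Counter({name: 0 for name, _, _ in flows})
    counts.update(rec[0] for rec in export_records(if_direction, flows))
    return dict(counts)

def mixed_directions(if_direction):
    """True when a device collects IN on some interfaces and OUT on others."""
    return len(set(if_direction.values())) > 1

# Constructed sample traffic (hypothetical; Gi1/3 is not on the original page).
UNICAST = [("A->B", "Gi1/1", ["Gi1/2"]), ("B->A", "Gi1/2", ["Gi1/1"])]
MULTICAST = [("A->group", "Gi1/1", ["Gi1/2", "Gi1/3"])]

if __name__ == "__main__":
    incorrect = {"Gi1/1": "in", "Gi1/2": "out"}
    correct = {"Gi1/1": "in", "Gi1/2": "in"}
    for label, cfg in (("incorrect", incorrect), ("correct", correct)):
        print(label, "mixed:", mixed_directions(cfg), exports_per_flow(cfg, UNICAST))
    for direction in ("in", "out"):
        cfg = {ifname: direction for ifname in ("Gi1/1", "Gi1/2", "Gi1/3")}
        print("multicast,", direction, export_records(cfg, MULTICAST))
```

A zero count for one direction alongside a doubled count for the other is the signature of a mixed IN/OUT configuration. Because one direction of the conversation is invisible to the collector, checking each exporter with `mixed_directions` before trusting its data avoids a monitoring blind spot.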