ip route-cache flow or ip flow ingress… Which do I use?
Posted in General on January 23rd, 2009 by nathanh
If you’ve ever configured a router for NetFlow, you may have had to work with either, or both, of these commands.
When configuring NetFlow on your router, you have two sets of configurations to setup. First, being your global commands that define which version of NetFlow is being used, where the flows will be exported, and on what port.
After configuring the global commands, however, you also need to configure the interfaces that will be using NetFlow. To enable flows on an interface, you have two commands that are very similar in nature, but used in different circumstances.
For more information regarding NetFlow configurations, check out this Activating NetFlow Guide.
So, back to the original question: “Do I use ip route-cache flow or ip flow ingress?”
Deciding which interfaces you want to monitor will answer this question.
If you are interested in monitoring flows on a physical interface, you would use ip route-cache flow. By enabling ip route-cache flow on the physical interface, it will in turn enable flows on all subsequent sub-interfaces.
But let’s say that you are not interested in seeing flows on sub-interfaces x,y and z; but you do want to see flows on subs a, b and c, from that same interface. This is where the command comes into use.
So as a quick summary:
ip route-cache flow will enable flows on the physical interface and all sub-interfaces associated with it.
ip flow ingress will enable flows on individual sub-interfaces, as opposed to all of them on the same interface.
Cisco’s article on Netflow and subinterface support offers a wealth of information on this subject.
**NOTE** With NetFlow v5, we only had the option to monitor inbound statistics using the ip flow ingress command. However, with the release of NetFlow v9, we now have the option to monitor traffic leaving each interface via ip flow egress. Check out this blog which tackles the question: Which one is better to use? Ingress or Egress?
-Nate
Which is appropriate for VLAN interfaces? Or does it make any sense to even configure NetFlow on a VLAN as opposed to a physical?
Same question(s) for PortChannel Interfaces?
Thanks.
According to CISCO, you should be able to put IP ROUTE-CACHE FLOW on the physical interface where the VLANS are carved out from, and that should enable netflow on the subsequent interfaces. But to be sure the job gets done, I enable ip flow ingress on the VLANS instead.
[...] has hundreds of routers. If you are just setting up ingress, I would keep this blog in mind: “ip route-cache flow or ip flow ingress… Which do I [...]
[...] We reviewed his Cisco router configuration and it looked good at first. He had the export destination, version, and timeout entries. He also had the IP flow ingress command on all of his interfaces. This router does not accept the ip route-cache flow command, only the ip flow ingress . [...]
[...] you are monitoring flows using ip flow ingress and you see a conversation that passed 2.4mb. Now even though that traffic was 2.4mb on the [...]