NetFlow version 9: egress vs. ingress

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Scrutinizer on June 4th, 2009 by mike@plixer.com

I’m doing some more work lately with Wireshark and Scrutinizer v7. I thought that the topic of egress vs. ingress might be interesting to some readers.  NOTE: Egress is only available in Cisco NetFlow v9 and not NetFlow v5.

IPFIX or NetFlow v9?
In theory, ingress and egress should work the same way in IPFIX, which is based on NetFlow v9, but the two protocols are certainly different. Although they are very similar, don’t let any company tell you they are exactly the same. Many collectors that work with NetFlow v9 will puke when they receive IPFIX. Scrutinizer handles both with ease. Nortel supports IPFIX, as does/did Avici, which is now Soapstone Networks, Inc. Other vendors, such as Adtran and Enterasys, support NetFlow v9.

One annoying area where IPFIX and NetFlow v9 differ is in the labeling of fields: NetFlow v9 has ‘IN_BYTES’ and IPFIX labels the same field ‘octetDeltaCount’.  IPFIX probably renamed it because when talking about egress flows, IN_BYTES is sort of misleading.

Ingress vs. egress differences
NetFlow v9 Ingress is collected on traffic going into (i.e. inBound) an interface.  This is how NetFlow v5 collects data. To figure out outBound traffic volume, ingress must be collected on all interfaces and the reporting software then displays outbound traffic. What goes in must go out, right?  Ya, usually.

NetFlow v9 Egress is collected on traffic going out (i.e. outBound) of an interface.  Generally, it is used in combination with Ingress, but it doesn’t have to be. I’ll dive into this a bit more.

Why collect with egress?
Why collect with egress, if ingress worked so well with NetFlow v5? Because hardware such as WAN optimizers compress data. With compression in the path of a Cisco router exporting NetFlow, what comes in as 100 bytes might go out as 50 bytes. If only ingress flows are used, the NetFlow reporting software will show 100 bytes outbound, even though it was compressed to 50 bytes. GASP!!! This is because the outbound number was calculated from ingress flows.

Tell me the truth!
If the router is exporting both ingress and egress and the NetFlow monitor can report on both without overstating utilization, you can see how much of each flow is being compressed. It’s pretty slick, but it requires that the NetFlow collector understand what is known as the flow “Direction”. If the field in the NetFlow v9 packet is a 0, then it is an ingress collected flow.  If the field is a 1, then it is an egress collected flow.

[Figure: Ingress Flow with IPv6 (the same with IPv4)]

[Figure: Egress Flow with IPv6 (the same with IPv4)]

The network traffic reports produced by the NetFlow analyzer need to be intelligent when dealing with ingress and egress flows. I feel that dynamically figuring out flow direction in mixed NetFlow v9 ingress egress environments is crucial, especially if the customer has hundreds of routers. If you are just setting up ingress, I would keep this blog in mind: “ip route-cache flow or ip flow ingress… Which do I use?”
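As an added illustration (not code from this post or from Scrutinizer), the following Python builds a constructed NetFlow v9 packet carrying the ingress and egress records of one compressed flow, decodes it template-first, and shows how a collector must honour the Direction field to avoid overstating outbound utilization. The field type ids are the RFC 3954 values for IN_BYTES, INPUT_SNMP, OUTPUT_SNMP and DIRECTION; the template id, interface indexes and byte counts are made up for the example.

```python
import struct
# NetFlow v9 field type ids from RFC 3954: IN_BYTES, INPUT_SNMP, OUTPUT_SNMP, DIRECTION
IN_BYTES, INPUT_SNMP, OUTPUT_SNMP, DIRECTION = 1, 10, 14, 61
TEMPLATE_ID = 256  # constructed template id (data template ids start at 256)

def build_packet(records):
    """Constructed export: v9 header + template flowset + data flowset.
    Each record is (bytes, input_snmp, output_snmp, direction)."""
    fields = [(IN_BYTES, 4), (INPUT_SNMP, 2), (OUTPUT_SNMP, 2), (DIRECTION, 1)]
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, size) for t, size in fields)
    tmpl = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl  # flowset id 0 = template flowset
    data = b"".join(struct.pack("!IHHB", *r) for r in records)
    data += b"\x00" * (-len(data) % 4)  # pad to a 32-bit boundary
    data = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    return struct.pack("!HHIIII", 9, len(records), 0, 0, 0, 0) + tmpl + data

def parse_packet(pkt):
    """Learn templates from flowset 0, then decode data flowsets that cite them."""
    templates, flows, off = {}, [], 20  # 20 = v9 header length
    while off + 4 <= len(pkt):
        fsid, flen = struct.unpack_from("!HH", pkt, off)
        body, off = pkt[off + 4:off + flen], off + flen
        if fsid == 0:
            tid, cnt = struct.unpack_from("!HH", body, 0)
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(cnt)]
        elif fsid in templates:
            fields = templates[fsid]
            rec_len, pos = sum(size for _, size in fields), 0
            while pos + rec_len <= len(body):  # trailing padding is shorter than a record
                rec, p = {}, pos
                for ftype, size in fields:
                    rec[ftype], p = int.from_bytes(body[p:p + size], "big"), p + size
                flows.append(rec)
                pos += rec_len
    return flows

def interface_bytes(flows, egress_exported):
    """(inbound, outbound) byte totals per SNMP ifIndex. An ingress record (DIRECTION 0)
    is credited inbound on INPUT_SNMP and, only when the router exports no egress records,
    assumed to leave OUTPUT_SNMP unchanged. An egress record (1) carries the real outbound size."""
    totals = {}
    for f in flows:
        n, i, o = f[IN_BYTES], f[INPUT_SNMP], f[OUTPUT_SNMP]
        if f[DIRECTION] == 0:
            totals.setdefault(i, [0, 0])[0] += n
        if f[DIRECTION] == 1 or not egress_exported:
            totals.setdefault(o, [0, 0])[1] += n
    return {k: tuple(v) for k, v in totals.items()}
```

With the two constructed records (100 bytes ingress, 50 bytes egress), interface 2 reports 50 bytes outbound when the collector honours Direction and 150 when it also counts the ingress record as outbound.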

Something else to think about
NetFlow traffic analysis is going to be taken to another level as Flexible NetFlow matures. Perhaps we’ll see it take advantage of what NetFlow v9 calls ‘OUT_BYTES’. (IPFIX, needing to be different, calls this same field ‘postOctetDeltaCount’.)

Now you might ask: how is it related to ingress or egress?  Stay tuned…

Michael Patterson
Scrutinizer Product Manager

Setting up Cisco NetFlow security event logging for Cisco ASA

Posted in NetFlow, NetFlow Analyzer on June 2nd, 2009 by mike@plixer.com

I’m working with a customer’s Cisco ASA device and we are exporting NetFlow v9 to Scrutinizer to do some Cisco NetFlow traffic analysis. Fun stuff, but NetFlow Security Event Logging or NetFlow Event Logs (NELs) isn’t just about traffic in and out of an interface. Some of the exports are more like syslogs. Up to 18 messages can be placed into a single NetFlow v9 packet.

Interested in trying it?

For those of you interested in ASA NetFlow: I believe it is offered standard on any code revision with the ASA 5580 series; on lower-numbered ASA models you will need ASA 8.2.x code to enable the feature. Someone please tell me if this is incorrect.

Wireshark didn’t decode it
Hopefully someone at Cisco is working on the decodes for Wireshark.

Maybe I’ll bring it up at Wireshark Sharkfest in Palo Alto, Calif. next month! Yeeee HAAAAAA. I hope to see some of you there.

This isn’t your typical NetFlow
Three event types can trigger a NetFlow record.
* flow-create
* flow-denied
* flow-teardown

Of course a NetFlow collector IP address has to be entered into the ASA appliance, along with a few other commands, for it to send flow records. Use the Modular Policy Framework to customize the details of NetFlow functionality.

Enabling NetFlow on the ASA

You will also need to define a Service policy pointing the flow data to the analyzer server. The below assumes your ASA is still using the default global policy.

policy-map global_policy
class class-default
flow-export event-type all destination x.x.x.x

The above is CLI, but NetFlow can be configured in the Cisco ASDM GUI by clicking:

  • Configuration->Firewall->Service Policy Rules.
  • Click Add->select “Use class-default as the traffic class”->Next->Netflow (tab)->Add (check the collector(s) you want to use)->Finish->Apply.


Cisco ASA NetFlow commands for specific Events
Example: Log flow-create events between hosts 10.1.1.1 and 10.2.2.2
The internal NetFlow collector server is 192.168.100.1. The event-type keyword matches the event names listed above (flow-create, flow-denied, flow-teardown, or all), and the policy map only takes effect once it is applied with service-policy:

ASA(config)# flow-export destination inside 192.168.100.1 2055
ASA(config)# flow-export template timeout-rate 1
ASA(config)# access-list flow_export_acl permit ip host 10.1.1.1 host 10.2.2.2
ASA(config)# class-map flow_export_class
ASA(config-cmap)# match access-list flow_export_acl
ASA(config-cmap)# exit
ASA(config)# policy-map flow_export_policy
ASA(config-pmap)# class flow_export_class
ASA(config-pmap-c)# flow-export event-type flow-create destination 192.168.100.1
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
ASA(config)# service-policy flow_export_policy global

Configuring NetFlow

This page was very helpful to determine the above configuration commands for NetFlow on the ASA 5580 using ASDM.

Displaying the NetFlow

Navigate to the graphical trends as shown below in the Status tab of Scrutinizer v7.

[Screenshots: Scrutinizer v7 Status tab templates (asaTemplates) and trend graph (asaTrend)]

Limitation in v7

  • Displays data in 1 minute intervals only as roll ups were not completed in time for the release.  Up to 5 hours in 1 minute intervals can be displayed by using the ‘Auto’ interval option.
  • Interfaces do not show up in the Status tab. You must navigate to the templates as outlined above.
  • This is fixed in the next release.

On a personal note: check out these electric mini bikes “Razor MX 650” on YouTube.com that I picked up for my daughters.

Think Green beyond the network.  :)

Michael Patterson
Scrutinizer Product Manager