Have you heard about exporting egress NetFlow? Do you want to know why it is different from ingress NetFlow or more importantly, when to implement it for network traffic monitoring? I’ll cover this topic in today’s blog. Read more »
Michael PattersonMost people collecting NetFlow use it in a very traditional fashion (i.e. NetFlow v5 with ingress flows). Ingress flow means that only inbound (i.e. received) traffic is collected and exported in NetFlow datagrams. This may sound like you won’t know what is going ‘out’ an interface, but have no fear. There is any easy way to calculate outbound traffic using ingress NetFlow.
Above, out bound utilization on interface 1 is determined by looking at the flows from interfaces 2,3 & 4 that are destined for interface 1. Since an ingress flow contains the source and destination interface (i.e. port of the router). Out bound traffic is determined by using ingress flows from the other interfaces. For this reason, it is important to enable NetFlow on all interfaces of the switch or router. This trick is common practice in all NetFlow reporting tools. But, what about NetFlow v9 and its support for ‘Egress’ NetFlow (i.e. traffic going out an interface)?
Apparently, many WAN Optimization companies price their appliances based on Flow Volume. What does Flow Volume mean? Flow Volume is the number of concurrent flows on a specific interface or all interfaces at any given time. For example, if you download a web page, this could create several flows. If you ping something, this would create a flow as well. In fact, syslogs, SNMP traps, etc. all create flows. TCP tends to create flows that linger longer than ICMP or UDP flows. Read more »
Michael PattersonScrutinizer v7.2 NetFlow and sFlow Analyzer has been released. A complete log on the updates is on our web site. The migration from v6.X to v7.2 is also done. Please contact plixer +1 (207) 324-8805 for assistance on the migration.
We are offering 2 webcasts to cover many of the new features for Network Traffic Analysis. Read more »
Michael PattersonReporting on traffic impacted by Cisco WAAS using NetFlow requires the use of egress flow in NetFlow v9. Consider the diagram below where the traffic going in on interface 1 should be compressed by WAAS before it leaves on Interface 3:
I just received an email from someone in Europe asking a question that I thought Riverbed and Scrutinizer NetFlow customers might be interested in.
QUESTION: I’ve just read the message you posted a few months ago concerning an overstating problem with the NetFlow feature on a Riverbed appliance. I’m currently working with NetFlow data sent by a Riverbed appliance, and I think that I have to deal with the same problem you encountered. What do I do?
ANSWER: Yes, overstating utilization with the Riverbed gear is a problem using Cisco NetFlow v5 because outbound utilization is calculated using inbound traffic from the other interfaces. Because of this, compression that occurs is not considered and overstated utilization is the result.
I have escalated this issue to Riverbed and pointed out that the solution is to export Cisco NetFlow v9 with Egress flows. NetFlow v5 only supports ingress flows. Although with the right configuration, Scrutinizer v6 supports Cisco NetFlow v9 with egress flows, we have made enhancements in Scrutinizer v7. I have not heard anything from Riverbed regarding this issue and the need to support NetFlow v9, like the Cisco WAAS solution. I think we can be confident that that a company like Riverbed that is supporting some of the largest networks in the world must be thinking about NetFlow v9 with egress support.
NOTE: I believe Riverbed has a proprietary solution to this problem that you can buy. If you contact Riverbed and they share with you their plans, can you please let me know?
Michael PattersonI’ve been working with some customers over the last few months and it seems that in some configurations with Riverbed gear, determining outbound utilization via ingress traffic from other interfaces is overstating actual utilization. Has anyone else run into this?
We have a solution but, thought I’d put this comment out there. Basically, NetFlow v9 with Egress becomes important.
Michael Patterson
