Have you heard about exporting egress NetFlow? Do you want to know why it is different from ingress NetFlow or more importantly, when to implement it for network traffic monitoring? I’ll cover this topic in today’s blog.
What are Ingress Flows?
Most of us are exporting NetFlow v5, which only supports ingress NetFlow. This means that traffic coming in on an interface is monitored and exported in NetFlow datagrams. What about traffic going out an interface? You guessed it, it isn’t monitored in NetFlow v5. Sounds kind of frustrating, doesn’t it? Well, hold on. Most NetFlow vendors look at where an ingress flow is headed by looking at the destination interface. Using this information, we can determine outbound utilization on any given interface as long as, AND THIS IS IMPORTANT, you enable NetFlow v5 on all interfaces of the switch or router.
Let’s say you only enable NetFlow on interfaces 1 and 2 of a three-interface router. Traffic coming in on interface 3 that is destined for interface 1 or 2 will be missing when the NetFlow Analyzer calculates outbound utilization on those interfaces. In short, when using NetFlow v5 or v9 (ingress-only flows), enable NetFlow on all interfaces, because outbound utilization on any given interface is calculated from the ingress flows of the other interfaces. Pretty much all NetFlow reporting tools operate this way.
What about Egress?
NetFlow v9 supports ingress and egress NetFlow. In most installations, ingress flows enabled on all the interfaces of the switch or router will deliver the information most of us need. Apparently there is some confusion about when and how to use egress flows. Here are a few reasons to use them:
- In WAN compression environments (e.g. Cisco WAAS, Riverbed, etc.), we need to see traffic after it has been compressed. Using ingress flows causes an overstated outbound utilization on the WAN interface. Egress flows are metered after compression.
- In multicast environments, ingress multicast flows have a destination interface of 0 because the router doesn’t know what interface they will go out until after it processes the datagrams. Exporting egress flows delivers the destination interface and as a result multiple flows are exported if the flow is headed for multiple interfaces.
- When exporting NetFlow on only one interface of the router or switch. Enabling both ingress and egress on that single interface means that all traffic in and out is exported in NetFlow datagrams.
Hopefully the above helps answer the question: “why use egress NetFlow metering?”
Scrutinizer Kicks Butt at NetFlow Direction!
Scrutinizer looks for egress flows before calculating outbound utilization. If it finds egress flows for the interface, it will use them. If it doesn’t find egress flows, it will calculate outbound utilization using ingress flows from the other interfaces. Pretty slick… if I do say so.
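As an added illustration (not Scrutinizer’s code or anything from the original post), here is a small Python example of both calculations: the ingress-only fallback from the section above and the egress-first preference just described. The flow records and byte counts are constructed, and the direction flag follows the NetFlow v9 DIRECTION field convention (0 = ingress, 1 = egress).

```python
# NetFlow v9 DIRECTION field (type 61): 0 = ingress flow, 1 = egress flow.
INGRESS, EGRESS = 0, 1

def outbound_bytes(flows, interface):
    """Outbound bytes for one interface, in the order the post describes:
    use egress flows metered on the interface itself if any exist, otherwise
    sum ingress flows metered on the OTHER interfaces that exit via this one."""
    egress = [f for f in flows
              if f["direction"] == EGRESS and f["output_if"] == interface]
    if egress:
        return sum(f["bytes"] for f in egress), "egress"
    ingress = [f for f in flows
               if f["direction"] == INGRESS and f["output_if"] == interface
               and f["input_if"] != interface]
    return sum(f["bytes"] for f in ingress), "ingress-derived"

def metering_on(flows, interface):
    """Which directions were actually seen: 'ingress', 'egress', 'both', 'none'."""
    seen = set()
    for f in flows:
        if f["direction"] == INGRESS and f["input_if"] == interface:
            seen.add("ingress")
        if f["direction"] == EGRESS and f["output_if"] == interface:
            seen.add("egress")
    return "both" if len(seen) == 2 else (seen.pop() if seen else "none")

# Constructed records: three-interface router, ingress NetFlow on 1 and 2 only.
# The 700 bytes entering on interface 3 and leaving on 1 are never exported.
FLOWS_PARTIAL = [
    {"input_if": 1, "output_if": 2, "direction": INGRESS, "bytes": 1000},
    {"input_if": 2, "output_if": 1, "direction": INGRESS, "bytes": 500},
]
# Same traffic with ingress NetFlow enabled on interface 3 as well.
FLOWS_FULL = FLOWS_PARTIAL + [
    {"input_if": 3, "output_if": 1, "direction": INGRESS, "bytes": 700},
]
# WAN compression: egress flows on the WAN side (interface 1) carry the
# post-compression byte counts and take precedence over the ingress sum.
FLOWS_WAN = FLOWS_FULL + [
    {"input_if": 2, "output_if": 1, "direction": EGRESS, "bytes": 300},
    {"input_if": 3, "output_if": 1, "direction": EGRESS, "bytes": 400},
]
# Multicast: the ingress record has output_if 0, so only the per-interface
# egress records can attribute the bytes to an outbound interface.
FLOWS_MCAST = [
    {"input_if": 3, "output_if": 0, "direction": INGRESS, "bytes": 900},
    {"input_if": 3, "output_if": 1, "direction": EGRESS, "bytes": 900},
    {"input_if": 3, "output_if": 2, "direction": EGRESS, "bytes": 900},
]
```

With the partial sample, interface 1 reports only 500 outbound bytes instead of 1200, which is exactly the under-count the three-interface router paragraph warns about.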
Notice below that Scrutinizer tells us if ingress, egress or both are enabled on an interface:
Watch out for Direction
We can determine direction because NetFlow v9 exports a Direction field by default, and it tells us whether a flow is ingress or egress. In Flexible NetFlow, which is based on NetFlow v9, the Direction field is not exported by default. This is pointed out in our blog on egress NetFlow with NBAR. Confused? Well, I won’t make it worse by digressing on the bidirectional flows exported by the Cisco ASA. I’ll save that for another blog. 🙂