Have you heard about exporting egress NetFlow? Do you want to know why it is different from ingress NetFlow or more importantly, when to implement it for network traffic monitoring? I’ll cover this topic in today’s blog.

What are Ingress Flows?
Most of us are exporting NetFlow v5 which only supports ingress NetFlow.  This means that traffic coming in on an interface is monitored and exported in NetFlow datagrams.  What about traffic going out an interface? You guessed it, it isn’t monitored in NetFlow v5. Sounds kind of frustrating doesn’t it.  We’ll hold on. Most NetFlow vendors look at where an ingress flow is headed by looking at the destination interface. Using this information, we can determine outbound utilization on any given interface as long as AND THIS IS IMPORTANT, you enable NetFlow v5 on all interfaces of the switch or router.

determiningOutBoundUsingIngress

Lets say you only enable NetFlow on interfaces 1 and 2 of a three interface router.  Traffic coming in on interface 3 that is destined for interface 1 or 2 will be missing when the NetFlow Analyzer calculates outbound utilization on these interfaces.  In short, when using NetFlow v5 or v9 (ingress only flows) enable NetFlow on all interfaces as outbound utilization on any given interface is calculated by using ingress flows from the other interfaces. Pretty much all NetFlow reporting tools operate this way.

What about Egress?
NetFlow v9 supports ingress and egress NetFlow.  In most installations, ingress flows enabled on all the interfaces of the switch or router will deliver on the information most of us need.  Apparently there is some confusion on when and how to use Egress Flows.  Here are a few reasons:

  • In WAN compression environments (e.g. Cisco WAAS, Riverbed, etc.), we need to see traffic after it was compressed.  Using Ingress flows causes an over stated outbound utilization on the WAN interface.  Egress flows are calculated after compression.
  • In multicast environments, ingress multicast flows have a destination interface of 0 because the router doesn’t know what interface they will go out until after it processes the datagrams.  Exporting egress flows delivers the destination interface and as a result multiple flows are exported if the flow is headed for multiple interfaces.
  • When exporting NetFlow on only one interface of the router or switch.  Enabling both on a single interface means that all traffic in and out is exported in NetFlow datagrams.

Hopefully the above helps answer the question: “why use egress NetFlow metering?”

Scrutinizer Kicks Butt at NetFlow Direction!
Scrutinizer looks for egress flows before calculating outbound utilization. If it finds egress flows for the interface, it will use them.  If it doesn’t find egress flows, it will calculate outbound utilization using ingress flows from the other interfaces. Pretty slick… if I do say so.

Notice below that Scrutinizer tells us if ingress, egress or both are enabled on an interface:

egressEnabledDeviceView

Watch out for Direction
We can determine Direction because NetFlow v9 exports a Direction field by default and it tells us if it is an ingress or egress flow. In Flexible NetFlow which is based on NetFlow v9, the Direction is not exported by default.  This is pointed out in our blog on egress NetFlow with NBAR.  Confused? Well, I won’t make it worse by digressing on the bidirectional flows exported by the Cisco ASA.  I’ll save that for another blog.  🙂

Michael

Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

Related

Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

4 comments on “Best Practices in Egress NetFlow Reporting

  1. FYI: When setting up egress flows with Flexible NetFlow (FnF) make sure you match for the flow direction:
    match flow direction

    This tells the collector if the flow was collected ingress or egress. We don’t want Scrutinizer over stating utilization!

Comments are closed.