Working in technical support, I get asked a lot, “I enabled NetFlow on my router, why don’t I see outbound traffic?” The answer is that NetFlow version 5 only supports ingress flow monitoring, and they don’t have NetFlow enabled on all interfaces. In NetFlow v5, outbound traffic is calculated on the idea that what goes in must go out (or stop at the router), so all interfaces must be monitoring ingress traffic to get an accurate representation of outgoing traffic. So, if ingress monitoring has been working great all along, why enable egress monitoring?

Egress Flow Monitoring

Our Product Manager, Michael Patterson, has put together a great blog on Ingress or Egress NetFlow Analysis that helps answer this question. It’s also important to note that in order to monitor egress traffic you must use NetFlow version 9 or IPFIX. Not yet convinced NetFlow v9 is for you? Check out the McMonster analogy to see the benefits of NetFlow v9; mmm delicious NetFlow.

Enabling Ingress and Egress

Anyhow, back to our original topic.

Here are the commands to configure a Cisco router for both ingress and egress flows:

Router> enable
Router# configure terminal
! send NetFlow off to the collector – Scrutinizer
Router(config)# ip flow-export destination 10.1.1.1
! let's send NetFlow off to a 2nd collector
Router(config)# ip flow-export destination 10.1.1.2
! You have to set up Flexible NetFlow to export to more than two destinations
! Let's export NetFlow v9, as NetFlow v5 doesn’t support egress flows

Router(config)# ip flow-export version 9
! summarize and export long lived flows every minute
Router(config)# ip flow-cache timeout active 1
! export flows that are idle 15 seconds or more
Router(config)# ip flow-cache timeout inactive 15
! export the NetFlow data from the configured loopback interface.
Router(config)# ip flow-export source loopback 0
! let's go enable NetFlow on each interface we want NetFlow from
! let's configure the first interface

Router(config)# interface Ethernet 0/0
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit
! change to a different interface
Router(config)# interface Ethernet 0/1
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit
! commit the above to memory if you want to keep the configuration
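
To check a saved configuration against the two rules above (egress requires export version 9, and every traffic-carrying interface needs ingress monitoring for outbound totals to be accurate), here is an added example that is not part of the original article or any Plixer tooling. The sample running-config is constructed, and the function name and finding labels are hypothetical.

```python
import re

# Constructed running-config fragment for illustration (not from a real device).
SAMPLE_CONFIG = """\
ip flow-export version 5
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Ethernet0/0
 ip flow ingress
 ip flow egress
!
interface Ethernet0/1
 ip flow ingress
!
interface Ethernet0/2
 ip address 192.0.2.1 255.255.255.0
!
"""

def audit_netflow(config):
    """Return (interface, finding) tuples for a traditional NetFlow config."""
    version = None
    flows = {}        # interface name -> set of monitored directions
    current = None
    for line in config.splitlines():
        if m := re.match(r"ip flow-export version (\d+)", line):
            version = int(m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            flows[current] = set()
        elif current and (m := re.match(r"\s+ip flow (ingress|egress)\s*$", line)):
            flows[current].add(m.group(1))
        elif not line.startswith(" "):
            current = None    # left the interface stanza
    findings = []
    for name, dirs in flows.items():
        if name.lower().startswith("loopback"):
            continue          # assumption: loopback is only the export source
        if "egress" in dirs and version != 9:
            findings.append((name, "egress-needs-v9"))
        if "ingress" not in dirs:
            findings.append((name, "no-ingress"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_netflow(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

A `no-ingress` finding means traffic entering that interface is never exported, so it will be missing from the outbound totals of the interfaces it leaves through.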

Need a NetFlow analysis tool? Scrutinizer 7.0 and greater have the ability to gather and report on NetFlow v9 and IPFIX flows.

Paul Dube

Paul Dube is the Director of Technical Services at Plixer. He has a passion for enabling individuals and organizations to use highly complex systems to solve business and personal objectives. This passion for problem solving has Paul working with some of the largest enterprises to solve their security and networking challenges and also educating his young daughters on how to enrich their lives with technology. When he's not working, you will find him enjoying time with his family, cooking something delicious on the Big Green Egg, and enjoying the best brews that the locals have to offer.
