If you check your router’s NetFlow configs, you’ll most likely find that you’re exporting NetFlow v5 templates. If you’re not sure, run show run | i ip flow and look for:

ip flow-export version 5

With NetFlow v5, all your traffic is measured based on the ingress of an interface. What goes in, must come out, right?

This is not always the case…

With the introduction of compression and optimization technologies, such as WAAS, traffic can change after it passes the ingress interface.

For example:

Imagine you are monitoring flows using ip flow ingress and you see a conversation that passed 2.4mb. Now even though that traffic was 2.4mb on the inbound, once compressed, that same conversation could be 1.2mb by the time it leaves that router’s outbound interface. This is where the importance of monitoring the egress with NetFlow v9 comes in.

Using ip flow egress may give you a more accurate representation of your data as opposed to using ip flow ingress.

(I can already hear you opening your telnet session to your router…)

To make the change, set your NetFlow export version in the global config:

  • ip flow-export version 9

After modifying the global config, be sure to enable egress monitoring on each interface by adding:

  • ip flow egress
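
The check described above (show run | i ip flow) can be run across many saved configs with a short script. This is an added example, not code from the original post or from Plixer: it parses a running-config, reports the export version, and flags interfaces that still measure ingress only or that have ip flow egress set while the export is not version 9, the pairing this post describes. The hostname, interface names, addresses and the audit_netflow function are constructed for illustration.

```python
import re

# Constructed sample running-config (hypothetical device, not real output).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip flow ingress
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
 ip flow egress
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
ip flow-export version 5
ip flow-export destination 10.0.0.50 2055
!
"""

def audit_netflow(config):
    """Return (export_version, {interface: set of directions}, findings)."""
    version, current, flows = None, None, {}
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:                                # start of an interface block
            current = m.group(1)
            flows[current] = set()
        elif not line.startswith(" "):       # global line or "!" ends the block
            current = None
            m = re.match(r"ip flow-export version (\d+)", line)
            if m:
                version = int(m.group(1))
        elif current:                        # indented sub-command of the interface
            m = re.fullmatch(r"ip flow (ingress|egress)", line.strip())
            if m:
                flows[current].add(m.group(1))
    findings = []
    if version != 9:
        findings.append(f"export version is {version}, expected 9")
    for name, dirs in flows.items():
        if "egress" in dirs and version != 9:
            findings.append(f"{name}: ip flow egress set but export is not version 9")
        if dirs == {"ingress"}:
            findings.append(f"{name}: ingress only, post-compression traffic not measured")
    return version, flows, findings
```
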



Ryan Slosser

My name is Ryan. I work in development here at Plixer. I mostly deal with hardware deployment. I enjoy kayaking and fishing during the summer and skiing in the winter. People can count on me and I always give 100% unless I'm donating blood.

