If you check your router's NetFlow config, you'll most likely find that you're exporting NetFlow v5. If you're not sure, do a show run | i ip flow and look for:
ip flow-export version 5
With NetFlow v5, all your traffic is measured on ingress to an interface. What goes in, must come out, right?
This is not always the case…
With the introduction of compression and optimization technologies, such as WAAS, traffic can change after it passes the ingress interface.
Imagine you are monitoring flows using ip flow ingress and you see a conversation that passed 2.4mb. Even though that traffic was 2.4mb on the inbound, once compressed, that same conversation could be 1.2mb by the time it leaves that router's outbound interface. This is where monitoring the egress with NetFlow v9 becomes important.
Using ip flow egress may give you a more accurate representation of your data as opposed to using ip flow ingress.
(I can already hear you opening your telnet session to your router…)
To make the change, just change your NetFlow export version:
- ip flow-export version 9
After modifying the global config, be sure to enable egress monitoring on each interface by adding:
- ip flow egress
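
Once the router exports v9 with egress monitoring enabled, a collector can tell the two views apart by the DIRECTION field (type 61: 0 = ingress, 1 = egress) in each record. The sketch below is an added example, not code from the original post: it parses a v9 packet and totals bytes per direction. The field numbers are from RFC 3954; the sample packet, its addresses and byte counts are constructed, and it assumes the byte counter is exported as IN_BYTES (type 1) for both directions and that the template arrives in the same packet as the data.

```python
import struct
from collections import defaultdict

IN_BYTES, DIRECTION = 1, 61              # NetFlow v9 field types (RFC 3954)
NAMES = {0: "ingress", 1: "egress"}      # DIRECTION values

def bytes_by_direction(packet):
    """Sum IN_BYTES per DIRECTION over the data FlowSets of one v9 export packet."""
    version, _count = struct.unpack_from("!HH", packet, 0)
    if version != 9:
        raise ValueError(f"export version {version}: this parser handles v9 only")
    templates, totals, offset = {}, defaultdict(int), 20   # v9 header is 20 bytes
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed or truncated FlowSet")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                                # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if tid < 256 or n == 0 or pos + 4 + 4 * n > len(body):
                    break                                  # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
                pos += 4 + 4 * n
        elif flowset_id in templates:                      # data FlowSet we can decode
            fields = templates[flowset_id]
            rec_len = sum(flen for _, flen in fields)
            for start in range(0, len(body) - rec_len + 1, rec_len):
                rec, pos = {}, start
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[pos:pos + flen], "big")
                    pos += flen
                totals[NAMES.get(rec.get(DIRECTION), "unknown")] += rec.get(IN_BYTES, 0)
        offset += length
    return dict(totals)

def sample_packet():
    """Constructed sample: the same conversation seen on ingress and, compressed, on egress."""
    fields = [(8, 4), (12, 4), (IN_BYTES, 4), (DIRECTION, 1)]  # src, dst, bytes, direction
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    addrs = bytes([192, 0, 2, 10, 198, 51, 100, 20])           # documentation addresses
    recs = b"".join(addrs + struct.pack("!IB", n, d) for n, d in ((2_400_000, 0), (1_200_000, 1)))
    recs += b"\x00" * (-(len(recs) + 4) % 4)                   # pad FlowSet to 4 bytes
    header = struct.pack("!HHIIII", 9, 3, 0, 0, 1, 0)          # version 9, 3 records
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(recs)) + recs)

if __name__ == "__main__":
    print(bytes_by_direction(sample_packet()))
```

A collector that sums both directions for the same conversation would double count it, so reports should filter on one DIRECTION value per interface.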