Friday, September 21, 2012

NetFlow Configurations

Subject: NetFlow Configurations
From: Webb, Rob
To: TEAM - SABU - NETQOS - TECHNOLOGY
Date Sent: 10/4/2011 10:59:48 AM
I recently answered a question about what's the best way to configure flow data on a router. Here is what I've found through my experience. Thought I'd share with the entire team:
There are several options for configuring NetFlow:
1) Ingress only (default): this must be applied to ALL active L-3 interfaces in order to properly calculate the outbound on any given interface. This is because NetFlow is being collected inbound to the router, and in order to calculate the outbound, all traffic destined out a particular interface is associated with the outbound metric for that interface. The limitation is when you have a router marking QoS: the marking occurs after the NetFlow is calculated. Works with v5 or v9.
2) Egress only: works the same as Ingress but in the opposite direction. The advantage is that now the NetFlow is being calculated after the QoS marking... and therefore you will see how the traffic is marked as it leaves a given router. Again, ALL active L-3 interfaces need to have this configured in order to provide accurate inbound measurements. Works with v5 or v9.
3) Ingress & Egress: this works with NetFlow v9 (IOS 12.4 and newer). Yes, there is an increase in flow data; however, now only the interface(s) of interest need the flow commands. If flow data is collected at multiple points (i.e. inbound on one interface and again as outbound on another), the v9 flows contain a marker that identifies the interface and direction. RA is intelligent enough to only count the most relevant data, eliminating double counting of this traffic. Works with v9 only.
In summary:
Ingress = on all active L-3 interfaces / not good if marking (QoS) in the same router as reporting
Egress = on all active L-3 interfaces / good if marking (QoS) in the same router as reporting
Ingress/Egress = best option, only configured on interfaces of interest
Do not mix and match.  Pick one and stick with it on any given router!
_________________________________________________________________________
CA Technologies | Rob Webb | Senior Principal Consultant, NA Solutions Architecture Group | 412-916-8023 | rob.webb@ca.com

One additional point I'd like to add is that RA will double count flows if ingress AND egress are enabled on the LAN and WAN interfaces AND you are using NetFlow version 5.
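The following toy model, added here and not part of Rob's e-mail or of any CA product, shows why option 3 needs v9: it replays the same two packet streams through a router with ingress-only caches, with ingress and egress caches exporting v9 (direction-tagged) records, and with the same two caches exporting v5 records, then totals bytes per interface the way a collector would. Interface indexes, byte counts and field names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    in_if: int                       # SNMP ifIndex the packets arrived on
    out_if: int                      # SNMP ifIndex the packets left on
    nbytes: int
    direction: Optional[int] = None  # v9 only: 0 = ingress cache, 1 = egress cache

def router_export(traffic, ingress_ifs, egress_ifs, version):
    """Model the router's flow caches: each packet stream (in_if, out_if, bytes)
    yields one record per cache it passes through.  v5 records carry no
    direction field, so the collector cannot tell which cache produced them."""
    records = []
    for in_if, out_if, nbytes in traffic:
        if in_if in ingress_ifs:
            records.append(Flow(in_if, out_if, nbytes, 0 if version == 9 else None))
        if out_if in egress_ifs:
            records.append(Flow(in_if, out_if, nbytes, 1 if version == 9 else None))
    return records

def collector_totals(records):
    """Per-interface in/out bytes as a collector derives them.  An untagged record
    is treated as the only copy of its traffic and credited to both interfaces;
    a direction-tagged v9 record is credited only to the interface whose cache
    produced it, which is what removes the double count."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        if r.direction in (None, 0):
            totals[r.in_if]["in"] += r.nbytes
        if r.direction in (None, 1):
            totals[r.out_if]["out"] += r.nbytes
    return dict(totals)

LAN, WAN = 1, 2
# Constructed traffic: 1000 bytes LAN->WAN and 500 bytes WAN->LAN.
TRAFFIC = [(LAN, WAN, 1000), (WAN, LAN, 500)]

def ingress_only_v5():            # option 1: ingress on every L-3 interface
    return collector_totals(router_export(TRAFFIC, {LAN, WAN}, set(), 5))

def both_directions_v9():         # option 3: both caches, v9 direction marker
    return collector_totals(router_export(TRAFFIC, {LAN, WAN}, {LAN, WAN}, 9))

def both_directions_v5():         # the mix warned about: both caches, no marker
    return collector_totals(router_export(TRAFFIC, {LAN, WAN}, {LAN, WAN}, 5))

def wan_only_v9():                # option 3 applied only to the interface of interest
    return collector_totals(router_export(TRAFFIC, {WAN}, {WAN}, 9))
```

Options 1 and 3 agree (LAN in 1000/out 500, WAN in 500/out 1000); the v5 ingress+egress run reports exactly double, and the WAN-only v9 run still yields correct WAN figures without touching the LAN interface.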
