What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

What are the right NetFlow settings? Ingress vs. Egress

Votes:

0

How should I be using the IP FLOW INGRESS & IP FLOW EGRESS commands or should I just use IP route-cache flow ?

I guess I'm not sure what the difference is, it seems at all my routers have all 3 commands.

egress ingress netflow xflow

Created on Jun 3, 2011 6:42:58 AM by Aurelio Lombardi [Paessler Support]

Last change on Sep 19, 2011 9:13:02 AM by Daniel Zobel [Product Manager]



2 Replies

Accepted Answer

Votes:

0

If you are interested in monitoring flows on a physical interface, you would use ip route-cache flow. By enabling ip route-cache flow on the physical interface, it will in turn enable flows on all subsequent sub-interfaces.

But let’s say that you are not interested in seeing flows on sub-interfaces x,y and z; but you do want to see flows on subs a, b and c, from that same interface. This is where the command comes into use.

So, as a quick summary:

ip route-cache flow will enable flows on the physical interface and all sub-interfaces associated with it.

ip flow ingress will enable flows on individual sub-interfaces, as opposed to all of them on the same interface.

NOTE: Egress is only available in Cisco NetFlow v9 and not NetFlow v5.

Ingress vs. Egress Differences

NetFlow v9 Ingress is collected on traffic going into (i.e. inBound) an interface. This is how NetFlow v5 collects data. To figure out outBound traffic volume, ingress must be collected on all interfaces and the reporting software then displays outbound traffic. What goes in must go out, right? Ya, usually.

NetFlow v9 Egress is collected on traffic going out (i.e. outBound) of an interface. Generally, it is used in combination with Ingress, but it doesn’t have to be.

NetFlow v9 supports ingress and egress NetFlow. In most installations, ingress flows enabled on all the interfaces of the switch or router will deliver on the information we need. Here are a few reasons to use Egress Flows:

In WAN compression environments (e.g. Cisco WAAS, Riverbed, etc.), we need to see traffic after it was compressed. Using Ingress flows causes an over stated outbound utilization on the WAN interface. Egress flows are calculated after compression.

In multicast environments, ingress multicast flows have a destination interface of 0 because the router doesn’t know what interface they will go out until after it processes the datagrams. Exporting egress flows delivers the destination interface and as a result multiple flows are exported if the flow is headed for multiple interfaces.

When exporting NetFlow on only one interface of the router or switch. Enabling both on a single interface means that all traffic in and out is exported in NetFlow datagrams.

See Also

Created on Jun 3, 2011 6:52:46 AM by Aurelio Lombardi [Paessler Support]

Last change on Sep 23, 2015 12:53:42 PM by Gerald Schoch [Paessler Support]



Votes:

0

When exporting NetFlow on only one interface of the router or switch. Enabling both on a single interface means that all traffic in and out is exported in NetFlow datagrams.

If this is implemented on a single router interface using NetFlow v9, and SNMP is also implemented on the same interface to monitor in and out traffic, should the total traffic for each sensor be equal?

Created on Jun 3, 2011 10:22:20 PM




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.