tips:ingress-egress-netflow
Differences
This shows you the differences between two versions of the page.
tips:ingress-egress-netflow [2020/11/27 13:07] – created veera | tips:ingress-egress-netflow [2020/11/27 16:05] (current) – [Enabling Ingress and Egress Netflow - issues and valid use cases] veera | ||
---|---|---|---|
Line 2: | Line 2: | ||
- | A packet belonging to a IP flow | + | A packet belonging to a IP flow enters a device at an ingress interface and exits through an egress interface. |
- | Netflow has historically been an ingress only technology. | + | |
+ | |||
+ | Netflow has historically been an ingress only technology. | ||
+ | |||
+ | < | ||
+ | |||
+ | ===== Enabling both ingress and egress can result in inconsistent data ===== | ||
+ | |||
+ | Enabling both ingress and egress netflow using on Cisco | ||
+ | '' | ||
+ | ip flow ingress | ||
+ | ip flow egress | ||
+ | '' | ||
+ | |||
+ | will result in a netflow record being generated once at the ingress interface and once again at the egress interface. As noted earlier, | ||
+ | |||
+ | ==== Example : Ingress and Egress enabled on both downstream and upstream interfaces==== | ||
+ | |||
+ | The following diagram shows both ingress and egress enabled on downstream interface p1 and upstream p2. A packet that flows through p1 will get a netflow record shown by the dotted line labelled //ingress netflow// | ||
+ | |||
+ | This can | ||
+ | - Result in double counting | ||
+ | - If used with a sampler can cause inconsistent data | ||
+ | |||
+ | [{{: | ||
+ | |||
+ | |||
+ | |||
+ | ===== When to use ingress and egress netflow ===== | ||
+ | |||
+ | In our customers there are valid use cases for enabling both ingress and egress netflow. | ||
+ | |||
+ | In some ISP environments, | ||
+ | |||
+ | The rules to enable both ingress and egress on the upstreams are: | ||
+ | - Upstream interfaces should not route traffic between themselves (double counting) | ||
+ | - Downstream interfaces should not route traffic between themselves (missing traffic) | ||
+ | - Downstreams should only exchange with upstreams and vice versa | ||
+ | |||
+ | The following diagram shows a valid use case. | ||
+ | |||
+ | [{{: | ||
+ | |||
+ | In this example the red and blue flows are measured for Netflow at the upstream interfaces only. Hence there will be no duplicate or inconsistent data. | ||
+ | |||
+ | ===== Performance note about egress netflow ===== | ||
+ | |||
+ | In addition , please check with your vendor if there are any performance implications for enabling egress netflow. | ||
+ | |||
+ | |||
+ | //Egress NetFlow accounting might adversely affect network performance because of the additional accounting-related computation that occurs in the traffic-forwarding path of the router.// | ||
+ | |||
+ | |||
+ | ===== Configuration options in Trisul ===== | ||
+ | |||
+ | |||
+ | The following are relevant [[https:// | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Trisul automatically detects duplicate flow records |
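Review bot: The italic quotation in the "Performance note about egress netflow" section ("Egress NetFlow accounting might adversely affect network performance ...") has no attribution. Name the vendor document it comes from, so readers can tell which platform the warning applies to before acting on "please check with your vendor". In the rules list under "When to use ingress and egress netflow", the parenthetical "(missing traffic)" on the downstream rule would be clearer as a full sentence saying that traffic routed between two downstream interfaces never crosses an upstream interface and so produces no flow record at all. Wording nits in the added lines: "a IP flow" should be "an IP flow", "using on Cisco" should read "on Cisco using", "In our customers" reads better as "Among our customers", and "In addition , please" has a stray space before the comma.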
tips/ingress-egress-netflow.1606462654.txt.gz · Last modified: 2020/11/27 13:07 by veera