Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » tips » Enabling Ingress and Egress Netflow - issues and valid use cases
Trace:
tips:ingress-egress-netflow

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
tips:ingress-egress-netflow [2020/11/27 13:55] veeratips:ingress-egress-netflow [2020/11/27 16:05] (current) – [Enabling Ingress and Egress Netflow - issues and valid use cases] veera
Line 6: Line 6:
  
 Netflow has historically been an ingress only technology. Later versions of Netflow added the option to enable netflow at the egress interface as well.  One way wonder how an analyst can get both the interfaces if Netflow is enabled in one direction only.  The answer lies in the structure of the Netflow record.  Every Netflow record contains both the ingress and egress interface numbers.  Netflow has historically been an ingress only technology. Later versions of Netflow added the option to enable netflow at the egress interface as well.  One way wonder how an analyst can get both the interfaces if Netflow is enabled in one direction only.  The answer lies in the structure of the Netflow record.  Every Netflow record contains both the ingress and egress interface numbers. 
 +
 +<note>**Recommended**: We recommend for most users to enable ingress netflow only on all interfaces.</note> 
  
 ===== Enabling both ingress and egress can result in inconsistent data ===== ===== Enabling both ingress and egress can result in inconsistent data =====
Line 25: Line 27:
   - If used with a sampler can cause inconsistent data    - If used with a sampler can cause inconsistent data 
  
-{{:tips:egressnetflowdup.png?600|}}+[{{:tips:egressnetflowdup.png?600|showing duplicate flows when enabling both ingress and egress netflow}}
  
  
Line 41: Line 44:
 The following diagram shows a valid use case. The following diagram shows a valid use case.
  
-{{:tips:egressnetflowdup_-_page_2.png?600|}}+[{{:tips:egressnetflowdup_-_page_2.png?600|when ingress and egress enabled only on upstream interfaces no duplicates are seen. this configuration works}}]
  
 In this example the red and blue flows are measured for Netflow at the upstream interfaces only. Hence there will be no duplicate or inconsistent data. In this example the red and blue flows are measured for Netflow at the upstream interfaces only. Hence there will be no duplicate or inconsistent data.
Line 52: Line 55:
 //Egress NetFlow accounting might adversely affect network performance because of the additional accounting-related computation that occurs in the traffic-forwarding path of the router.// //Egress NetFlow accounting might adversely affect network performance because of the additional accounting-related computation that occurs in the traffic-forwarding path of the router.//
  
 +
 +===== Configuration options in Trisul =====
 +
 +
 +The following are relevant [[https://www.trisul.org/docs/ref/netflow-config.html|Netflow configuration parameters]] in Trisul Network Analytics. 
 +
 +  * ''IgnoreV9EgressFromDevices'' : A list of device IP addresses. Egress direction netflows will be ignored from these devices
 +  * ''IgnoreAllEgress'' : Ignore egress netflow from all devices. 
 +
 +Trisul automatically detects duplicate flow records  which arrive within a time window and removes them.  
tips/ingress-egress-netflow.1606465516.txt.gz · Last modified: 2020/11/27 13:55 by veera