Which Ports to Configure for Netflow?

Question

Hello,

I am trying to set up Solarwinds NTA but I am having a bit trouble conceptulising the deployment and configuration. Can someone advise on which ports Netflow should be enabled within a multi-campus network environment?

I have three sites A, B and C that are connected with WAN links (A to B, B to C and C to A). There is a Cisco 3850 core switch at each site which is capable of doing Cisco Flexible Netflow. My question is on which interfaces should I enable Netflow on the cores?

I presume to enable it on the L3 WAN Link ports between each of the sites.

1. Should I enable Netflow on the trunk ports between the Core and Edge Switches at each site?

2. For each interface where Netflow is enabled, what direction should it be enabled for (Ingress, Egress or Both)? I did find this article which said not to enable both Ingress and Egress capture for Netflow interfaces due to double-capturing data. But if you just enable Ingress monitoring on each interface then the Egress statistics in NTA are blank.  Should this be how it is done?

3. How is traffic between two ports on the same VLAN, on the same edge switch captured by Netflow? Or is NTA with Netflow only designed to capture routed traffic?

Thanks

bobmarley · Answer

1. Should I enable Netflow on the trunk ports between the Core and Edge Switches at each site?

- I would get the WAN up and running first. Set it up in smaller increments. Whatever is most important to you first, get everything running the way you want then do the next section of the network. Unless you really beefed out your Netflow server when you built it you will notice it getting slower the more flows are added so use some discretion when adding flows. Core switches usually have lots and lots of flows.

2. For each interface where Netflow is enabled, what direction should it be enabled for (Ingress, Egress or Both)? I did find this article which said not to enable both Ingress and Egress capture for Netflow interfaces due to double-capturing data. But if you just enable Ingress monitoring on each interface then the Egress statistics in NTA are blank.  Should this be how it is done?

-Regardless of double capturing the traffic, the way the screens are laid out I always found it easier to capture both directions. Most of the views toggle between ingress/egress/both and you can always apply filters.

I didn't want to need to have two router windows up to view a single circuit.  Try it both ways and see which way you prefer.

3. How is traffic between two ports on the same VLAN, on the same edge switch captured by Netflow? Or is NTA with Netflow only designed to capture routed traffic?

-Two ports on the same network on the same switch are going to only cross the backplane of the switch - using layer 2. While you could create flows for this - is it something you really need? Maybe, maybe not depends on your situation.

braulioj · Answer

Hi,

Could you tell where the traffic is coming from by Autonomous System too, right?? do you have it configured???

I am receiving the all traffic, but the Display of the information in Solarwinds show me tha Data, but the Total amount of traffic based on any Range of traffic, and not the Utilization of the Link...

I would like to see something as you mention: If i have an 10G interface and the Netflix Consumtion of my customer/lan/networks is 7G (Well 7G of traffic is coming or going from/to Netflix), but in my case i am seeing 30 TB in 5 minutes,

Any idea???

Thks!!

_JS

sonic9t9 · Answer

It all depends on what you are trying to monitor and it's POV. WAN/Internet links you likely wnat ingress. AKA you don't send traffic out to Netflix  Yes, you should  do trunk links between switches.    We just monitor all ports but don't pay attention much to individual user ports... but for netflow we only apply it to the WAN links and ring interconnect liknks.  I can tell based on IP where the traffic is coming from.   Just example.

LIke in the last hour I see on the internet link out. ingress netflix 7gb. 0 egress on that service.