• State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 24 subscribers
  • Views 172 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

design advice - where to configure Netflow sources?

flipton

We're having a running discussion [argument?] on which devices should be configured as Netflow sources. I've just started at a new job and my first assigned task is rebuilding the existing SW box [NPM, NTA, APM, IPAM, NCM]. The existing set up has all 16 IDF switches [Cisco 65xx] configured as sources [ingress only] along with the two core switches and two server farm switches, also ingress only and only on the vlans, not ports.

I contend that as all traffic passes through the two core switches that's the only place we need to collect Netflow data from. My colleague contends that to examine traffic within a vlan that exists only on an IDF switch [but still talks through the core switches] we need to have the IDF switch as a collector.

Something that's confusing both of us is the ingress/egress part. The NTA admin guide doesn't do enough explaining to shed light on this whole design discussion [argument?]. The forum posts, especially ones with "best practice" in their subject lines, don't come near to addressing/defining these terms much less the concepts of collector placement.

Can I get guidance on where to focus? Pls/Thnx...

  • 0

      Hi Fred

    here is an explanation for the Ingree / Egress part.

    Ingress Network traffic that originates from outside of the networks routers
    and proceeds toward a destination inside of the network.

    For example, an e-mail message that is considered ingress traffic will
    originate somewhere outside of a enterprises LAN, pass over the Internet and
    enter the companies LAN before it is delivered to the recipient.

    Egress Network traffic that begins inside of a network and proceeds through
    its routers to a destination somewhere outside of the network.

    For example, an e-mail message that is considered egress traffic will travel
    from a users workstation and pass through the enterprises LAN routers before it
    is delivered to the Internet to travel to its final destination.

     

    You can setup your Core IDF switches ( Or Firewall ) as a collector where
    all the traffic passing through . If you have configured Vlan's that's should
    be enough for you to view all the Egress/Ingress traffic and you do not need to
    setup your each ports to collect the Netflow data.

    Selection of (Egress/Ingress ) traffic and sources is all your choice and
    depends what you are looking for where Netflow is completely flexible in order
    to support both collection. Once you have the both traffic type you can filter as required.

    Please let us know if you required further asistance or required further details for each part.

  • 0

    I always hate disagreeing with Solarwinds staff, but Malik's explanation is not quite correct. NetFlow is *interface* specific, and it's directional. For a particular interface, ingress NetFlow measures packets coming *into* that interface from the router's perspective, and egress NetFlow measures traffic leaving the interface. Consider the following topology:

    Host A<--->inside network<--->F0/0-Router-F0/1<--->Internet<--->Host B

    If you configure "ip flow ingress" on F0/0, the router measures traffic *received* on that interface (that is, from the inside network). In this case, the traffic is presumably going toward the Internet, but if the router had other interfaces it could be going elsewhere too. If you configured "ip flow egress" on F0/0, the router would measure traffic *leaving* F0/0, going toward the inside network. Note also that traffic from Host A > Host B is considered by the router to be a different flow than traffic from Host B to Host A. You can see this clearly with "show ip cache flow": assuming a symmetric path, each conversation should have two entries in the flow cache, one for each direction. The flow collector and analyzer software might try to knit the two flows together.

    One of the reasons that this can be confusing is that the egress interface is not considered a "key field" by the router when determining what constitutes a unique flow. The reason for this is that it's possible for the egress interface to change due to a routing update while leaving the flow intact.

    Now all that said: this is how the *router* views NetFlow. I hope that Solarwinds NTA is parsing the flow records correctly, but I don't know how NTA merges flows or handles the ingress/egress flag when summarizing data. This is one reason I always look at interface detail views rather than node detail views when using NTA. It's also an area where I think we could use a lot more documentation from Solarwinds, and a lot more detailed functionality in the product.

    As far as your question about where to collect: again, you need to look at it from an interface perspective. Into which specific interfaces do you need visibility in your network? I collect NetFlow from every interface I can, because I don't know in advance where I'll need to look. If you only care about traffic when it transits a certain part of your network, then collect only at that point.

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.