5 Replies Latest reply on Mar 1, 2017 1:18 PM by bobmarley

    Which Ports to Configure for Netflow?

    raymondwilson

      Hello,

       

      I am trying to set up Solarwinds NTA but I am having a bit of trouble conceptualising the deployment and configuration. Can someone advise on which ports Netflow should be enabled within a multi-campus network environment?

       

      I have three sites A, B and C that are connected with WAN links (A to B, B to C and C to A). There is a Cisco 3850 core switch at each site which is capable of doing Cisco Flexible Netflow. My question is on which interfaces should I enable Netflow on the cores?

       

      I presume to enable it on the L3 WAN Link ports between each of the sites.

       

      1. Should I enable Netflow on the trunk ports between the Core and Edge Switches at each site?

       

      2. For each interface where Netflow is enabled, what direction should it be enabled for (Ingress, Egress or Both)? I did find this article which said not to enable both Ingress and Egress capture for Netflow interfaces due to double-capturing data. But if you just enable Ingress monitoring on each interface then the Egress statistics in NTA are blank.  Should this be how it is done?

       

      3. How is traffic between two ports on the same VLAN, on the same edge switch captured by Netflow? Or is NTA with Netflow only designed to capture routed traffic?

       

      Thanks

        • Re: Which Ports to Configure for Netflow?
          sonic9t9

          If you can enable netflow on the device you can monitor the traffic. It all depends on how you think the data flows or if there is one central point where it all collides.

           

          We have a large Metro WAN and we usually only enable netflow on the WAN links and the interconnects to other rings. There is no point on a LAN link IMO when that traffic is going to be hitting the WAN link. You have to be careful on some of these things and how many packets you are looking at. Older routers can't handle hardcore netflow, or rather their CPU can't; you have to monitor that.

            • Re: Which Ports to Configure for Netflow?
              raymondwilson

              Hi,

               

              I think you're definitely going to want to monitor LAN traffic as not all traffic is destined to go across the WAN links. That was why I thought to monitor the trunk links from the edge switches to the collapsed core switch at each of the three sites. This is not going to capture traffic between two endpoints patched in to the same edge switch though...

               

              I still don't quite get the Ingress vs Egress monitoring. I have done a lot of research and the general consensus seems to be to enable Ingress monitoring only on all the interfaces you intend to monitor. I don't have any routers or L3 capable switches where there is only one link for traffic to come in and out of... and I don't want to enable both Ingress and Egress monitoring on every interface because of double-handling of data and erroneous statistics.

               

              It seems to work but doesn't look correct in Solarwinds NTA, because all the Egress stats and columns obviously show 0 bytes. I wanted to confirm this is how other people are using it.

                • Re: Which Ports to Configure for Netflow?
                  sonic9t9

                  It all depends on what you are trying to monitor and its POV. WAN/Internet links you likely want ingress. AKA you don't send traffic out to Netflix. Yes, you should do trunk links between switches. We just monitor all ports but don't pay attention much to individual user ports... but for netflow we only apply it to the WAN links and ring interconnect links. I can tell based on IP where the traffic is coming from. Just example.

                  Like in the last hour I see on the internet link out: ingress Netflix 7 GB, 0 egress on that service.

                    • Re: Which Ports to Configure for Netflow?
                      braulioj

                      Hi,

                      You could tell where the traffic is coming from by Autonomous System too, right? Do you have it configured?

                       

                      I am receiving all the traffic, but the display of the information in Solarwinds shows me the data, but the total amount of traffic based on any range of traffic, and not the utilization of the link...

                       

                      I would like to see something as you mention: if I have a 10G interface and the Netflix consumption of my customer/LAN/networks is 7G (well, 7G of traffic is coming or going from/to Netflix), but in my case I am seeing 30 TB in 5 minutes,

                       

                      Any idea?

                       

                      Thanks!!

                       

                       

                      _JS

                • Re: Which Ports to Configure for Netflow?
                  bobmarley

                  1. Should I enable Netflow on the trunk ports between the Core and Edge Switches at each site?

                  - I would get the WAN up and running first. Set it up in smaller increments. Whatever is most important to you first, get everything running the way you want then do the next section of the network. Unless you really beefed out your Netflow server when you built it you will notice it getting slower the more flows are added so use some discretion when adding flows. Core switches usually have lots and lots of flows.

                   

                  2. For each interface where Netflow is enabled, what direction should it be enabled for (Ingress, Egress or Both)? I did find this article which said not to enable both Ingress and Egress capture for Netflow interfaces due to double-capturing data. But if you just enable Ingress monitoring on each interface then the Egress statistics in NTA are blank.  Should this be how it is done?

                  -Regardless of double capturing the traffic, the way the screens are laid out I always found it easier to capture both directions. Most of the views toggle between ingress/egress/both and you can always apply filters.

                  I didn't want to need to have two router windows up to view a single circuit.  Try it both ways and see which way you prefer.

                   

                  3. How is traffic between two ports on the same VLAN, on the same edge switch captured by Netflow? Or is NTA with Netflow only designed to capture routed traffic?

                  -Two ports on the same network on the same switch are going to only cross the backplane of the switch - using layer 2. While you could create flows for this - is it something you really need? Maybe, maybe not; it depends on your situation.
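
The ingress/egress "double-capturing" question raised in this thread can be modelled in a few lines. The following is an added example, not part of any post above and not SolarWinds NTA's or Cisco's own logic. The interface names, flow labels and byte counts are constructed, and it assumes every exported record carries both its input and output interface.

```python
from collections import defaultdict

# Constructed sample: flows routed through one core switch.
# Interface names, flow labels and byte counts are invented for illustration.
TRAFFIC = [
    {"flow": "wan-download", "in": "WAN-A-B", "out": "Trunk-Edge1", "bytes": 7000},
    {"flow": "wan-upload", "in": "Trunk-Edge1", "out": "WAN-A-B", "bytes": 300},
    {"flow": "lan-to-lan", "in": "Trunk-Edge1", "out": "Trunk-Edge2", "bytes": 1200},
]
INTERFACES = ["WAN-A-B", "Trunk-Edge1", "Trunk-Edge2"]

# Monitor placements discussed in the thread, as (interface, direction) pairs.
INGRESS_ALL = {(i, "ingress") for i in INTERFACES}
BOTH_ALL = INGRESS_ALL | {(i, "egress") for i in INTERFACES}
WAN_BOTH = {("WAN-A-B", "ingress"), ("WAN-A-B", "egress")}

def export(traffic, monitors):
    """Emit one record for every monitor a flow passes on its way through."""
    records = []
    for f in traffic:
        if (f["in"], "ingress") in monitors:
            records.append({**f, "dir": "ingress"})
        if (f["out"], "egress") in monitors:
            records.append({**f, "dir": "egress"})
    return records

def naive_total(records):
    """Sum the bytes of every record, with no de-duplication."""
    return sum(r["bytes"] for r in records)

def per_interface(records):
    """Per-interface in/out bytes, counting each flow once.

    Assumes every record carries both its input and output interface.
    """
    seen, stats = set(), defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        if r["flow"] in seen:  # second record of a flow already counted
            continue
        seen.add(r["flow"])
        stats[r["in"]]["in"] += r["bytes"]
        stats[r["out"]]["out"] += r["bytes"]
    return dict(stats)

if __name__ == "__main__":
    for name, mon in [("ingress, all", INGRESS_ALL), ("both, all", BOTH_ALL), ("both, WAN only", WAN_BOTH)]:
        recs = export(TRAFFIC, mon)
        print(name, len(recs), naive_total(recs), per_interface(recs)["WAN-A-B"])
```

In this model the doubling appears only when a flow passes two monitors on its way through the device; both directions on a single WAN interface still record each flow once.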