One of the primary use cases of NetFlow is to disclose what is taking up WAN bandwidth as it is a recuring cost and as such requires management. It sounds like this device only passes data from the LAN to the WAN so you would be covered by using the WAN IF as your exporter.
I am in the middle of a Riverbed implementation as well. I think this thread answered my question of whether I need to monitor both LAN and WAN interfaces. However, I just wanted to know what would happen if you monitored both interfaces? Will Orion be able to tell that comes from the same device and give me correct numbers or would it double my numbers since it is seeing that some of the same data is on both the LAN and the WAN? I know in the NetFlow setup on the Riverbed it has a field to enter the LAN subnets. It says: "Specify which subnets are on the LAN side of the appliance, which allows the netflow collectors, including top talkers, to properly classify traffic as LAN or WAN. " I didn't know if Orion gets that subnet info and uses it somehow to sort out the data it would receive if both LAN and WAN were being monitored.
This is my first time working with NetFlow, so I'm just trying to get a good handle on what to expect.
Also, does anyone have a general idea of what the bandwidth hit is for the NetFlow data going across the pipe to the collector? My other fear would be that I end up clogging my pipe with the extra data I'm collecting.
On the WAN interface, I believe it is all port 7800 traffic, probably want to see the lan0_0 traffic.
You may be able to config it on the InPath IP?
We use Cisco's WAAS; but it's a similar concept to the Riverbed product. If you're using the Steelheads inline, then you pretty much have to monitor the lan side because Riverbed translates all traffic into a single port on the WAN side, even if you use their "transparency" stuff.
What I tend to do is monitor the flow export on the head-end router, but if I have to do flow on the remote end I use the LAN side.