Question on Netflow report for Endpoints with Ingress and Egress

Hi Larry,

Not sure what you mean by "the interface is the same". Same utilization, same name?

**bump**

I think I'm noticing the same thing on my NTA.  In my experience, the ingress/egress toggle does not change the report that is displayed.

I ran an NTA details for the last 8 hours on an edge router of ours just now.  I compared the "ingress" with the "egress" and there are NO,not one or two, or a few, NO differences (other than the toggle shows ingress/egress).

This is the case for every report we run on the NTA web interface.  Can this toggle just be removed from the web gui?  It seems to offer no function.

Could this be due to our just using "ip route-cache flow" rather than the interface level commands "ip flow ingress|egress"?

Let me see if I can find the thread where I posed the same question.  Basically, Solarwinds is defining Endpoint as total traffic without direction taken into account.  They suggested using Top Receivers and Transmitters instead.

Here it is:

The percent utilization problem, which was the original question, was fixed in NTA 3.7 Hotfix 1

If you see the exact same ingress and egress traffic on an interface, that means that you are not filtering or otherwise blocking any traffic. What went in the interface, is exactly the same as what came out. This is expected unless you have CBQoS or an access list preventing traffic from traversing the interface.

So it would seem that "Top XX Endpoints|Conversations" aggregates ingress/egress. 

If you want to see true ingress/egress numbers you need to view "Top XX Receivers|Transmitters" (not the global one) resource on your NTA node details window.

Still though the toggle seems to bring nothing to the table, am I wrong?

Yes jagle you are correct but the toggle does comes into play in some instances.  I would expect no difference if collecting both in and out flows an all the interfaces of the node.  The collector will see a flow record from the device for both the outbound interface and inbound interface making Egress=Ingress

Imagine Device A with interfaces  B and C and Egress and Ingress flow are collected for  both

A flow comes ingress on B  for server1 to server 2 for app FTP for 1000bytes.

It exits C Egress for server1 to server 2 for app FTP for 1000bytes

If you ran a report with Ingress toggle you would see server1 to server 2 for app FTP for 1000bytes.

If you ran a report with Engress toggle you would see server1 to server 2 for app FTP for 1000bytes.

Both you may see server1 to server 2 for app FTP for 2000bytes which would depend on how a particular collections system tallies traffic.  Same (inflated traffic) for when you see the same flow at different devices within a network and look at the entire conversation from a network wide perspective.

Toggling Egress/Ingress on interfaces I a see a very different picture.

In the end, it just depends and you just have to think it through to make sure it makes sense.