Need some netflow advice. I have about 700 "field" sites and two major data centers, all connected in an MPLS cloud. We are running DMVPN encryption over the WAN links using IPSEC tunnels (a total of three tunnels are defined on each field site router: one to each data center, then a third as a fallback). Most of the resources users access are (obviously) at the data centers. Frequently a field site manager complains about network performance, and as we investigate the issue, it's usually some application taking all of the WAN utilization (most of the sites have one T1).
We recently migrated our MPLS vendor from Sprint to Verizon and we took this into consideration with a default router configuration to include IP flow top 20 talkers (obviously these are all Cisco routers, most 2800 routers with a few 3745s) and have applied the ingress and egress statements to the LAN interface on the router. Ideally, we want to see only WAN traffic but with our tunnel configuration all traffic on the serial interface is already encrypted so netflow would be useless.
We have two NPM polling engines, both with the NTA module installed. While NPM performance isn't too much of an issue at this time, I don't want to send netflow data from all field site routers back to NPM all the time so we only configure netflow on a field site router as needed, then turn it off once we are done.
Now this issue has bubbled to the top at one of our sites which already has netflow turned on. I need some help figuring out why the router's "top talkers" is different from the NTA netflow statistics. Running the "show ip flow top-talkers" command on the router gives one list, and from my understanding, the defaults for that configuration summarize the top talkers for the past 30 minutes. Now I go into NPM/NTA and show the top conversations on that router for the past 30 minutes and see some different information; some endpoints are the same and others are not even in the list. Which is more accurate? Why don't they jibe?
By the way, we are "polling" the routers by the loopback interface, and also source the netflow from the same interface. We monitor the LAN, serial and tunnel interfaces for utilization, but have had mixed results on the official interface and direction to apply the ingress/egress statements to.
Where is the "ideal" place to monitor the ip flow ingress/egress: tunnels or LAN? Also, is it best to only apply ingress OR egress to the interface? Does applying both double the statistics?
And looking forward to some real-world experience in this...
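For reference, here is an added example of the kind of IOS NetFlow configuration the post is describing (export sourced from the loopback, a top-talkers cache, and ingress/egress collection on a single interface). It is not the poster's configuration or SolarWinds' own; the interface names, the collector address 10.0.0.10 and the timeout values are assumptions chosen for illustration. Port 2055 is the default NetFlow listener port for NTA.

```cisco
! --- Export settings (global) ---
! Source the export from the same loopback that NPM polls, so the
! collector matches the flows to the node it already knows.
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 10.0.0.10 2055   ! assumed NTA collector address

! --- Cache timeouts (global) ---
! The active timeout defaults to 30 minutes: a long-lived flow is not
! exported to the collector until it expires or that timer fires, so a
! 1-minute active timeout makes NTA's "last 30 minutes" view track the
! router's own cache much more closely.
ip flow-cache timeout active 1      ! minutes
ip flow-cache timeout inactive 15   ! seconds (default)

! --- Router-side top talkers (what "show ip flow top-talkers" reads) ---
ip flow-top-talkers
 top 20
 sort-by bytes

! --- Collection point ---
! Collect on ONE interface in BOTH directions. On the LAN interface,
! "ingress" sees LAN->WAN packets and "egress" sees WAN->LAN packets,
! so each packet is counted exactly once.
interface GigabitEthernet0/0
 description Field site LAN (assumed name)
 ip flow ingress
 ip flow egress

! The serial interface only carries encrypted tunnel packets, so NetFlow
! there would report nothing but the tunnel endpoints. The tunnel
! interfaces see the cleartext (pre-encapsulation) flows, so they are the
! alternative collection point if per-tunnel WAN views are wanted:
!
! interface Tunnel100
!  ip flow ingress
!  ip flow egress
!
! Do NOT enable collection on both the LAN and the tunnel interfaces at
! the same time: a LAN->WAN packet would then be counted at LAN ingress
! and again at tunnel egress, which is what doubles the statistics.
```

The practical consequence is that ingress plus egress on a single interface does not double-count; counting the same packet on two interfaces does. The difference between the router's top-talkers list and the collector's view is usually a matter of timing rather than accuracy: the router reports on its live cache, while NTA only sees a flow once it has been exported, which for long-running transfers under the default 30-minute active timeout can lag by up to half an hour.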