Here is an explanation for the Ingress / Egress part.
Ingress: Network traffic that originates from outside of the network's routers
and proceeds toward a destination inside of the network.
For example, an e-mail message that is considered ingress traffic will
originate somewhere outside of an enterprise's LAN, pass over the Internet and
enter the company's LAN before it is delivered to the recipient.
Egress: Network traffic that begins inside of a network and proceeds through
its routers to a destination somewhere outside of the network.
For example, an e-mail message that is considered egress traffic will travel
from a user's workstation and pass through the enterprise's LAN routers before it
is delivered to the Internet to travel to its final destination.
You can set up your Core IDF switches (or firewall) as a collector where
all the traffic is passing through. If you have configured VLANs, that should
be enough for you to view all the egress/ingress traffic, and you do not need to
set up each of your ports to collect the NetFlow data.
Selection of (egress/ingress) traffic and sources is all your choice and
depends on what you are looking for; NetFlow is completely flexible in order
to support both kinds of collection. Once you have both traffic types, you can filter as required.
Please let us know if you require further assistance or further details for each part.
I always hate disagreeing with Solarwinds staff, but Malik's explanation is not quite correct. NetFlow is *interface* specific, and it's directional. For a particular interface, ingress NetFlow measures packets coming *into* that interface from the router's perspective, and egress NetFlow measures traffic leaving the interface. Consider the following topology:
Host A<--->inside network<--->F0/0-Router-F0/1<--->Internet<--->Host B
If you configure "ip flow ingress" on F0/0, the router measures traffic *received* on that interface (that is, from the inside network). In this case, the traffic is presumably going toward the Internet, but if the router had other interfaces it could be going elsewhere too. If you configured "ip flow egress" on F0/0, the router would measure traffic *leaving* F0/0, going toward the inside network. Note also that traffic from Host A > Host B is considered by the router to be a different flow than traffic from Host B to Host A. You can see this clearly with "show ip cache flow": assuming a symmetric path, each conversation should have two entries in the flow cache, one for each direction. The flow collector and analyzer software might try to knit the two flows together.
One of the reasons that this can be confusing is that the egress interface is not considered a "key field" by the router when determining what constitutes a unique flow. The reason for this is that it's possible for the egress interface to change due to a routing update while leaving the flow intact.
Now all that said: this is how the *router* views NetFlow. I hope that Solarwinds NTA is parsing the flow records correctly, but I don't know how NTA merges flows or handles the ingress/egress flag when summarizing data. This is one reason I always look at interface detail views rather than node detail views when using NTA. It's also an area where I think we could use a lot more documentation from Solarwinds, and a lot more detailed functionality in the product.
As far as your question about where to collect: again, you need to look at it from an interface perspective. Into which specific interfaces do you need visibility in your network? I collect NetFlow from every interface I can, because I don't know in advance where I'll need to look. If you only care about traffic when it transits a certain part of your network, then collect only at that point.
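The knitting of two unidirectional flows into one conversation mentioned in the reply above, as an added example that is not part of the original thread and is not how SolarWinds NTA does it. The record fields, the `knit` and `conversation_key` helpers and the sample values are constructed assumptions; only ingress records are summed so that the same packets, also exported at egress on another interface, are not counted twice.

```python
from collections import namedtuple

# Constructed sample records; field names are assumptions, not a real export format.
Flow = namedtuple("Flow", "src sport dst dport proto iface direction octets")

RECORDS = [
    # Host A -> Host B, received on the inside interface
    Flow("10.0.0.5", 51000, "203.0.113.9", 443, 6, "F0/0", "ingress", 1200),
    # The same packets again, counted as they leave toward the Internet
    Flow("10.0.0.5", 51000, "203.0.113.9", 443, 6, "F0/1", "egress", 1200),
    # Host B -> Host A, received on the outside interface
    Flow("203.0.113.9", 443, "10.0.0.5", 51000, 6, "F0/1", "ingress", 48000),
    # A flow with no return direction in the cache
    Flow("10.0.0.5", 51001, "198.51.100.7", 53, 17, "F0/0", "ingress", 80),
]

def conversation_key(f):
    """Direction-independent key: order the endpoints so A->B and B->A match."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (f.proto, min(a, b), max(a, b))

def knit(records, count_direction="ingress"):
    """Merge unidirectional flow records into conversations.

    Only records exported in `count_direction` are summed, so a packet seen
    at ingress on one interface and egress on another is not counted twice.
    """
    convs = {}
    for f in records:
        if f.direction != count_direction:
            continue
        key = conversation_key(f)
        conv = convs.setdefault(key, {"a_to_b": 0, "b_to_a": 0})
        # "a" is the lower-sorted endpoint stored in the key
        side = "a_to_b" if (f.src, f.sport) == key[1] else "b_to_a"
        conv[side] += f.octets
    for conv in convs.values():
        # One empty direction: asymmetric path or unanswered traffic
        conv["one_way"] = conv["a_to_b"] == 0 or conv["b_to_a"] == 0
    return convs

if __name__ == "__main__":
    for key, conv in knit(RECORDS).items():
        print(key, conv)
```

Conversations flagged `one_way` are the ones worth a second look from the interface detail view: either the return path bypasses the monitored interfaces or the traffic was never answered.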