2 Replies Latest reply on Apr 2, 2012 9:26 AM by jswan

    design advice - where to configure NetFlow sources?


      We're having a running discussion [argument?] on which devices should be configured as NetFlow sources. I've just started at a new job and my first assigned task is rebuilding the existing SW box [NPM, NTA, APM, IPAM, NCM]. The existing setup has all 16 IDF switches [Cisco 65xx] configured as sources [ingress only] along with the two core switches and two server farm switches, also ingress only and only on the VLANs, not ports.

      I contend that, as all traffic passes through the two core switches, that's the only place we need to collect NetFlow data from. My colleague contends that to examine traffic within a VLAN that exists only on an IDF switch [but still talks through the core switches] we need to have the IDF switch as a collector.

      Something that's confusing both of us is the ingress/egress part. The NTA admin guide doesn't do enough explaining to shed light on this whole design discussion [argument?]. The forum posts, especially ones with "best practice" in their subject lines, don't come near to addressing/defining these terms, much less the concepts of collector placement.

      Can I get guidance on where to focus? Pls/Thnx...

        • Re: design advice - where to configure NetFlow sources?
          Malik Haider

            Hi Fred

          Here is an explanation for the Ingress / Egress part.

          Ingress: Network traffic that originates from outside of the network's routers
          and proceeds toward a destination inside of the network.

          For example, an e-mail message that is considered ingress traffic will
          originate somewhere outside of an enterprise's LAN, pass over the Internet and
          enter the company's LAN before it is delivered to the recipient.

          Egress: Network traffic that begins inside of a network and proceeds through
          its routers to a destination somewhere outside of the network.

          For example, an e-mail message that is considered egress traffic will travel
          from a user's workstation and pass through the enterprise's LAN routers before it
          is delivered to the Internet to travel to its final destination.

          You can set up your core IDF switches (or firewall) as a collector where
          all the traffic is passing through. If you have configured VLANs, that should
          be enough for you to view all the egress/ingress traffic, and you do not need to
          set up each of your ports to collect the NetFlow data.

          Selection of (egress/ingress) traffic and sources is all your choice and
          depends on what you are looking for; NetFlow is completely flexible in
          supporting both kinds of collection. Once you have both traffic types you can filter as required.

          Please let us know if you require further assistance or further details for each part.

          • Re: design advice - where to configure NetFlow sources?

            I always hate disagreeing with SolarWinds staff, but Malik's explanation is not quite correct. NetFlow is *interface* specific, and it's directional. For a particular interface, ingress NetFlow measures packets coming *into* that interface from the router's perspective, and egress NetFlow measures traffic leaving the interface. Consider the following topology:


            Host A<--->inside network<--->F0/0-Router-F0/1<--->Internet<--->Host B


            If you configure "ip flow ingress" on F0/0, the router measures traffic *received* on that interface (that is, from the inside network). In this case, the traffic is presumably going toward the Internet, but if the router had other interfaces it could be going elsewhere too. If you configured "ip flow egress" on F0/0, the router would measure traffic *leaving* F0/0, going toward the inside network. Note also that traffic from Host A > Host B is considered by the router to be a different flow than traffic from Host B to Host A. You can see this clearly with "show ip cache flow": assuming a symmetric path, each conversation should have two entries in the flow cache, one for each direction. The flow collector and analyzer software might try to knit the two flows together.


            One of the reasons that this can be confusing is that the egress interface is not considered a "key field" by the router when determining what constitutes a unique flow. The reason for this is that it's possible for the egress interface to change due to a routing update while leaving the flow intact.


            Now all that said: this is how the *router* views NetFlow. I hope that SolarWinds NTA is parsing the flow records correctly, but I don't know how NTA merges flows or handles the ingress/egress flag when summarizing data. This is one reason I always look at interface detail views rather than node detail views when using NTA. It's also an area where I think we could use a lot more documentation from SolarWinds, and a lot more detailed functionality in the product.


            As far as your question about where to collect: again, you need to look at it from an interface perspective. Into which specific interfaces do you need visibility in your network? I collect NetFlow from every interface I can, because I don't know in advance where I'll need to look. If you only care about traffic when it transits a certain part of your network, then collect only at that point.
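Added example (not part of the original thread, and not code from SolarWinds or from either poster): a small Python model of the router-side flow cache jswan describes. It uses his topology (Host A on F0/0, Host B behind F0/1) with a constructed packet trace, represents "ip flow ingress" / "ip flow egress" as a set of (interface, direction) pairs, keys flows on the traditional seven key fields with the output interface left out, and shows that A to B and B to A are separate cache entries that only a collector would knit together. The F0/2 interface, the addresses, the ports and the per-pair accounting rule are assumptions made for the demonstration; real IOS keeps separate caches and export formats, so treat this as an illustration of the semantics, not of the implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One forwarded packet as the router sees it (constructed sample data)."""
    in_if: str       # interface the packet was received on
    out_if: str      # interface the routing table chose for it
    src: str
    dst: str
    proto: int       # 6 = TCP
    sport: int
    dport: int
    tos: int = 0
    length: int = 100


@dataclass
class FlowRecord:
    key: tuple
    direction: str       # 'ingress' or 'egress' (what a v9 DIRECTION field would carry)
    monitored_if: str    # interface whose 'ip flow <direction>' accounted the packet
    packets: int = 0
    octets: int = 0
    out_if: str = ""     # non-key field: the last output interface seen for this flow


def flow_key(p):
    """The seven key fields of a traditional NetFlow flow.

    The output interface is deliberately absent: it is a non-key field, so a
    routing update that moves the next hop leaves the flow entry intact."""
    return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.in_if)


def build_flow_cache(packets, monitored):
    """Simplified model of the router's flow cache.

    monitored is a set of (interface, direction) pairs standing in for
    'ip flow ingress' / 'ip flow egress' configured on those interfaces.
    Each configured pair accounts a packet independently (an assumption of
    this model), so ingress on F0/0 plus egress on F0/1 counts A->B twice."""
    cache = {}
    for p in packets:
        hits = []
        if (p.in_if, "ingress") in monitored:
            hits.append(("ingress", p.in_if))
        if (p.out_if, "egress") in monitored:
            hits.append(("egress", p.out_if))
        for direction, iface in hits:
            k = (direction, iface, flow_key(p))
            rec = cache.setdefault(k, FlowRecord(flow_key(p), direction, iface))
            rec.packets += 1
            rec.octets += p.length
            rec.out_if = p.out_if      # updated, never part of the key
    return list(cache.values())


def pair_conversations(records):
    """Collector-side view: knit the two unidirectional flows of one TCP/UDP
    conversation into a single bucket. The router itself never does this."""
    by_tuple = {}
    for r in records:
        src, dst, sport, dport, proto, _tos, _in_if = r.key
        fwd = (src, dst, sport, dport, proto)
        rev = (dst, src, dport, sport, proto)
        by_tuple.setdefault(min(fwd, rev), []).append(r)   # canonical ordering
    return by_tuple


# Constructed trace for jswan's topology:
# Host A<--->inside network<--->F0/0-Router-F0/1<--->Internet<--->Host B
# (F0/2 is an assumed third uplink used to show a routing change.)
A, B = "10.0.0.10", "203.0.113.5"
PACKETS = [
    Packet("F0/0", "F0/1", A, B, 6, 51000, 443),   # A -> B, request
    Packet("F0/1", "F0/0", B, A, 6, 443, 51000),   # B -> A, reply
    Packet("F0/0", "F0/1", A, B, 6, 51000, 443),   # A -> B, second packet
    Packet("F0/0", "F0/2", A, B, 6, 51000, 443),   # A -> B after a routing change
]


def show_ip_cache_flow(records):
    """Rough 'show ip cache flow' style dump, one line per cache entry."""
    for r in records:
        src, dst, sport, dport, proto, _tos, in_if = r.key
        print(f"{r.direction:7} {in_if:5} {src}:{sport} -> {dst}:{dport} "
              f"proto {proto} out {r.out_if} pkts {r.packets} bytes {r.octets}")


if __name__ == "__main__":
    for cfg in ({("F0/0", "ingress")}, {("F0/0", "egress")},
                {("F0/0", "ingress"), ("F0/1", "ingress")}):
        print("config:", sorted(cfg))
        show_ip_cache_flow(build_flow_cache(PACKETS, cfg))
```

With ingress on F0/0 alone, only the A to B direction appears, and the three A to B packets collapse into one entry even though the last one left via a different interface; with egress on F0/0 alone, only B to A appears. Ingress on both F0/0 and F0/1 yields the two entries per conversation that "show ip cache flow" would display, which pair_conversations groups the way a collector might. Configuring ingress on F0/0 together with egress on F0/1 is the double-counting case to watch for when choosing where to collect.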