You are right, it changes per device and network. My (rudimentary) recommendation is as below, and you will need to go through trial and error and then bring in changes based on what you see and what you wish to see.
The basic rule of thumb is to monitor the interfaces on which you see traffic and, among those, monitor the interfaces which are more expensive (WAN / MPLS over LAN). Monitor loopback and such only if you need to see management traffic.
1. For an edge router with only 2 interfaces
It is enough for you to monitor any one of the interfaces (preferably the WAN-facing one), as incoming traffic for one interface will be captured as the outbound traffic for the receiving interface. (Traffic that enters the router should exit through the other interface.)
2. For an edge device with multiple interfaces
It is preferable to monitor the WAN interface if all the traffic that enters from multiple segments exits through the WAN interface. If not, monitor the WAN and the next expensive interface (such as MPLS?).
3. ATM (if DSL is used as access method)
In some implementations, Dialer dials and carries the exit traffic and the virtual access interface brings the return or incoming traffic. In such a scenario, to get a comprehensive picture of IN and OUT traffic for the WAN interface, you will need to monitor both Dialer and Virtual Interface. If not, you can monitor the ATM interface itself.
Monitor the northbound interfaces if you wish to see only the traffic that moves to the upper layers. If you wish to see traffic at the switch port layer (i.e., server-to-server IP conversations), monitor both the northbound and southbound interfaces (this will be expensive in terms of license costs).
I hope that is close to covering what you were looking for?