8 Replies Latest reply on Mar 16, 2015 3:37 PM by michael.almadova@solarwinds.com

    Netflow design

    fstroud

      I have NTA configured on and collecting flow from all WAN remote locations and also in the data centre WAN hub.

       

      For Top 20 Applications is NTA double counting.  i.e. traffic from remote locations flow export plus the export from the WAN hub routers or does NTA have some smarts to deal with this.

        • Re: Netflow design
          michal.hrncirik

          Hi, could you ensure that you have configured only the command 'ip route-cache flow' on all the interfaces of your device and NO OTHER NetFlow commands like 'ip flow ingress' and 'ip flow egress' are applied on them?

          • Re: Netflow design
            michael.almadova@solarwinds.com

            For troubleshooting purposes the rule of thumb is.  If only one interface is being enabled to export Netflow then you would want to have both commands on that one interface ( IP Flow Ingress and IP Flow Egress).  If more than one interface is being enabled to export to export Netflow  then you only need IP Flow Ingress on all interfaces or else data will be doubled. 

              • Re: Netflow design
                fstroud

                Hi Michael,

                Thanks for your response, I was not aware if this rule of thumb.

                Only one interface is used to export in my topology but your response will assist in future more complicated deployments.

                1 of 1 people found this helpful
                • Re: Netflow design
                  igatrinit

                  Could you describe or link me to the basis for this rule?

                    • Re: Netflow design
                      donthomas

                      Let me try with an example. Say you have a router with only one LAN and one WAN interface active and an IP conversation traverses from 10.1.1.1 (in the LAN) to goog.le.com

                       

                      When you enable ip flow ingress on the LAN interface, it captures the IN traffic across the LAN. The NetFlow record for this IP conversation also holds information about the exit interface - which is the WAN in our example. This exit information can be accounted as the OUT traffic of WAN. So, with ip flow ingress on LAN, you capture the IN traffic for LAN and the OUT traffic for WAN.

                       

                      When goog.le.com responds to 10.1.1.1 (in the LAN), this works the other way round. ie. ip flow ingress on the WAN captures IN traffic across the WAN and holds information about the exit interface which is the LAN. So ip flow ingress on WAN captures IN for WAN and OUT for LAN.

                       

                      Combined, ip flow ingress on LAN and WAN captures IN and OUT for LAN and WAN.

                      1 of 1 people found this helpful
                      • Re: Netflow design
                        michael.almadova@solarwinds.com

                        This was suggested from the the Application Engineer from Solarwinds. There is really no link to a any rules list.