2 Replies Latest reply on Apr 14, 2015 2:16 AM by donthomas

    I'm just starting to set up NTA for the first time. Should I enable ingress and egress flows on the monitored interfaces?

    morcowbel293

      We had a third party monitoring our network at some point in the past and it looks like NetFlow was enabled and exporting to their server. On the interfaces I only see "ip flow ingress". Should I apply "ip flow egress" as well to capture all traffic?

        • Re: I'm just starting to set up NTA for the first time. Should I enable ingress and egress flows on the monitored interfaces?
          Steven Klassen

          This goes back to NTA's original design that operated like firewall rules. If you wanted to get a complete picture of traffic in and out you'd put a rule on your serial (Internet-facing) interface inbound and another on your FastEthernet (LAN-facing) interface outbound. So NTA originally only had one command: 'ip route-cache flow' which was later aliased to 'ip flow ingress'. Fast forward to now - you can have both on one interface and call it a day. So if you know that all your interesting traffic flows through a single interface on your device at that position in the network, you can slap both 'ip flow ingress' and 'ip flow egress' on that same interface and call it a day.

          Make sure you adjust the drop-down when you're looking at your NTA views. They let you change from Ingress to Egress to Both.

          1 of 1 people found this helpful
          • Re: I'm just starting to set up NTA for the first time. Should I enable ingress and egress flows on the monitored interfaces?
            donthomas

            This was discussed in another thread here, but below is the summary:

            Say you have a router with only one LAN and one WAN interface active and an IP conversation traverses from 10.1.1.1 (in the LAN) to goog.le.com.

            When you enable ip flow ingress on the LAN interface, it captures the IN traffic across the LAN. The NetFlow record for this IP conversation also holds information about the exit interface - which is the WAN in our example. This exit information can be accounted as the OUT traffic of WAN. So, with ip flow ingress on LAN, you capture the IN traffic for LAN and the OUT traffic for WAN.

            When goog.le.com responds to 10.1.1.1 (in the LAN), this works the other way round, i.e., ip flow ingress on the WAN captures IN traffic across the WAN and holds information about the exit interface which is the LAN. So ip flow ingress on WAN captures IN for WAN and OUT for LAN.

            Combined, ip flow ingress on LAN and WAN captures IN and OUT for LAN and WAN.

            1 of 1 people found this helpful
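
The accounting described in the last reply, as an added example that is not part of the original thread: it derives per-interface IN and OUT totals from ingress-captured flow records only, and reports which directions go unseen when ingress capture is missing on one interface. The record field names, the byte counts and the external address 203.0.113.10 are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records for one conversation through a two-interface router.
# Field names are illustrative, not a real NetFlow library's schema.
FLOWS = [
    # 10.1.1.1 -> external host: enters on LAN, exits on WAN
    {"src": "10.1.1.1", "dst": "203.0.113.10",
     "input_if": "LAN", "output_if": "WAN", "bytes": 1200},
    # reply from the external host: enters on WAN, exits on LAN
    {"src": "203.0.113.10", "dst": "10.1.1.1",
     "input_if": "WAN", "output_if": "LAN", "bytes": 48000},
]


def account(flows, ingress_enabled):
    """Per-interface IN/OUT byte totals using ingress capture only.

    A flow is exported only if its entry interface has ingress capture
    enabled. Its bytes count as IN for the entry interface and, via the
    exit-interface field of the record, as OUT for the exit interface.
    """
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for flow in flows:
        if flow["input_if"] not in ingress_enabled:
            continue  # nothing captured this flow on the way in
        totals[flow["input_if"]]["in"] += flow["bytes"]
        totals[flow["output_if"]]["out"] += flow["bytes"]
    return {name: dict(counts) for name, counts in totals.items()}


def missing_directions(totals, interfaces):
    """List (interface, direction) pairs for which no traffic was accounted."""
    empty = {"in": 0, "out": 0}
    return sorted(
        (name, direction)
        for name in interfaces
        for direction in ("in", "out")
        if totals.get(name, empty)[direction] == 0
    )


if __name__ == "__main__":
    for enabled in ({"LAN"}, {"LAN", "WAN"}):
        totals = account(FLOWS, enabled)
        print(sorted(enabled), totals,
              "missing:", missing_directions(totals, ["LAN", "WAN"]))
```

With ingress on the LAN interface alone, the reply traffic (WAN in, LAN out) never appears; adding ingress on the WAN interface fills both gaps without any egress capture.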