Sunday Buzz: Google the Evil Genius (by Denny K Miu)
A Job in 2010: What Are the Odds? (by Paul W. Smith)

Ingress or Egress NetFlow Analysis (by Michael Patterson)

Michael_pattersonLogo_plixerAuthor Profile - Michael Patterson is currently the Product Manager of Scrutinizer NetFlow and sFlow Analyzer at Plixer International. Prior to Plixer Michael worked for Cabletron Systems as the Director for outsourced network management.


IngressFlow

Ingress or Egress, That is the Question

Are you considering a NetFlow export configuration with egress flows? Do you know why you would or wouldn’t want to export egress flows?

Most of us are exporting NetFlow v5 which only supports ingress flows. This means that traffic coming in on an interface is monitored and exported in NetFlow datagrams. What about traffic going out an interface? It isn’t monitored in NetFlow v5. Most NetFlow vendors look at where an ingress flow is headed by looking at the destination interface. Using this information, we can determine outbound utilization on any given interface as long as AND THIS IS IMPORTANT, you enable NetFlow v5 on all interfaces of the switch or router.

Lets say you only enable NetFlow on interfaces 1 and 2 of a three interface router.  Traffic coming in on interface 3 that is destined for interface 1 or 2 will be missing when the NetFlow Analyzer calculates outbound utilization on these interfaces. In short, when using NetFlow v5 or v9 (ingress only flows) enable NetFlow on all interfaces as outbound utilization on any given interface is calculated by using ingress flows from the other interfaces. Pretty much all NetFlow reporting tools operate this way.


Why enable Egress?

NetFlow v9 supports ingress and egress NetFlow.  In most installations, ingress flows enabled on all the interfaces of the switch or router will deliver on the information we need. Here are a few reasons to use Egress Flows:

  • In WAN compression environments (e.g. Cisco WAAS, Riverbed, etc.), we need to see traffic after it was compressed.  Using Ingress flows causes an over stated outbound utilization on the WAN interface.  Egress flows are calculated after compression.

  • In multicast environments, ingress multicast flows have a destination interface of 0 because the router doesn’t know what interface they will go out until after it processes the datagrams.  Exporting egress flows delivers the destination interface and as a result multiple flows are exported if the flow is headed for multiple interfaces.

  • When exporting NetFlow on only one interface of the router or switch.  Enabling both on a single interface means that all traffic in and out is exported in NetFlow datagrams.

A good NetFlow Analyzer should look for egress flows before calculating outbound utilization. If it finds egress flows for the interface, it should use them.  If it doesn’t find egress flows, it should calculate outbound utilization using ingress flows from the other interfaces.


Enabling Ingress and Egress

Here are the commands to configure a Cisco router for both ingress and egress flows:

Router > enable
Router#: configure terminal
! send NetFlow off to the collector – Scrutinizer
Router(config)# ip flow-export destination 10.1.1.1
! lets send NetFlow off to a 2nd collector
Router(config)# ip flow-export destination 10.1.1.2
! You have to setup Flexible NetFlow to export to more than two destinations
! Lets export NetFlow v9 as NetFlow v5 doesn’t support egress NetFlows

Router(config)# ip flow-export version 9
! summarize and export long lived flows every minute
Router(config)# ip flow-cache timeout active 1
! export flows that are idle 15 seconds or more
Router(config)# ip flow-cache timeout inactive 15
! export the NetFlow data from the configured loopback interface.
Router(config)# ip flow-export source loopback 0
! lets go enable NetFlow on each interface we want NetFlow from
! lets configure the first interface

Router(config)# interface Ethernet 0/0
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit
! change to a different interface
Router(config)# interface Ethernet 0/1
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit
! commit the above to memory if you want to keep the configuration


Learn more about NetFlow data export from the Cisco web site. If you don’t have Cisco gear, you may find how to enable NetFlow or sFlow on your hardware from the Plixer site.


Ingress, Egress or Both

Using the Cisco CLI you can type in the following command to see if egress vs. ingress flows are enabled.

NetflowAccounting


The NetFlow reporting tool should tell you if ingress, egress or both are enabled on an interface:

NetflowReporting

The above helps confirm the intended configuration.


Watch out for Direction

We can determine Direction because NetFlow v9 exports a Direction field by default and it tells us if it is an ingress or egress flow. In Flexible NetFlow which is based on NetFlow v9, the Direction is not exported by default.  This is pointed out in our blog on egress NetFlow with NBAR

If the NetFlow analysis tool doesn’t properly deal with ingress and egress flows, overstatement of utilization and throughput occur.


Bidirectional Flows

Although I’ve only seen this working on the Cisco ASA, birdirectional flows are interesting. In traditional NetFlow, a flow from A -> B will generally create a second flow from from B -> A. With Bidirectional NetFlow, since A -> B created started the conversation a single flow is entered in the router cache. When B -> A, the bytes are added to the A -> B flow and a 2nd entry is not created.


Summary

Ingress and Egress NetFlow exports have their purpose. In most cases, ingress NetFlow is all we need. If you need a NetFlow Analyzer that supports both, download Scrutinizer here.


Logo_plixer

Comments