Re: Netflow ...

Answered Question
Nov 12th, 2008
User Badges:

Hi,

Would like to confirm for netflow, the IOS lookup tool says that 'ip route-cache flow' has been replaced with 'ip flow ingress'.

When I checked the 'ip flow ingress' command, it says that it sends accounting information for input traffic

reaching the interface. If so, do we need to enter the 'ip flow egress' command to monitor the outbound traffic on the inteface if one wants to monitor the ingress and egress traffic flow from the interface ?


Pls advice,


Cheers,

- InternetB -

Correct Answer by Edison Ortiz about 8 years 7 months ago

If so, do we need to enter the 'ip flow egress' command to monitor the outbound traffic on the inteface if one wants to monitor the ingress and egress traffic flow from the interface ?


Correct.


__


Edison.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Edison Ortiz Wed, 11/12/2008 - 20:56
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

If so, do we need to enter the 'ip flow egress' command to monitor the outbound traffic on the inteface if one wants to monitor the ingress and egress traffic flow from the interface ?


Correct.


__


Edison.

Jan Nejman Thu, 11/13/2008 - 01:09
User Badges:
  • Bronze, 100 points or more

Hello,


I'm not sure with previos answer. If you want to monitor all traffic that is going throught the device, type in "ip flow ingesss" on all interfaces. If you enter ingress and egress on all interfaces you will see traffic twice, because one flow will be created when packet enter the device and another one on the exit.


If you was "ip route-cache flow" on all interfaces, simply replace it with "ip flow ingress" and result will be the same.


Jan Nejman

Caligare, Co.

http://www.caligare.com


BTW: "ip flow egress" is very useful in special situations (i.e. device with IPSEC tunnel - on "non-encrypted" interface is the right solution use both (ingress and egress) commands and on IPSEC interface there is not flow monitoring configured).

Edison Ortiz Thu, 11/13/2008 - 06:51
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

If you enter ingress and egress on all interfaces you will see traffic twice, because one flow will be created when packet enter the device and another one on the exit.



Correct, assuming there is only one entry/exit point. In many circumstances, a packet may enter an interface but not necessarily leave that interface.


In addition, the packet entering the network will have different characteristics from the packet exiting the network (packet size, Layer3-7, among others). You may want to capture those as well.



HTH,


__


Edison.

Actions

This Discussion