Re: Netflow ...

Answered Question
Nov 12th, 2008

Hi,

Would like to confirm for netflow, the IOS lookup tool says that 'ip route-cache flow' has been replaced with 'ip flow ingress'.

When I checked the 'ip flow ingress' command, it says that it sends accounting information for input traffic reaching the interface. If so, do we need to enter the 'ip flow egress' command to monitor the outbound traffic on the interface if one wants to monitor the ingress and egress traffic flow from the interface?

Please advise,

Cheers,

- InternetB -

Correct Answer
Edison Ortiz Wed, 11/12/2008 - 20:56

If so, do we need to enter the 'ip flow egress' command to monitor the outbound traffic on the interface if one wants to monitor the ingress and egress traffic flow from the interface?

Correct.

__

Edison.

Jan Nejman Thu, 11/13/2008 - 01:09

Hello,

I'm not sure about the previous answer. If you want to monitor all traffic that is going through the device, type in "ip flow ingress" on all interfaces. If you enter ingress and egress on all interfaces you will see traffic twice, because one flow will be created when a packet enters the device and another one on the exit.

If you had "ip route-cache flow" on all interfaces, simply replace it with "ip flow ingress" and the result will be the same.

Jan Nejman

Caligare, Co.

http://www.caligare.com

BTW: "ip flow egress" is very useful in special situations (i.e. a device with an IPSEC tunnel: on the "non-encrypted" interface the right solution is to use both (ingress and egress) commands, and on the IPSEC interface there is no flow monitoring configured).

Edison Ortiz Thu, 11/13/2008 - 06:51

If you enter ingress and egress on all interfaces you will see traffic twice, because one flow will be created when a packet enters the device and another one on the exit.

Correct, assuming there is only one entry/exit point. In many circumstances, a packet may enter an interface but not necessarily leave that interface.

In addition, the packet entering the network will have different characteristics from the packet exiting the network (packet size, Layer3-7, among others). You may want to capture those as well.

HTH,

__

Edison.
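
Added example, not part of the original thread: a simplified model of the three setups discussed above (ingress on every interface, ingress and egress on every interface, and both directions on only the non-encrypted interface of an IPSEC device), counting how many flow records each transit flow produces. The interface names and sample flows are constructed, and the accounting rule in the code is an assumption that follows the posts' description rather than IOS internals.

```python
# Assumed model: an interface with "ip flow ingress" accounts packets it
# receives; an interface with "ip flow egress" accounts packets it transmits.

def flow_records(config, traffic):
    """Return {flow_name: number of flow records created on the device}.

    config:  {interface: set of enabled directions ("ingress", "egress")}
    traffic: list of (flow_name, in_interface, out_interface) transit flows
    """
    records = {}
    for flow, in_if, out_if in traffic:
        count = 0
        if "ingress" in config.get(in_if, set()):
            count += 1  # accounted when the packet enters the device
        if "egress" in config.get(out_if, set()):
            count += 1  # accounted again when the packet leaves the device
        records[flow] = count
    return records

# Constructed sample: a two-interface router (hypothetical interface names).
ROUTED = [("lan_to_wan", "Gi0/0", "Gi0/1"),
          ("wan_to_lan", "Gi0/1", "Gi0/0")]

# "ip flow ingress" on all interfaces: every transit flow is seen once.
INGRESS_ONLY = {"Gi0/0": {"ingress"}, "Gi0/1": {"ingress"}}

# Ingress and egress on all interfaces: every transit flow is seen twice.
BOTH_EVERYWHERE = {"Gi0/0": {"ingress", "egress"},
                   "Gi0/1": {"ingress", "egress"}}

# IPSEC case from the thread: both directions on the non-encrypted interface,
# no flow monitoring on the tunnel interface.
TUNNELED = [("lan_to_tunnel", "Gi0/0", "Tunnel0"),
            ("tunnel_to_lan", "Tunnel0", "Gi0/0")]
IPSEC_CASE = {"Gi0/0": {"ingress", "egress"}, "Tunnel0": set()}

if __name__ == "__main__":
    for name, cfg, traffic in [("ingress only", INGRESS_ONLY, ROUTED),
                               ("both everywhere", BOTH_EVERYWHERE, ROUTED),
                               ("ipsec case", IPSEC_CASE, TUNNELED)]:
        print(name, flow_records(cfg, traffic))
```

A collector that sums bytes over all records would report double the real volume in the second setup, which matters when flow data feeds volume-based alerting.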
