Interface bandwidth reporting incorrect

Unanswered Question
Feb 24th, 2010

We currently have Netflow configured on our HQ router and capturing Ingress / Egress Netflow on all interfaces.  We have a 150MB to our DR site.  So data traveling from our servers (internal) to the DR site will be captured twice... (take a 10MB example):

10MB leaves Server -->  6509 -->  10MB Ingress on Inside interface --> 10MB Egress on Outside interface.  Therefore, according to our monitoring software, the Outside interface will show 20MB of traffic.

We use Whatsup Flow Monitor.  When we view the Interface utilization, we will often see the interface way over 100%.  I realize we need to turn off Ingress or Egress strategically to make sure we only use one data stream, but what are other people doing to monitor the interfaces of their devices?

We are using Netflow version 5.  Would version 9 do anything to solve this issue?  Or, with IOS v15 and Flexible Netflow, will this type of scenario be avoided with the use of templates?

Any thoughts will be appreciated.

Thanks

yjdabear Wed, 02/24/2010 - 15:56

Last I heard, the rule of thumb is to pick one direction (ingress or egress) and stick to that for configuring all the interfaces of the entire router, lest the same flow gets counted twice due to mixing ingress-and-egress as you've witnessed. Even then, if one router's all ingress or another all egress, but they both export NetFlow records to the same collector/reporting server, a flow passing through a set of neighbor interfaces on the two routers would still get double-counted. I don't know how NetFlow v9 or Flexi NetFlow resolves this issue without the IOS allowing an interface to be configured with both ingress and egress flow cache simultaneously. That, plus the NetFlow collector/analyzer needs to have the intelligence to deduplicate.

Here's a blog post that seems to suggest some NetFlow reporting sw can resolve this issue alone, working with mixed-direction NetFlow v9 exports. However, I can't ascertain if this software exists yet.

http://www.plixer.com/blog/scrutinizer/netflow-version-9-egress-vs-ingress/
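
Added example, not part of the thread and not code from any vendor or collector: it reproduces the 10MB double count from the question and applies the one-direction rule and a cross-exporter deduplication on the collector side. The record layout, the exporter names, the ifIndex numbers, the addresses and the "sum per exporter, take the maximum across exporters" heuristic are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed records (not real exports). Assumed ifIndex map:
# on "hq" 1 = Inside, 2 = Outside; on "dr" 7 = WAN, 8 = LAN.
def rec(exporter, in_if, out_if, direction, nbytes, src="10.0.0.5", dst="192.0.2.9"):
    return {"exporter": exporter, "src": src, "dst": dst, "in_if": in_if,
            "out_if": out_if, "direction": direction, "bytes": nbytes}

FLOWS = [
    rec("hq", 1, 2, "ingress", 10_000_000),  # flow seen entering Inside
    rec("hq", 1, 2, "egress", 10_000_000),   # same flow seen again leaving Outside
    rec("dr", 7, 8, "ingress", 10_000_000),  # same flow at the neighbor router
]

def interface_bytes(flows, keep_direction=None):
    """Sum bytes per (exporter, ifIndex, 'in'/'out'); optionally keep one flow direction."""
    totals = defaultdict(int)
    for f in flows:
        if keep_direction is not None and f["direction"] != keep_direction:
            continue
        totals[(f["exporter"], f["in_if"], "in")] += f["bytes"]
        totals[(f["exporter"], f["out_if"], "out")] += f["bytes"]
    return dict(totals)

def conversation_bytes(flows, keep_direction="ingress"):
    """Per (src, dst) volume: sum within each exporter, then take the max across exporters."""
    per_exporter = defaultdict(int)
    for f in flows:
        if f["direction"] == keep_direction:
            per_exporter[(f["src"], f["dst"], f["exporter"])] += f["bytes"]
    best = defaultdict(int)
    for (src, dst, _exporter), nbytes in per_exporter.items():
        best[(src, dst)] = max(best[(src, dst)], nbytes)
    return dict(best)

if __name__ == "__main__":
    naive = interface_bytes(FLOWS)
    fixed = interface_bytes(FLOWS, keep_direction="ingress")
    print("hq Outside out, all records :", naive[("hq", 2, "out")])
    print("hq Outside out, ingress only:", fixed[("hq", 2, "out")])
    print("server->DR volume, deduped  :", conversation_bytes(FLOWS))
```

Keying interface totals by exporter keeps the neighbor router's record out of the HQ interface figures; only totals taken across exporters need the second function.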
