Egress accounting isn't supported for unicast flows at this moment on the 6500, only for multicast flows.
Thanks for the reply...
If traffic from a user VLAN on the 6509 is destined to some remote site, it passes via VLAN 9 on the same 6509, since it is the only way to get outside. Isn't this considered ingress, so NetFlow should be reported?
That's considered egress.
VLAN 9 is connected to your ASA, and only traffic sent from the ASA to that VLAN will be captured.
Traffic sent to the ASA is considered to be in the egress direction from that VLAN.
With your design, you are capturing traffic as it enters VLAN 10 (your server VLAN), so you are not missing anything, right?
Thanks for the reply,
I have been seeing lots of NetFlow for VLAN 10 (server VLAN). I will have to double-check the reports to confirm whether the information is uni- or bidirectional.
The thing I am missing is NetFlow for traffic from other user VLANs on the 6509 going to remote sites. We would like to include this information in our security reports.
Thanks for the reply,
I will configure ip flow ingress on these VLANs and send some test traffic to a remote site; I hope I will get the required output. I will post the results tomorrow.
Thanks a lot.
After configuring those VLANs with ip flow ingress, I was able to get NetFlow for traffic leaving the user VLAN. But I would like to understand the concept here. Isn't this traffic considered egress (since it exits the user VLAN), so it shouldn't be reported?
I asked the admin of the router at the remote site to enable NetFlow on his router (7206VXR) to capture ingress NetFlow statistics for traffic coming out of the 6509's server VLAN (10) at my site, and to forward them to the NetFlow collector I am using. I wanted to compare the results with what the 6509 is reporting.
The 6509 and the remote 7206 router reported roughly the same volume of traffic leaving Server A in the server VLAN (10) and entering remote Server B via the 7206 router. But the graphical presentation of the output (see attachment) was quite different. It seems that sampling is higher on the 7206 and lower on the 6509, since the total bytes transferred seem to be added up (y axis: 14 MB vs 440 MB) in the 6509 output. Isn't that right?
Applying 'ip flow ingress' on the user VLAN will capture traffic coming from the users.
Think of a VLAN as a physical port connected to a user machine. Traffic from the user machine will be treated as ingress, while traffic going to the user machine will be treated as egress.
You think the traffic is leaving the VLAN, but actually it is traffic entering the VLAN.
Sorry, I don't have an answer to the 2nd question. They should report the same statistics unless traffic is being dropped.
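Putting the direction rule above into a configuration, as an added example that is not from the thread, from Cisco, or from either poster: ingress on an SVI covers packets sourced by hosts in that VLAN as they enter the switch, so every VLAN whose hosts' outbound traffic should appear in the reports gets 'ip flow ingress'. The collector address and port, the Loopback0 export source, the user VLAN number 20, the 7206's WAN interface name and the shortened aging/active timers are assumptions chosen for illustration; VLAN 9 and VLAN 10 and the two platforms are taken from the thread.

```cisco
! Added example (not from the thread): NetFlow on a Catalyst 6500 (Sup720/PFC3,
! 12.2SX) for traffic originating in the user and server VLANs, exported to a
! collector. Collector address/port, Loopback0, VLAN 20 and the timer values
! are assumptions for illustration.
!
! --- 6509 ---
mls netflow
! Full-interface flow mask: records carry source and destination ifIndex, which
! is what lets the collector attribute a flow to a VLAN.
mls flow ip interface-full
mls nde sender version 5
mls nde interface
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 192.0.2.50 2055
!
! Ingress on an SVI = packets from hosts in that VLAN entering the switch.
! Enabling it on each user VLAN captures user-to-remote-site traffic.
! Egress accounting for unicast is not available on this platform (see the
! first reply in the thread), so there is no 'ip flow egress' here.
interface Vlan10
 description Server VLAN
 ip flow ingress
!
interface Vlan20
 description User VLAN (assumed VLAN number)
 ip flow ingress
!
! VLAN 9 faces the ASA. Ingress here captures traffic arriving from the ASA
! toward the inside, i.e. the return direction of the same conversations.
interface Vlan9
 description Transit to ASA
 ip flow ingress
!
! Long-lived flows are exported in pieces at the long aging interval
! (default 1920 s, range 64-1920). This only controls how finely a continuous
! transfer is chopped into records; whether it explains the graph difference
! discussed in the thread is not established, it is the knob to check.
mls aging long 300
!
! --- remote 7206VXR, for a like-for-like comparison (assumed interface) ---
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 192.0.2.50 2055
! Active timeout in minutes (default 30). Align with the 6509's long aging
! before comparing the two exporters' per-interval graphs.
ip flow-cache timeout active 5
!
interface Serial1/0
 description WAN toward the 6509 site
 ! On older IOS the equivalent command is 'ip route-cache flow'.
 ip flow ingress
```

With both exporters pointed at the same collector and their export timers aligned, the per-interval byte counts for Server A to Server B should be comparable; 'show mls nde' and 'show ip cache flow' on the respective devices show whether records are actually being exported.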
Thanks for the explanation.
As for the second question, I feel it might be that the 7206 router sends NetFlow at a much faster rate than the 6509, thus explaining the low MBs transferred per interval and the more frequent reporting (almost every minute); or flows are larger on the 6500 but are segmented once they reach the 7206; or it might be a NetFlow application software thing. I will check it out with the Solarwinds people.