We currently have Netflow configured on our HQ router and capturing Ingress / Egress Netflow on all interfaces. We have a 150MB to our DR site. So data traveling from our servers (internal) to the DR site will be captured twice... (take a 10MB example):
10MB leaves Server --> 6509 --> 10MB Ingress on Inside interface --> 10MB Egress on Outside interface. Therefore, according to our monitoring software, the Outside interface will show 20MB of traffic.
We use Whatsup Flow Monitor. When we view the Interface utilization, we will often see the interface way over 100%. I realize we need to turn off Ingress or Egress strategically to make sure we only use one data stream, but what are other people doing to monitor the interfaces of their devices?
We are using Netflow version 5. Would version 9 do anything to solve this isse? Or, with IOS v15 and Flexible Netflow, will this type of scenario be avoided with the use of templates?
Last I hear, the rule of thumb is to pick one direction (ingress or egress) and stick to that for configuring all the interfaces of the entire router, lest the same flow gets counted twice due to mixing ingress-and-egress as you've witnessed. Even then, if one router's all ingress or another all egress, but they both export NetFlow records to the same collector/reporting server, a flow passing through a set of neighbor interfaces on the two routers would still get double-counted. I don't know how NetFlow v9 or Flexi NetFlow resolves this issue without the IOS allowing an interface to be configured with both ingress and egress flow cache simultaneously. That, plus the NetFlow collector/analyzer needs to have the intelligence to deduplicate.
Here's a blog post that seems to suggest some NetFlow reporting sw can resolve this issue alone, working with mixed-direction NetFlow v9 exports. However, I can't ascertain if this software exists yet.
[toc:faq]The ProblemOn traditional switches whenever we have a trunk
interface we use the VLAN tag to demultiplex the VLANs. The switch needs
to determine which MAC Address table to look in for a forwarding
decision. To do this we require the switch to do...
[toc:faq]Introduction:Netdr is a tool available on a RSP720, Sup720 or
Sup32 that allows one to capture packets on the RP or SP inband. The
netdr command can be used to capture both Tx and Rx packets in the
software switching path. This is not a substitut...
IntroductionOSPF, being a link-state protocol, allows for every router
in the network to know of every link and OSPF speaker in the entire
network. From this picture each router independently runs the Shortest
Path First (SPF) algorithm to determine the b...