NetFlow on All Interfaces

ahamadfaiz
Level 1

Hi All,

We are using ManageEngine NetFlow Analyzer to monitor our network traffic.

We have a few VLAN interfaces on the switch where we have enabled flow-export ingress and egress. We can see traffic that is passing between the VLANs on which flow-export has been configured. However, we have one interface that is connected to remote locations. We have not enabled flow-export on this interface. The idea was that, we have enabled ingress and egress flow-export, and the remote locations connect to VLANs where flow-export is already enabled, we must get all traffic from there. But we cannot see traffic from the remote locations, but we can see traffic from inside network to remote locations.

After checking ManageEngine documentation, I see that we have to enable NetFlow on all interfaces to get an accurate report. Can anyone let me know why this is required? We already have ingress and egress flow-export, and we must be getting all traffic. Please suggest.

Thanks in advance,

Faiz


jakewilson
Level 1

Hello Faiz,

As you probably know, NetFlow by default is only collected ingress. The ingress flows collected on all interfaces are used to display the outbound traffic on a selected interface. I don't know about ManageEngine but, in some NetFlow solutions, interfaces without NetFlow/IPFIX enabled will not be displayed regardless of whether or not flows are going out of it.

Regarding ingress/egress being enabled on the same interface.  If you are using flexible NetFlow to configure the export, make sure the "flow direction" is exported in the template. The commands to export both look like this:

ip flow monitor andrew-mon input

ip flow monitor andrew-mon output

Here is a good article on enabling ingress and egress NetFlow. Realize that just because you export both ingress and egress on a single interface and you export the direction, this doesn't mean the NetFlow solution will report on the data with a behavior that you would expect. 

Ingress and egress flows are exported at the same time with only one difference "flow direction".  For this reason, this element must be included in the template to ensure that utilization isn't overstated in the flow report.  Again, this of course depends on your reporting solution.  

Many vendors can't deal with a mixture of ingress and egress flows being enabled in a seemingly random fashion on the same device.  In other words, they expect all ingress or all egress.  Only a few vendors can handle a hybrid approach.

I hope this helps. 

Jake
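The following is an added example, not part of Jake's reply and not a description of how ManageEngine or any particular collector works. It is a simplified model of a collector's per-interface accounting, showing why ingress-only reporting misses traffic entering on an unmonitored interface and why mixing ingress and egress records overstates utilization unless the flow direction field is used. The interface names and byte counts are constructed.

```python
from collections import defaultdict

INGRESS, EGRESS = 0, 1  # values of the NetFlow v9 / IPFIX flowDirection field (element 61)

# Constructed traffic: (input interface, output interface, bytes)
TRAFFIC = [("Vlan10", "Vlan20", 100), ("Vlan10", "WAN", 200), ("WAN", "Vlan10", 300)]

def export(traffic, ingress_on, egress_on):
    """Records a switch would export, given where each monitor is applied."""
    records = []
    for in_if, out_if, nbytes in traffic:
        if in_if in ingress_on:
            records.append({"in": in_if, "out": out_if, "bytes": nbytes, "dir": INGRESS})
        if out_if in egress_on:
            records.append({"in": in_if, "out": out_if, "bytes": nbytes, "dir": EGRESS})
    return records

def utilization(records, mode):
    """Per-interface byte counts under three hypothetical collector behaviours:
    'ingress_only'    ignores egress records,
    'naive'           counts every record and ignores direction,
    'direction_aware' uses an egress record only when no ingress monitor
                      already reported the same traffic."""
    ingress_ifs = {r["in"] for r in records if r["dir"] == INGRESS}
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        if r["dir"] == EGRESS:
            if mode == "ingress_only":
                continue
            if mode == "direction_aware" and r["in"] in ingress_ifs:
                continue  # same packets already reported on ingress
        totals[r["in"]]["in"] += r["bytes"]
        totals[r["out"]]["out"] += r["bytes"]
    return {name: dict(counts) for name, counts in totals.items()}

vlans = {"Vlan10", "Vlan20"}
everywhere = vlans | {"WAN"}
# The setup from the question: both directions on the VLANs, nothing on WAN.
hybrid = export(TRAFFIC, ingress_on=vlans, egress_on=vlans)
# The documented recommendation: ingress on every interface.
all_ingress = export(TRAFFIC, ingress_on=everywhere, egress_on=set())

if __name__ == "__main__":
    for mode in ("ingress_only", "naive", "direction_aware"):
        print(mode, utilization(hybrid, mode))
    print("ingress on all interfaces", utilization(all_ingress, "ingress_only"))
```

In this model the ingress-only view of the hybrid export shows no inbound traffic on WAN, the naive view doubles the Vlan10 to Vlan20 traffic, and the direction-aware view matches what ingress on every interface reports.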

Hi Jake,

Thank you for the reply.

Well, I do not have much expertise on switches. So, I did not completely understand the explanation in the provided link.

From the explanation I understand that the configuration is for flexible NetFlow. We have currently enabled flow export on the interfaces that we are interested in. Do we need to change that and enable NBAR?

Regards,

Faiz
