Flexible Netflow and ingress vs. egress monitoring

Venison Mogambi
Level 1

I've been playing around with Flexible Netflow and I'm confused about the ingress vs. egress direction when configuring flow monitors. I set up an output monitor like this:

flow monitor Monitor_Customer_Traffic
 record netflow ipv4 original-output

So the "output" at the end of that indicates that egress traffic should be captured, correct?
But then when I go to apply it to an interface, I get both an input and output option:

R1(config-subif)#ip flow monitor Monitor_Customer_Traffic ?
  input      Apply Flow Monitor on input traffic
  multicast  Apply Flow Monitor on multicast traffic
  output     Apply Flow Monitor on output traffic

So what's the difference between specifying an output flow when configuring the monitor and specifying output direction when applying the flow monitor to the interface? And what happens if I specify output when I configure the monitor but then apply it to the interface inbound?

Any feedback is appreciated.

1 Reply

Mark Malone
VIP Alumni
I believe when you use that, it just aggregates all the commands, so it will include, say, all the below, but you still need to state the direction under the ip interface to collect it, but it will collect all the below with just that one command for egress.

NetFlow IPv4 Original Output Predefined Record


The Flexible NetFlow "NetFlow IPv4 original output" predefined record is used to emulate the original NetFlow Egress NetFlow Accounting feature that was released in Cisco IOS Release 12.3(11)T. The key and nonkey fields and the counters for the Flexible NetFlow "NetFlow IPv4 original output" predefined record are shown in the table below.


Table 2 Key and Nonkey Fields Used by the Flexible NetFlow NetFlow IPv4 Original Output Predefined Record



| Field | Key or Nonkey Field | Definition |
|---|---|---|
| IP ToS | Key | Value in the ToS field. |
| IP Protocol | Key | Value in the IP protocol field. |
| IP Source Address | Key | IP source address. |
| IP Destination Address | Key | IP destination address. |
| Transport Source Port | Key | Value of the transport layer source port field. |
| Transport Destination Port | Key | Value of the transport layer destination port field. |
| Interface Output | Key | Interface on which the traffic is transmitted. |
| Flow Sampler ID | Key | ID number of the flow sampler (if flow sampling is enabled). |
| IP Source AS | Nonkey | Source autonomous system number. |
| IP Destination AS | Nonkey | Destination autonomous system number. |
| IP Next Hop Address | Nonkey | IP address of the next hop. |
| IP Source Mask | Nonkey | Mask for the IP source address. |
| IP Destination Mask | Nonkey | Mask for the IP destination address. |
| TCP Flags | Nonkey | Value in the TCP flag field. |
| Interface Input | Nonkey | Interface on which the traffic is received. |
| Counter Bytes | Nonkey | Number of bytes seen in the flow. |
| Counter Packets | Nonkey | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Nonkey | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Nonkey | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |
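
The key/nonkey split in the table above, shown as an added example that is not part of the original thread and is not Cisco's implementation: a simplified Python model of a flow cache in which only the key fields decide which cache entry a packet updates. The packet values, interface names and the `build_flow_cache` helper are constructed for illustration, and packets are assumed to arrive in time order.

```python
from collections import namedtuple

# Key fields from the table: packets that agree on all of them share one cache entry.
KEY_FIELDS = ("tos", "protocol", "src", "dst", "sport", "dport", "if_output", "sampler_id")

# Hypothetical packet model: the key fields plus the per-packet values that feed nonkey fields.
Packet = namedtuple("Packet", KEY_FIELDS + ("if_input", "tcp_flags", "length", "uptime_ms"))

def build_flow_cache(packets):
    """Group packets into flows by key fields and accumulate the nonkey fields."""
    cache = {}
    for p in packets:
        key = tuple(getattr(p, f) for f in KEY_FIELDS)
        flow = cache.get(key)
        if flow is None:
            # Assumption of this model: the input interface is recorded from the first packet.
            flow = cache[key] = {"if_input": p.if_input, "tcp_flags": 0, "bytes": 0,
                                 "packets": 0, "first_ms": p.uptime_ms, "last_ms": p.uptime_ms}
        flow["tcp_flags"] |= p.tcp_flags   # cumulative OR of the flags seen in the flow
        flow["bytes"] += p.length          # Counter Bytes
        flow["packets"] += 1               # Counter Packets
        flow["last_ms"] = p.uptime_ms      # Time Stamp System Uptime Last
    return cache

# Constructed sample traffic (documentation addresses, hypothetical interface names).
SAMPLE = [
    Packet(0, 6, "192.0.2.10", "198.51.100.5", 51000, 443, "Gi0/1", 0, "Gi0/0", 0x02, 60, 1000),
    Packet(0, 6, "192.0.2.10", "198.51.100.5", 51000, 443, "Gi0/1", 0, "Gi0/0", 0x18, 1500, 1040),
    # Same 5-tuple but transmitted on a different interface: output interface is a key,
    # so this packet creates a separate flow.
    Packet(0, 6, "192.0.2.10", "198.51.100.5", 51000, 443, "Gi0/2", 0, "Gi0/0", 0x10, 40, 1100),
    # Only the input interface differs: it is nonkey, so this packet joins the first flow.
    Packet(0, 6, "192.0.2.10", "198.51.100.5", 51000, 443, "Gi0/1", 0, "Gi0/3", 0x11, 52, 1200),
]

if __name__ == "__main__":
    for key, flow in build_flow_cache(SAMPLE).items():
        print(dict(zip(KEY_FIELDS, key)), flow)
```
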
