
NetFlow configuration

iores
Level 3

Hi,

I am confused with this:

  • If you apply a flow monitor in the input direction:
    • Use the match keyword and use the input interface as a key field.
    • Use the collect keyword and use the output interface as a collect field. This field will be present in the exported records but with a value of 0.

So, it matches the input interface but it collects at output interface. Can someone, please, clarify this?

Accepted Solutions

M02@rt37
VIP

Hello @iores,

When a flow monitor is applied in the input direction on a network device, it is used to collect information about incoming traffic to the device. When configuring the flow monitor, the "match" keyword is used to specify the criteria that incoming traffic must meet in order to be monitored. In this case, the "input interface" is used as a key field, which means that traffic will be monitored based on the interface on which it is received.

The "collect" keyword is used to specify the fields that will be included in the exported flow records. In this case, the "output interface" is specified as a collect field. This means that information about the output interface (i.e. the interface on which the traffic will be forwarded) will be included in the flow records, even though the traffic has not yet been forwarded. However, the value of the output interface field in the flow records will be 0 since the traffic has not yet been forwarded.

To summarize, when a flow monitor is applied in the input direction with the "input interface" specified as a key field and the "output interface" specified as a collect field, it will monitor incoming traffic based on the interface on which it is received and include information about the output interface in the flow records, even though the traffic has not yet been forwarded.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 That makes sense, thanks. One more thing.

Would you measure ingress or egress traffic (or both) on a WAN interface? I have read that the general recommendation is to measure ingress only, but this will give us only traffic from WAN to LAN, right?

What if I want to measure traffic from LAN to WAN, should I apply the flow monitor on the same interface but in egress direction?

@iores,

The decision to measure ingress or egress traffic (or both) on a WAN interface depends on what you are trying to achieve with the monitoring. If you're monitoring traffic on a WAN interface to gain insight into the traffic that is entering your network from the WAN, then measuring ingress traffic would be appropriate. In this case, you would apply the flow monitor to the WAN interface in the ingress direction.

However, if you are also interested in measuring traffic that is leaving your network and going out to the WAN, then you would need to measure egress traffic as well. In this case, you would apply the flow monitor to the WAN interface in both the ingress and egress directions.

To measure traffic from LAN to WAN, you would apply the flow monitor on the LAN interface in the egress direction. This will capture traffic as it leaves the LAN and enters the WAN.

It's important to note that measuring traffic in both directions can increase the load on the network device, so it's recommended to use caution when monitoring egress traffic to ensure that it doesn't impact network performance. Additionally, when monitoring both ingress and egress traffic, it's important to ensure that the flow records are correlated properly to avoid any confusion in data analysis.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 

I am not sure I understood you correctly. In order to monitor traffic going from to the WAN, should the flow monitor be applied egress on a WAN interface or on a LAN interface?

M02@rt37 Please see this example. Would this be correct to measure download and upload traffic?

@iores,

Yes, it seems to be correct. To measure download and upload traffic using a flow monitor, you would typically apply the flow monitor to both the ingress and egress interfaces of the device you want to monitor.

In the example he still uses "the same record & exporter for simplicity but you can use different record in different monitor": that's right!

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
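
How a collector can separate download from upload when a flow monitor is applied in both directions on the WAN interface, shown as an added example that is not part of the original thread. The record layout, field names, addresses and ifIndex values are assumptions constructed for illustration; the output interface value of 0 in input-direction records follows the documentation quoted in the question.

```python
from collections import defaultdict

WAN_IF = 2  # assumed ifIndex of the WAN interface (constructed value)

# Constructed records in a hypothetical decoded form; "direction" is the
# direction in which the monitor that produced the record was applied.
RECORDS = [
    # WAN input monitor: input interface is the key, output interface is 0
    {"src": "203.0.113.5", "dst": "10.0.0.20", "in_if": 2, "out_if": 0,
     "direction": "input", "bytes": 9000},
    {"src": "198.51.100.7", "dst": "10.0.0.21", "in_if": 2, "out_if": 0,
     "direction": "input", "bytes": 4000},
    # WAN output monitor: output interface identifies the WAN link
    {"src": "10.0.0.20", "dst": "203.0.113.5", "in_if": 1, "out_if": 2,
     "direction": "output", "bytes": 1200},
    {"src": "10.0.0.21", "dst": "198.51.100.7", "in_if": 1, "out_if": 2,
     "direction": "output", "bytes": 70000},
    # LAN input monitor seeing the same upload: output interface is 0,
    # so this record alone cannot be tied to the WAN link
    {"src": "10.0.0.21", "dst": "198.51.100.7", "in_if": 1, "out_if": 0,
     "direction": "input", "bytes": 70000},
]


def classify(rec, wan_if=WAN_IF):
    """Return 'download', 'upload' or 'unclassified' for one flow record."""
    if rec["direction"] == "input" and rec["in_if"] == wan_if:
        return "download"      # arrived on the WAN interface
    if rec["direction"] == "output" and rec["out_if"] == wan_if:
        return "upload"        # left through the WAN interface
    return "unclassified"      # e.g. an input record with out_if == 0


def wan_usage(records, wan_if=WAN_IF):
    """Sum bytes per class and per internal host from WAN-tied records."""
    totals = defaultdict(int)
    per_host = defaultdict(lambda: {"download": 0, "upload": 0})
    for rec in records:
        kind = classify(rec, wan_if)
        totals[kind] += rec["bytes"]
        if kind == "download":
            per_host[rec["dst"]]["download"] += rec["bytes"]
        elif kind == "upload":
            per_host[rec["src"]]["upload"] += rec["bytes"]
    return dict(totals), dict(per_host)


if __name__ == "__main__":
    print(wan_usage(RECORDS))
```

Keeping the LAN input record out of the upload total avoids counting the same 70000-byte flow twice, and the per-host upload figure gives a baseline for spotting unusually large outbound transfers.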