08-22-2016 07:11 PM - edited 03-08-2019 07:06 AM
Hello, I have a 1921 router which receives multicast traffic.
I am configuring Netflow on it. I understand I should be using the command 'ip flow monitor myMonitor output' on each interface rather than the 'input' variation of that command?
Also, this router has three sub-interfaces linking up a switch and one WAN port. If I was using 'ip flow monitor myMonitor output' and was only interested in Netflow traffic to/from the WAN link, would I only need to put it on the WAN interface?
Thank you kindly for any clarification.
08-23-2016 12:58 AM
Also, this router has three sub-interfaces linking up a switch and one WAN port. If I was using 'ip flow monitor myMonitor output' and was only interested in Netflow traffic to/from the WAN link, would I only need to put it on the WAN interface?
It can be used in both directions. We monitor all of our traffic in and out of certain VLANs:
interface Vlan159
 ip address x.x.x.x 255.255.254.0
 ip flow monitor nq input
 ip flow monitor nq output
Also, this router has three sub-interfaces linking up a switch and one WAN port. If I was using 'ip flow monitor myMonitor output' and was only interested in Netflow traffic to/from the WAN link, would I only need to put it on the WAN interface?
If you only want it to collect on the WAN interface, only apply it to that IP interface, whether sub or physical; it will only collect where it's applied.
08-23-2016 01:36 AM
Hello Mark, thanks for your reply.
It is just from all my reading that I thought putting both the input and output command on an interface would cause a doubling up of flow information, which therefore gives a false reading.
I thought that if you only used the input command on all interfaces, then that would calculate the output flows.
I am just wondering why you needed to include both 'ip flow monitor nq input' and 'ip flow monitor nq output' on your VLAN interface?
Thank you kindly.
08-23-2016 02:42 AM
Hello, I will reply to a few of your comments:
Q1: I thought putting both the input and output command on an interface would cause a doubling up of flow information which therefore gives a false reading
A1: Correct, it does. However, flows are exported with a direction element (indicator): 0 = ingress metered and 1 = egress metered. Your flow collection/reporting solution should use these when reporting to ensure it doesn't overstate utilization. So again: yes, exporting both input and output does cause double the flow volume to be exported from the router, but if you have a good reporting solution, it will use the direction element and avoid overstating utilization.
Q2: if you only used the input command on all interfaces then that would calculate the output flows
A2: Correct. However, multicast flows that are metered ingress (i.e. inbound) have a destination (i.e. egress) interface of 0. I was told that this is because the router hasn't figured out where to send them yet. As a result, unlike ingress metered unicast flows, which do have a destination interface, multicast ingress metered flows will NOT show up when displaying outbound utilization on other interfaces. To fix this, export egress metered flows. Don't worry about overstating utilization, because of what I wrote in A1.
Q3: why you needed to include both 'ip flow monitor nq input' and 'ip flow monitor nq output' on your vlan interface?
A3: You don't need to. You could just export egress (output) metered flows and fix the issue. Sometimes it is wise to export both ingress (input) and egress (output) metered flows to gain insight:
More questions? You might want to read this blog: https://www.plixer.com/blog/netflow/multicast-netflow-exports-with-flexible-netflow/
Call us if you need help.
Mike
08-23-2016 01:22 PM
Thanks guys, this has really cleared it up for me nicely. So just to confirm, in my situation I have a multicast router on the WAN interface and three sub-interfaces connecting to my LAN switch.
I will be receiving multicast traffic from the WAN interface feeding into my LAN.
So, I am enabling 'ip flow monitor nq input' on all of the router interfaces.
Additionally, on the router's WAN interface, I am enabling 'ip flow monitor nq output' in order to collect flow information for the multicast traffic coming from the WAN destined for my LAN clients.
Is that what you would recommend?
Thank you kindly for the assistance.
08-23-2016 01:37 PM
That should work fine. Enable both input and output on all interfaces. If the utilization on any of the interfaces looks overstated, then:
If either of the above is a problem, go back to your configuration and only export egress flows (i.e. output) and disable the ingress (i.e. input) metered flows. You can always download Scrutinizer as well to verify the results.
08-23-2016 02:38 PM
Thanks Michael, you say to enable input and output on all interfaces.
I am only going to be receiving multicast from the WAN into my LAN, i.e. not from the LAN to the WAN; therefore, would I only need to put both input and output on the WAN interface?
Thanks kindly,
08-23-2016 03:27 PM
Yes, if you have a good collection and reporting system. Your configuration will be fine. If utilization rates look strange, compare them to SNMP trends in 5 minute intervals. They should line up pretty close.
08-23-2016 02:44 AM
Hi, it depends on what your requirements are. We use it for security; we are very tight on it and collect everything so we can map all traffic patterns. Also, as we use IWAN, we use LiveAction and it needs to be enabled with NBAR for that.
It can also depend on what your collector can handle and how it scales in flows.
NetFlow v9 Ingress is collected on traffic going into (i.e. inBound) an interface. This is how NetFlow v5 collects data. To figure out outBound traffic volume, ingress must be collected on all interfaces and the reporting software then displays outbound traffic. What goes in must go out, right? Ya, usually.
NetFlow v9 Egress is collected on traffic going out (i.e. outBound) of an interface. Generally, it is used in combination with Ingress, but it doesn’t have to be.
NetFlow v9 supports ingress and egress NetFlow. In most installations, ingress flows enabled on all the interfaces of the switch or router will deliver on the information we need. Here are a few reasons to use Egress Flows:
In WAN compression environments (e.g. Cisco WAAS, Riverbed, etc.), we need to see traffic after it was compressed. Using Ingress flows causes an over stated outbound utilization on the WAN interface. Egress flows are calculated after compression.
In multicast environments, ingress multicast flows have a destination interface of 0 because the router doesn’t know what interface they will go out until after it processes the datagrams. Exporting egress flows delivers the destination interface and as a result multiple flows are exported if the flow is headed for multiple interfaces.
When exporting NetFlow on only one interface of the router or switch: enabling both on a single interface means that all traffic in and out is exported in NetFlow datagrams.
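As an added example (not code from the thread, from Cisco or from Plixer), here is how a collector can use the NetFlow v9 DIRECTION element (field type 61: 0 = ingress metered, 1 = egress metered) that A1 and A2 above and the egress-flows notes rely on, so that exporting both 'input' and 'output' monitors does not overstate utilization while multicast flows still land on the interfaces they leave. The interface numbers (1 = WAN, 2 and 3 = LAN sub-interfaces) and byte counts are constructed sample data.

```python
from collections import defaultdict

INGRESS, EGRESS = 0, 1  # values of NetFlow v9 field type 61 (DIRECTION)

# Constructed sample records, as a collector would see them after decoding v9
# data records. ifIndex 1 = WAN, 2 and 3 = LAN sub-interfaces (assumed numbering).
SAMPLE_FLOWS = [
    # unicast LAN -> WAN: metered on input of the LAN side and output of the WAN side
    {"in_if": 2, "out_if": 1, "direction": INGRESS, "bytes": 1000},
    {"in_if": 2, "out_if": 1, "direction": EGRESS,  "bytes": 1000},
    # multicast WAN -> LAN, ingress metered: the egress interface is still 0
    {"in_if": 1, "out_if": 0, "direction": INGRESS, "bytes": 5000},
    # same multicast, egress metered: one record per interface it is replicated to
    {"in_if": 1, "out_if": 2, "direction": EGRESS,  "bytes": 5000},
    {"in_if": 1, "out_if": 3, "direction": EGRESS,  "bytes": 5000},
]


def utilization(flows, mode="direction"):
    """Return {ifIndex: {"in": bytes, "out": bytes}} for the given flows.

    mode="direction":    inbound from ingress-metered records, outbound from
                         egress-metered records: both monitors, no double count.
    mode="ingress_only": v5-style collector that only has ingress records and
                         infers outbound volume from their destination interface.
    mode="naive":        ignore DIRECTION and credit both interfaces of every
                         record; reproduces the overstatement the thread warns about.
    """
    util = defaultdict(lambda: {"in": 0, "out": 0})
    for f in flows:
        if mode == "naive":
            util[f["in_if"]]["in"] += f["bytes"]
            if f["out_if"] != 0:
                util[f["out_if"]]["out"] += f["bytes"]
        elif mode == "ingress_only":
            if f["direction"] != INGRESS:
                continue  # an input-only export never produces egress records
            util[f["in_if"]]["in"] += f["bytes"]
            if f["out_if"] != 0:  # multicast ingress flows carry out_if 0: lost
                util[f["out_if"]]["out"] += f["bytes"]
        else:  # "direction"
            if f["direction"] == INGRESS:
                util[f["in_if"]]["in"] += f["bytes"]
            else:
                util[f["out_if"]]["out"] += f["bytes"]
    return dict(util)
```

With the sample data, "ingress_only" never shows the multicast on interface 3 and "naive" triples the WAN inbound count, while "direction" reports each byte once per interface side.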