Hello Mark, thanks for your reply.

It is just from all my reading, that I thought putting both the input and output command on an interface would cause a doubling up of flow information which therefore gives a false reading.

I thought that if you only used the input command on all interfaces then that would calculate the output flows.

I am just wondering why you needed to include both 'ip flow monitor nq input' and 'ip flow monitor nq output' on your vlan interface ?

Thank you kindly.

Hello,  I will reply to a few of your comments:

Q1: I thought putting both the input and output command on an interface would cause a doubling up of flow information which therefore gives a false reading

A1: Correct, it does however, flows are exported with a direction element (indicator).  0=ingress metered and 1= egress metered.  Your flow collection/reporting solution should use these when reporting to ensure it doesn't over state utilization.  So again: Yes exporting both input and output does cause double the flow volume to be exported from the router but, if you have a good reporting solution, it will use the direction element and avoid over stating utilization. 

Q2: if you only used the input command on all interfaces then that would calculate the output flows

A2: Correct however, multicast flows that are metered ingress (i.e. inbound) have a destination (i.e. egress) interface of 0.  I was told that this is because the router hasn't figured out where to send them yet.  As a result, unlike ingress metered unicast flows which do have a destination interface, multicast ingress metered flows will NOT show up when displaying outbound utilization on other interfaces.  To fix this, export egress metered flows.  Don't worry about overstating utilization because of what I wrote in A1. 

Q3: why you needed to include both 'ip flow monitor nq input' and 'ip flow monitor nq output' on your vlan interface ?

A3: You don't need to.  You could just export egress (output) metered flows and fix the issue.  Sometimes it is wise to export both ingress (input) and egress (output) metered flows to gain insight:

• if the router is changing the DSCP value before it is forwarded on
• to verify that the router is compressing certain traffic before it is forwarding on

More questions?  You might want to read this blog: https://www.plixer.com/blog/netflow/multicast-netflow-exports-with-flexible-netflow/  

Call us if you need help. 

Mike

Thanks guys, this has really cleared it up for me nicely. So just to confirm, in my situation I have a multicast router on WAN interface and three sub-interfaces connecting to my LAN switch.

I will be receiving multicast traffic from the WAN interface feeding in to my LAN.

So, I am enabling 'ip flow monitor nq input' on all of the router interfaces. 

Additionally on the router's WAN interface, I am enabling 'ip flow monitor nq output' in order to collect flow information for the multicast traffic coming from the WAN destined for my LAN clients.

Is that what you would recommend ?

Thank you kindly for the assistance.

That should work fine.  Enable both input and output on all interfaces. If the utilization on any of the interfaces looks overstated, then:

• make sure you are exporting the direction in your flexible netflow configuration
• make sure your collector is only using egress metered flows when showing outbound traffic.  BTW: Most ignore this field! 

If either the above is a problem, go back to your configuration and only export egress flows (i.e. output) and disable the ingress (i.e. input) metered flows.  You can always download Scrutinizer as well to verify the results. 

Thanks Michael, you say to enable input and output on all interfaces.

I am only going to be receiving multicast from the WAN in to my LAN i.e. not from the LAN to the WAN, therefore would I only need to put both input and output on the WAN interface ?

Thanks kindly,

Yes, if you have a good collection and reporting system.  Your configuration will be fine. If utilization rates look strange, compare them to SNMP trends in 5 minute intervals.  They should line up pretty close. 

Hi it depends on what your requirements are , we use it for security we are very tight on it and collect everything so we can mao all traffic patterns and also as we use iwan we use liveaction and it needs to be enabled with nbar for that

it can also depend on what your collector can handle and scale in flows

Ingress vs. Egress Differences

NetFlow v9 Ingress is collected on traffic going into (i.e. inBound) an interface. This is how NetFlow v5 collects data. To figure out outBound traffic volume, ingress must be collected on all interfaces and the reporting software then displays outbound traffic. What goes in must go out, right? Ya, usually.

NetFlow v9 Egress is collected on traffic going out (i.e. outBound) of an interface. Generally, it is used in combination with Ingress, but it doesn’t have to be.

NetFlow v9 supports ingress and egress NetFlow. In most installations, ingress flows enabled on all the interfaces of the switch or router will deliver on the information we need. Here are a few reasons to use Egress Flows:

In WAN compression environments (e.g. Cisco WAAS, Riverbed, etc.), we need to see traffic after it was compressed. Using Ingress flows causes an over stated outbound utilization on the WAN interface. Egress flows are calculated after compression.

In multicast environments, ingress multicast flows have a destination interface of 0 because the router doesn’t know what interface they will go out until after it processes the datagrams. Exporting egress flows delivers the destination interface and as a result multiple flows are exported if the flow is headed for multiple interfaces.

When exporting NetFlow on only one interface of the router or switch. Enabling both on a single interface means that all traffic in and out is exported in NetFlow datagrams.