The network traffic reports produced by the NetFlow analyzer need to be intelligent when dealing with ingress and egress flows. It’s pretty slick, but it requires that the NetFlow collector understand what is known as the flow “Direction”. If the field in the NetFlow v9 packet is a 0, then it is an ingress collected flow. If the field is a 1, then it is an egress collected flow.

[Figure: Ingress Flow with IPv6 (the same with IPv4)]

[Figure: Egress Flow with IPv6 (the same with IPv4)]
If the router is exporting both ingress and egress and the NetFlow monitor can report on both without overstating utilization, you can see how much of each flow is being compressed. GASP!!! This is because it was calculated using ingress flows.
I’m doing some more work lately with Wireshark and Scrutinizer v7. ingress might be interesting to some readers.

NOTE: Egress is only available in Cisco NetFlow v9 and not NetFlow v5.

In theory, ingress and egress should work the same in IPFIX, which is based on NetFlow v9, but they are certainly different. Although they are very similar, don’t let any company tell you they are exactly the same. Many collectors that work with NetFlow v9 will puke when they receive IPFIX. Nortel supports IPFIX, as does/did Avici, which is now Soapstone Networks, Inc. Other vendors, such as Adtran and Enterasys, support NetFlow v9. One annoying area where IPFIX and NetFlow v9 differ is in the labeling of fields: NetFlow v9 has ‘IN_BYTES’ and IPFIX labels the same field ‘octetDeltaCount’. IPFIX probably renamed it because when talking about egress flows, IN_BYTES is sort of misleading.

NetFlow v9 Ingress is collected on traffic going into (i.e. To figure out outbound traffic volume, ingress must be collected on all interfaces and the reporting software then displays outbound traffic. What goes in must go out, right? Ya, usually.

NetFlow v9 Egress is collected on traffic going out (i.e. Generally, it is used in combination with Ingress, but it doesn’t have to be. Why collect with egress, if ingress worked so well with NetFlow v5? Because hardware such as WAN optimizers compress data. Traffic compression with Cisco NetFlow means that what comes in 100 bytes might go out as 50 bytes. If only using ingress flows, the NetFlow reporting software will show 100 bytes outbound, even if it was compressed to 50 bytes.
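The Direction handling and the 100-byte/50-byte compression case described above, as an added example that is not code from the original post or from any NetFlow product. It assumes the v9 records are already decoded into dicts; the key names (`direction`, `input_if`, `output_if`, `bytes`) are hypothetical and the sample records are constructed.

```python
from collections import defaultdict

INGRESS, EGRESS = 0, 1  # NetFlow v9 Direction field values, as given in the text

# Constructed sample records (not captured traffic). Interface 1 is the LAN side,
# interface 2 the WAN side of a router that compresses traffic leaving on 2.
FLOWS = [
    {"direction": INGRESS, "input_if": 1, "output_if": 2, "bytes": 100},
    {"direction": EGRESS,  "input_if": 1, "output_if": 2, "bytes": 50},
    {"direction": INGRESS, "input_if": 2, "output_if": 1, "bytes": 40},
    {"direction": EGRESS,  "input_if": 2, "output_if": 1, "bytes": 40},
]

def naive_outbound(flows):
    """Direction-unaware collector: every record counts toward its output interface."""
    out = defaultdict(int)
    for f in flows:
        out[f["output_if"]] += f["bytes"]
    return dict(out)

def interface_report(flows):
    """Direction-aware totals per interface: inbound, outbound, and bytes saved."""
    inbound = defaultdict(int)        # ingress records, keyed by input interface
    out_measured = defaultdict(int)   # egress records, keyed by output interface
    out_inferred = defaultdict(int)   # ingress records, keyed by output interface
    for f in flows:
        if f["direction"] == INGRESS:
            inbound[f["input_if"]] += f["bytes"]
            out_inferred[f["output_if"]] += f["bytes"]
        elif f["direction"] == EGRESS:
            out_measured[f["output_if"]] += f["bytes"]
        else:
            raise ValueError(f"unknown Direction value {f['direction']!r}")
    report = {}
    for ifc in sorted(set(inbound) | set(out_measured) | set(out_inferred)):
        # Prefer measured egress bytes; fall back to the ingress-derived figure
        # when the exporter sends no egress flows for this interface.
        has_egress = ifc in out_measured
        outbound = out_measured[ifc] if has_egress else out_inferred[ifc]
        saved = out_inferred[ifc] - outbound if has_egress else None
        report[ifc] = {"in": inbound[ifc], "out": outbound, "saved": saved}
    return report

if __name__ == "__main__":
    print("naive:", naive_outbound(FLOWS))
    print("direction-aware:", interface_report(FLOWS))
```

With only the ingress records as input, interface 2 reports 100 bytes outbound and `saved` is `None`, which is the overstated figure the text describes.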