Switching from Ingress to Egress
Don't forget to read Ingress or Egress NetFlow part 1 first. What if you wake up one morning and announce to your network traffic monitoring team that for several reasons, you want to export both ingress and egress NetFlow on a few of the Cisco Routers. What will the network monitoring gurus say? Hmmmm...... Probably nothing.
The IT staff may not really care about your early morning epiphany however the NetFlow analyzer may have decided to display the data differently. Think about this: for months you have been reporting on outbound data using ingress metered NetFlow or IPFIX and now you want to display outbound utilization using egress metered NetFlow. What about the saved history in the database? All of the history is saved as ingress. Now the direction bit is flipped and you want to display outbound utilization using egress flows.
Fast forward: after a two weeks of collecting egress flows you've decided to run a NetFlow trend on outbound traffic for the last 30 days. This would cross the date line of switching from ingress to egress. What would happened in the front end of the network monitoring and reporting tool? Contact your NetFlow Vendor to find out.
Finally, there are a few different reasons to export egress NetFlow and I've heard ideas from several NetFlow experts that their hardware may end up exporting bidirectional flows in the future as this helps avoid the ingress Vs. egress discussion. Some flows like SonicWALL IPFIX exports already include bidirectional flows where a single flow contains both ingress and egress monitored traffic. Finally, I don't want to leave anyone out so I should mention that other vendors support egress as well (e.g. Adtran).