Why use Egress NetFlow
The topic of ingress or egress NetFlow has come up more than once at our company. The benefits of egress over ingress flows are outlined in the above link. It is important to understand that NetFlow v5 only supports ingress NetFlow, whereby flows are collected as traffic comes into an interface and not as it goes out. The logic was that if NetFlow is metered (i.e. collected) on all interfaces of the router, then outbound traffic on a specific interface could be displayed using the flows collected from the other interfaces.
Ingress vs. Egress
Some customers want to know why they would ever implement egress NetFlow. This is one time where the topic of ingress vs. egress is important. Whether a flow was metered ingress or egress is determined by looking at a single direction bit in the flow. If both are being metered on the same interface, the network monitoring solution had better know when to use which and NOT use both when displaying utilization on an interface. In other words, if both egress and ingress are being metered on the same interface, ingress should be used for showing inbound utilization and egress should be used for showing outbound utilization.
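The selection rule above, as an added example that is not part of the original post. It assumes the NetFlow v9 DIRECTION field values (0 = ingress, 1 = egress), that ingress is metered on every interface, and a constructed record layout of `(direction, input_if, output_if, bytes)`; the function names are hypothetical.

```python
from collections import defaultdict

INGRESS, EGRESS = 0, 1  # assumed NetFlow v9 DIRECTION field values

# Constructed sample records: (direction, input_if, output_if, bytes).
# Interface 2 exports egress flows too, so traffic leaving it appears twice.
FLOWS = [
    (INGRESS, 1, 2, 1000),  # metered as it entered interface 1
    (INGRESS, 3, 2, 500),   # metered as it entered interface 3
    (EGRESS,  1, 2, 1000),  # same traffic, metered again leaving interface 2
    (EGRESS,  3, 2, 500),
    (INGRESS, 2, 1, 300),   # entered interface 2, leaves via interface 1
]

def naive_out(flows, ifc):
    """Wrong: sums every flow leaving ifc, mixing ingress and egress records."""
    return sum(b for _, _, out_if, b in flows if out_if == ifc)

def utilization(flows):
    """Per-interface byte counts that never mix both directions' records."""
    ingress_in = defaultdict(int)   # inbound, from ingress flows on the interface
    ingress_out = defaultdict(int)  # outbound, inferred from other interfaces' ingress flows
    egress_out = defaultdict(int)   # outbound, from egress flows on the interface
    for direction, in_if, out_if, nbytes in flows:
        if direction == INGRESS:
            ingress_in[in_if] += nbytes
            ingress_out[out_if] += nbytes
        elif direction == EGRESS:
            egress_out[out_if] += nbytes
    result = {}
    for ifc in set(ingress_in) | set(ingress_out) | set(egress_out):
        if ifc in egress_out:
            # Egress is metered here: use it alone for outbound.
            out = egress_out[ifc]
        else:
            # Ingress-only interface: fall back to the v5-style inference.
            out = ingress_out.get(ifc, 0)
        result[ifc] = {"in": ingress_in.get(ifc, 0), "out": out}
    return result

if __name__ == "__main__":
    print("naive outbound on if 2:", naive_out(FLOWS, 2))
    for ifc, counts in sorted(utilization(FLOWS).items()):
        print(ifc, counts)
```

The naive sum reports double the real outbound bytes on interface 2, which is the inflated utilization a collector shows when it uses both record types for the same direction.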
If the above clearly makes sense to you, then let's tackle the next issue. What if you had configured the router to meter NetFlow ingress, and for months you were happy, and then one day you found out about egress NetFlow and decided to export those flows as well? How will your network monitor handle this change? Part 2 of the blog will explain that.