[c-nsp] more net flow, which interfaces to monitor and in which direction?

[Eric Van Tol]

> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Scott Granados
> Sent: Wednesday, May 21, 2014 2:32 PM
> 
> Hi,
> First, thanks for all the great input on analyzers and their strong and
> weak points.  It looks like from the comments I'm going to give nfsen a
> shot.
> 	My followup question concerns selection of interfaces and the
> direction to monitor.  While googling I find that almost all examples I
> find are sampling in the input direction only.  Also most of the examples
> out there seem to be quite simple and involve one interface or a few.  

I think this really all depends on what you want to see.  If you want a full profile of where your traffic is headed, I believe it's best to run it as close to the "edge" as possible - both at customer/user-facing ports and at AS boundary ports.  In addition, anything in between that you might want more granular data from, such as service networks hanging off your core.

I could be wrong, but I think the type of metering you can do (ingress/egress) depends on the Netflow version you plan on running.  I believe version 5 can only do ingress metering.  However, if you have ingress metering configured on all edge-facing ports and all core-facing ports, you can expect to get everything you need, because the return traffic from an edge port will be seen as an ingress flow on a core port.  I'm not sure of the benefits you would get by using v9 or IPFIX and doing both ingress/egress metering, as it would seem to me that you're just duplicating flow data at that point.  I think it really all depends on your traffic flow patterns.  That said, if your devices support it, v9 or IPFIX would be the way to go.  

-evt