[c-nsp] more net flow, which interfaces to monitor and in which direction?

[Harold 'Buz' Dale]

That¹s the way we do it.  By getting ingress flows pretty much everywhere
you know where the egress is going and can match up conversations.
Luck,
Buz

----------
buz.dale at usg.edu
Network Support Specialist University System of GA -IT Services.
706-583-2052 or (Toll Free in GA) 888-875-3697
 






On 5/22/14, 9:35 AM, "Scott Granados" <scott at granados-llc.net> wrote:

>So for a little more clarification on this, I would want to monitor say
>ingress on my transit links and then ingress on say my input links from
>my server farm ports and capture the data that way instead of monitoring
>ingress and egress on the same transit only interfaces?  So in other
>words measure inbound from the public internet and then inbound from the
>internal sites and customer pools?
>
>Do I more or less have it?
>
>On May 21, 2014, at 9:58 PM, Roland Dobbins <rdobbins at arbor.net> wrote:
>
>> 
>> On May 22, 2014, at 8:40 AM, CiscoNSP List <cisconsp_list at hotmail.com>
>>wrote:
>> 
>>> Can anyone please explain why?
>> 
>> Another problem with egress NetFlow is that you won't get stats on
>>traffic which is being dropped by ACLs, uRPF, et. al.
>> 
>> You should always use ingress NetFlow unless you have a specific
>>topological issue which precludes its use.
>> 
>> ----------------------------------------------------------------------
>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>> 
>>                   Equo ne credite, Teucri.
>> 
>>    		   	  -- Laocoön
>> 
>> 
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/