What are the recommended Ingress and Egress Netflow/IPFIX settings for devices sending data to NFA?
NFA
Netflow version 5 (one of the following, not both):
1. "ip flow ingress" only, on all active interfaces (active meaning interfaces that have an IP address and are UP)
2. "ip flow egress" only, on all active interfaces (active meaning interfaces that have an IP address and are UP)
Netflow version 9/IPFIX:
"ip flow ingress" and "ip flow egress" on only the interfaces you care to monitor in NFA.
Note: ip route-cache flow is the same as ip flow ingress, except that it can be configured on a parent interface and is then applied automatically to its sub-interfaces. ip flow ingress has to be applied manually to each sub-interface (and to the parent interface if it is IP-enabled and sending/receiving traffic).
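The two recommended layouts as IOS configuration. This is an added example, not configuration from the original article or from CA: the interface names, addresses, the collector address 192.0.2.10 and UDP port 9995 are placeholders, and the ip flow-export lines are the usual export plumbing, included only so the fragment is complete.

```cisco
! --- NetFlow v5: ingress ONLY, on every active interface (do not add egress too) ---
ip flow-export version 5
ip flow-export source Loopback0
ip flow-export destination 192.0.2.10 9995
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip flow ingress
!
! ip route-cache flow on the parent covers the 802.1Q sub-interfaces below it;
! with ip flow ingress each sub-interface would need its own statement.
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip route-cache flow
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
!
! --- NetFlow v9: ingress AND egress, only on the interfaces NFA should see ---
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 192.0.2.10 9995
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip flow ingress
 ip flow egress
!
! GigabitEthernet0/1 is deliberately left without flow statements: with v9
! the harvester stores what it receives and calculates nothing for it.
```

With the v9 layout the harvester will store only what these interfaces export; it will not infer traffic for the interface that has no flow statements.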
Additional Information:
Here are some examples of how NFA handles these different options.
Using this example:
We have a conversation between hosts A and B through interfaces 1 and 2
A ------>1 ==ROUTER== 2 ------> B
A <------1 ==ROUTER== 2 <------ B
1. Ingress ONLY on all interfaces.
We store the IN flows for both interfaces and calculate the OUT traffic. Each ingress flow record reports the output interface the traffic left through, so the IN flow received on one interface is used to calculate the OUT on that other interface.
I.e. interface 2's OUT traffic is calculated from interface 1's IN traffic, and vice versa.
In the A to B conversation the traffic enters 1, crosses from 1 to 2, and leaves the device through 2.
The IN flow exported for interface 1 carries 2 as its output interface, so we use that IN flow from 1 to calculate the OUT on 2. The B to A reply enters 2 with 1 as its output interface, which gives the OUT on 1.
Since ingress is set on all interfaces on the device, we can calculate in both directions for any interface using this method.
2. Egress ONLY on all interfaces.
We store the OUT flows for both interfaces and calculate the IN traffic. Each egress flow record reports the input interface the traffic entered through, so the OUT flow received on one interface is used to calculate the IN on that other interface.
I.e. interface 2's IN traffic is calculated from interface 1's OUT traffic, and vice versa.
In the A to B conversation the traffic enters 1, crosses from 1 to 2, and leaves the device through 2.
The OUT flow exported for interface 2 carries 1 as its input interface, so we use that OUT flow from 2 to calculate the IN on 1. The B to A reply leaves through 1 with 2 as its input interface, which gives the IN on 2.
Since egress is set on all interfaces on the device, we can calculate in both directions for any interface using this method.
3. Ingress/Egress on specific interfaces (requires Netflow version 9/IPFIX).
The harvester sees both IN and OUT flows, from more than one interface of the same device, and puts the device into 'Ingress/Egress mode'.
Once a router is in Ingress/Egress mode, the harvester stores the IN and OUT traffic directly for every interface. No calculation is done.
Some things to note about Ingress/Egress mode:
The harvester continues to treat all subsequent flows from that device this way. It keeps the state of the router in memory, so if the router's flow configuration is changed, the harvester service needs to be restarted.
Ingress/Egress mode only works with v9/IPFIX flows. v5 records carry no direction field, so if you try this with v5 the harvester treats every flow as ingress.
In Ingress/Egress mode, all ingress flows are counted towards IN traffic and all egress flows are counted towards OUT traffic for each interface, and the in/out flows are matched up to prevent double-counting. There is no calculation.
If you use Netflow version 5 with ingress and egress on all interfaces, this can result in double-counting on some IOS versions: the harvester only puts a device into Ingress/Egress mode when it receives version 9 data in both directions from multiple interfaces. With version 5 it keeps calculating as in configurations #1 and #2 above, and because it is calculating both directions while also receiving flows in both directions, the traffic is counted twice.
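The accounting rules in configurations #1 to #3, and the v5 double-counting case, worked through in code. This is an added example and not NFA's harvester code: the record layout, the `export` helper that stands in for the router, and the rule for entering Ingress/Egress mode (both directions seen from a v9/IPFIX device) are assumptions modelled on the text, and the two conversations are constructed from the A/B diagram above.

```python
"""Simulation of how a collector accounts per-interface IN/OUT octets
under the NetFlow configurations discussed above.  Added example, not
NFA's own code; record format and mode-detection rule are assumptions.
"""
from collections import defaultdict

INGRESS, EGRESS = 0, 1  # v9/IPFIX DIRECTION field values; v5 has none


def record(in_if, out_if, octets, direction=None):
    """One parsed flow record: ifIndex in/out, byte count, optional direction."""
    return {"in_if": in_if, "out_if": out_if, "octets": octets,
            "direction": direction}


# Constructed traffic from the diagram: A->B enters 1 and leaves 2,
# the B->A reply enters 2 and leaves 1.  (in_if, out_if, octets)
A_TO_B = (1, 2, 1000)
B_TO_A = (2, 1, 400)


def export(version, ingress_ifs, egress_ifs):
    """Records the router would export for those two conversations, given
    which interfaces carry 'ip flow ingress' / 'ip flow egress'.
    Stand-in for the router (assumption): one record per matching statement."""
    directional = version in (9, 10)  # 10 = IPFIX
    recs = []
    for in_if, out_if, octets in (A_TO_B, B_TO_A):
        if in_if in ingress_ifs:
            recs.append(record(in_if, out_if, octets,
                               INGRESS if directional else None))
        if out_if in egress_ifs:
            recs.append(record(in_if, out_if, octets,
                               EGRESS if directional else None))
    return recs


def harvest(records):
    """Per-interface totals {ifindex: {"in": octets, "out": octets}}.

    Ingress/Egress mode (reachable only with v9/IPFIX, because only those
    records carry a direction): each record is counted once, on the side
    its direction names, and nothing is calculated.  Otherwise every record
    is treated as ingress: IN on in_if is stored and OUT on out_if is
    calculated from the same record (configurations #1 and #2).
    """
    seen = {r["direction"] for r in records}
    ie_mode = {INGRESS, EGRESS} <= seen
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        if ie_mode:
            if r["direction"] == INGRESS:
                totals[r["in_if"]]["in"] += r["octets"]
            else:
                totals[r["out_if"]]["out"] += r["octets"]
        else:
            totals[r["in_if"]]["in"] += r["octets"]
            totals[r["out_if"]]["out"] += r["octets"]
    return dict(totals)


def scenario(version, ingress_ifs, egress_ifs):
    """Export then harvest: what NFA would report for one configuration."""
    return harvest(export(version, ingress_ifs, egress_ifs))


if __name__ == "__main__":
    cases = [
        ("v5 ingress only, all interfaces", (5, {1, 2}, set())),
        ("v5 egress only, all interfaces", (5, set(), {1, 2})),
        ("v9 ingress+egress, all interfaces", (9, {1, 2}, {1, 2})),
        ("v5 ingress+egress, all interfaces", (5, {1, 2}, {1, 2})),
        ("v9 ingress+egress on interface 1 only", (9, {1}, {1})),
    ]
    for label, args in cases:
        print(f"{label}: {scenario(*args)}")
```

The first three cases all arrive at the same totals (1000 in / 400 out on interface 1, 400 in / 1000 out on interface 2), which is the point of the calculation: ingress-only and egress-only each reconstruct the missing side. The v5 ingress+egress case exports every conversation twice with no direction to tell the copies apart, so the calculation runs over both and every counter doubles. The last case shows the v9 behaviour on specific interfaces: interface 2 simply does not appear, because nothing was exported for it and nothing is inferred.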