I'm reading up on NetFlow and playing around in Packet Tracer. Currently I'm using ip flow ingress/egress only on my routers' GigabitEthernet interfaces. How much overhead is required, and is NetFlow supposed to be measured on all interfaces, even on switch trunk lines?
How to Enable NetFlow on All Interfaces
monitoring
Related Solutions
NetFlow is a protocol for exporting aggregated IP flow totals. As such it is well suited to IP traffic accounting on Internet routers. With NetFlow v9 (AKA IPFIX) it can look into Layer 2 traffic as well.
sFlow is a general purpose network traffic measurement system technology. sFlow is designed to be embedded in any network device and to provide continuous statistics on any protocol (L2, L3, L4, and up to L7), so that all traffic throughout a network can be accurately characterized and monitored. These statistics are essential for congestion control, troubleshooting, security surveillance, network planning etc. They can also be used for IP accounting purposes.
NetFlow mirrors all traffic, and places a load on the CPU when utilised.
sFlow is a packet sampling technology where the switch captures every 100th packet (configurable) per interface and sends it off to the collector. sFlow is built into the ASIC, and places minimal load on the CPU.
NetFlow is supported by Cisco, Juniper, Alcatel Lucent, Huawei, Enterasys, Nortel, VMWare.
sFlow is supported by Alaxala, Alcatel Lucent, Allied Telesis, Arista Networks, Brocade, Cisco, Dell, D-Link, Enterasys, Extreme, Fortinet, Hewlett-Packard, Hitachi, Huawei, IBM, Juniper, LG-Ericsson, Mellanox, MRV, NEC, Netgear, Proxim Wireless, Quanta Computer, Vyatta, ZTE and ZyXEL (see sFlow link).
Generally speaking, you can install MRTG or any network graphing and historical data software which can pull interface statistics via SNMP. A nice and easy free software package for this is CactiEZ. It can be run out of the box on an old server, or mounted and installed easily on a VM.
However, since you're using a Cisco router, you can enable NetFlow on your interfaces and export that information to a NetFlow collector/software such as SolarWinds Traffic Analyzer. This allows you to use the router to classify the types of traffic traversing that interface and report that back to the collector. You can then get better statistical information on what kind of traffic is being utilized, and where it's coming from and going to as well.
Best Answer
When you only have one router, then you are fine monitoring both directions or both interfaces. If you monitor both directions and both interfaces, you will be monitoring duplicated flows.
The decision of where and in what direction to monitor becomes a bit more involved when more routers are involved. Take this simple example:
A packet going from Host X to Host Y will cross four total interfaces:
If you were capturing at every single one of these points, you would get the same flow data duplicated four times, which is obviously not very useful.
The simple solution is to just pick one of these to monitor, but then what of the return traffic? Imagine a packet going from Host Y to Host X; that packet would also cross four possible (what I'll call) NetFlow capture points:
Obviously, capturing on all four of these points would also create 4x duplication of the traffic. So capturing on one of these would be sufficient.
A common practice is to deploy NetFlow on the ingress interfaces of all your 'access' routers, which in the (again, simplistic) example above would mean setting up a capture at these points:
This accounts for picking one of the four NetFlow capture points to cover the forward traffic (Host X to Host Y) as well as the return traffic (Host Y to Host X), without capturing duplicated traffic in the process.
That said, most production networks are significantly more complex (and rightfully so!) than what is pictured above. But you can still apply the same concept to determine the best place to set up your NetFlow captures, with the goal of capturing both forward and return traffic and not duplicating any packets.
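The placement the best answer recommends (NetFlow on the ingress side of each access router's host-facing interface, and nowhere else) together with the export to a collector mentioned under Related Solutions, written out as an added Cisco IOS configuration example. This is not configuration from any of the answers above. The two-router topology (Host X - R1 - R2 - Host Y), the interface names and addresses, the collector address 192.0.2.10 (a documentation-range address), the UDP port 2055 and the Loopback0 export source are all assumptions chosen for the illustration.

```cisco
! R1: access router in front of Host X (assumed topology: Host X - R1 - R2 - Host Y)
hostname R1
!
! Export settings are global: v9 records to the collector 192.0.2.10 on
! UDP 2055 (both assumed), sourced from Loopback0 (assumed) so the
! collector always sees the same exporter address regardless of path.
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 192.0.2.10 2055
!
interface GigabitEthernet0/0
 description LAN toward Host X - the one NetFlow capture point on R1
 ip address 10.1.1.1 255.255.255.0
 ip flow ingress
!
interface GigabitEthernet0/1
 description Core link toward R2 - deliberately no ip flow ingress/egress
 ip address 10.0.12.1 255.255.255.252
!
! R2: access router in front of Host Y, the mirror image of R1
hostname R2
!
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 192.0.2.10 2055
!
interface GigabitEthernet0/0
 description LAN toward Host Y - the one NetFlow capture point on R2
 ip address 10.2.2.1 255.255.255.0
 ip flow ingress
!
interface GigabitEthernet0/1
 description Core link toward R1 - no NetFlow here either
 ip address 10.0.12.2 255.255.255.252
!
! Verification, exec mode on either router:
!   show ip cache flow    - flows currently held in the local flow cache
!   show ip flow export   - export version, destination and datagrams sent
```

With this in place a Host X to Host Y conversation is recorded exactly once, as an ingress flow on R1 GigabitEthernet0/0, and the return traffic exactly once, as an ingress flow on R2 GigabitEthernet0/0, so the collector sees each direction of every conversation a single time. Adding ip flow egress on the same interfaces, or ip flow ingress on the core link (or on a switch trunk between the routers), would only produce the extra copies the answer warns about, inflating byte counts in any report or detection rule built on the collector's data while costing additional router CPU and export bandwidth.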