How to configure devices and not duplicate NetFlow

How to configure devices and not duplicate NetFlow

This post gives a short explanation of NetFlow duplication problem, why it is important and how to overcome it. Network admins think about their data and if it is actually correct and deduplicated. And rightfully so! This should not be on their list of concerns - NetFlow analyzer should include out-of-the-box solution to this problem. Unfortunately, this is often not the case because exporting and processing NetFlow data depends on the network and its complexity.

In general, there are two ways duplication can occur:

  1. Configuration duplication - by configuring both ingress and egress direction export on the same device (router or switch)

  2. Exporters duplication - by exporting same flow on different devices

We will focus for the moment on the duplication caused by bidirectional configuration (1), and in which situations is better to use incoming (In/Ingress) or outgoing (Out/Egress) flow on the interface for collecting NetFlow traffic.
Duplication caused by many exporters will be explained in another blog post "How to solve duplicated NetFlow caused by multiple exporters".

Understanding configuration duplication 

On the above figure you can see that interfaces Gi1/1 and Gi1/2 are set to collect NetFlow traffic, Gi1/1 in IN direction and Gi1/2 in OUT direction. 
This example shows that a flow traveling from Host A to Host B will be collected and exported twice to NetFlow server, while a flow traveling from Host B to Host A will not be matched and exported.
The result is a false NetFlow traffic: double amount of flows for A to B direction, and zero flows for B to A direction. 
Note that it is very important that all interfaces on a single device are configured to collect flow in only one direction, IN or OUT.

Correct configuration of devices

Here, both interface Gi1/1 and interface Gi1/2 are set to collect the NetFlow traffic in IN direction.
This time, a flow traveling from Host A to Host B will be collected only once, and a flow traveling from Host B to Host A will be collected as well.
Now, NetFlow traffic will be correct and none of the charts in TopN > Exporters will have duplicated data.

Deciding whether to use Ingress or Egress

You must be aware that Ingress/Egress support depends on device's software version and supervisor module (if existing). For this information, please check your vendor's release notes.

Ingress export enabled on all the interfaces of a device will, in general, deliver all necessary information. It is specially recommended in the following situations:

  1. NetFlow v9 supports Ingress and Egress, but NetFlow v5 only supports Ingress flows. If your device is only supported by NetFlow v5, your flows should necessarily be Ingress. 

  2. In addition, Ingress export provides monitoring of Blocked traffic (traffic sent to Interface Out 0).

Egress should be considered in these situations:

  1. Some routers (e.g. Cisco WAAS, Riverbed, etc.) have option to compress flows, so the Out traffic will be reduced compared with In traffic. Egress export provides more precise information on traffic transferred in the network.

  2. When multicast flows are sent, Ingress exported flows have a destination interface 0 because the router doesn’t know interface Out before processing. Egress exported flows deliver the destination interfaces, and, in addition, if the flow is headed for multiple interfaces it will be exported as multiple flows.

Now you just need to establish wheter to use Ingress or Egress and hopefully this article will make your monitoring process a lot easier

2 Ways of Exporting Without Netflow Capable Device
Top 5 DevOps commands for PostgreSQL

Related Posts

By accepting you will be accessing a service provided by a third-party external to


Mailing and Visiting Address:
Soneco d.o.o.
Makenzijeva 24/VI, 11000 Belgrade, Serbia
Phone: +381.11.6356319
Fax: +381.11.2455210 |


linkedin facebook facebook