Optimizing NetFlow data collection and processing for NetFlow version 9

When configuring NetFlow version 9, you should decide whether egress flows should also be processed. This is an important consideration, because it can allow you to optimize how much data is collected and processed by NAM. However, if egress flows are to be sent to NAM Probe, you must remember to export the DIRECTION field.

Monitoring only ingress flows in NetFlow version 5

With older versions of NetFlow (version 5), where only ingress flows can be produced, you may be forced to monitor a larger volume of traffic to be sure that you have analyzed all of the traffic of interest. For example, you may need to monitor the traffic between a server and a number of clients on the other side of a router. In this case you would need to monitor ingress flows on all of the interfaces, as pictured:

Figure: Monitoring only ingress flows in NetFlow version 5

Indiscriminate monitoring of all of the interfaces may, however, force you to analyze a significant amount of other, unrelated traffic. In this case, that could occur on interfaces A and B on the client side.

Monitoring ingress and egress flows in NetFlow version 9

If you are using NetFlow version 9, you can avoid this problem by limiting your monitoring to ingress and egress traffic on the single interface C on the server side, since both ingress and egress flows can be interpreted by the current version of NAM.

Figure: Monitoring ingress and egress flows in NetFlow version 9
Caution:

If a flow has no DIRECTION field exported, the assumption is that it is an ingress record. Therefore, if both ingress and egress records are being sent, you need to make sure that the DIRECTION field is exported; otherwise the data count performed by NAM will be doubled.
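To check an exporter before relying on it, the following added example (not NAM code and not part of the original page) parses a NetFlow version 9 export packet, reports templates that lack the DIRECTION field, and tallies bytes using the default described in the caution above. The field type numbers come from RFC 3954; the function names, interface indexes and byte counts are constructed for illustration.

```python
import struct

# NetFlow v9 field type numbers (RFC 3954); DIRECTION: 0 = ingress, 1 = egress
IN_BYTES, INPUT_SNMP, OUTPUT_SNMP, DIRECTION = 1, 10, 14, 61

def build_packet(fields, records, tid=256):
    """Constructed sample packet: one template FlowSet, one data FlowSet."""
    tmpl = struct.pack("!HH", tid, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    data = b"".join(v.to_bytes(n, "big")
                    for rec in records for (_, n), v in zip(fields, rec))
    data += b"\0" * (-len(data) % 4)             # pad to a 32-bit boundary
    header = struct.pack("!HHIIII", 9, 1 + len(records), 0, 0, 0, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", tid, 4 + len(data)) + data)

def bytes_by_direction(packet):
    """Return (byte totals per direction, template IDs lacking DIRECTION)."""
    if struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, undirected, totals, off = {}, set(), {"ingress": 0, "egress": 0}, 20
    while off + 4 <= len(packet):                # FlowSets follow the 20-byte header
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                           # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                t_id, count = struct.unpack_from("!HH", body, pos)
                if t_id < 256 or count == 0 or pos + 4 + 4 * count > len(body):
                    break                        # padding or truncated template
                templates[t_id] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * count]))
                pos += 4 + 4 * count
        elif fs_id in templates:                 # data FlowSet with a known template
            fields = templates[fs_id]
            size = sum(n for _, n in fields) or len(body) + 1  # zero-size: no records
            for pos in range(0, len(body) - size + 1, size):
                rec = {}
                for ftype, n in fields:
                    rec[ftype], pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
                if DIRECTION not in rec:         # no DIRECTION: assumed ingress
                    undirected.add(fs_id)
                side = "egress" if rec.get(DIRECTION, 0) == 1 else "ingress"
                totals[side] += rec.get(IN_BYTES, 0)
    return totals, sorted(undirected)

# Constructed sample: one 1000-byte flow exported as an ingress and an egress record
FIELDS = [(IN_BYTES, 4), (INPUT_SNMP, 2), (OUTPUT_SNMP, 2), (DIRECTION, 1)]
RECORDS = [(1000, 1, 3, 0), (1000, 1, 3, 1)]
```

Calling `bytes_by_direction(build_packet(FIELDS[:3], RECORDS))` drops DIRECTION from the template: both records are then counted as ingress, and template 256 is reported as lacking the field.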