Submit a ticketCall us
Home > Success Center > Netflow Traffic Analyzer (NTA) > Theory of Duplicate Flows

Theory of Duplicate Flows

Table of contents
Created by Brian O'Donovan, last modified by Brian Hansen on Nov 16, 2017

Views: 241 Votes: 2 Revisions: 8

Overview

If your device is not configured properly, data can be duplicated.

Environment

All NTA versions

Detail

Explaining duplicate flows

 

Due to the way the NTA application currently processes data we recommend to only have "ip flow ingress" enabled on the interfaces.

 

When a flow is received it contains the interface index numbers for both the Input and the Output interfaces.

NTA parses this out and applies the Ingress traffic to the Input interface and the Egress to the Output interface.

So depending on the configuration flows can look the same to NTA even though the flow is coming from two different interfaces.

 

For example:

 

A device with two interfaces with the following config:

Serial0/0/0

Ip flow ingress

ip flow egress

 

Gig0/0

IP flow ingress

ip flow egress

 

When a flow in coming into the serial interface the Ingress command will tag the serial in the Ingress direction and the Gig0/0 as the Egress direction.

When the same flow exits the Gig0/0 interface the Egress command is going to tag the Gig0/0 as the Egress and the Serial as the Ingress.

When these two flows are exported they will look the same to the Netflow collector

The rules of thumb are:

  • When only monitoring one interface on the device configure both “ip flow ingress and ip flow egress” on the interface
  • When monitoring multiple interfaces then only configure “ip flow ingress” on all interfaces.

 

 

 

Issue: Theory of Duplicate Flows diagram

Theory_on_Duplicate_flows.png

 

 

Solution: Theory of Duplicate Flows Resolved

Theory_on_Duplicate_flows_Resolved.png

Last modified

Tags

Classifications

Public