cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5759
Views
0
Helpful
3
Replies

How much bandwidth netflow export uses

Experts,

 

I tried searching doc on cisco and even googled for information on how much bandwidth netflow export uses; however I didn't find any convincing article. I also found lancope.com where they estimate the BW required, but still I was not satisfied.

I would really appreciate if someone can guide me with simple yet affective explanation or say rough guide lines to estimate the bandwidth used by netflow exports...

 

Regards,

Smitesh

3 Replies 3

Joseph W. Doherty
Hall of Fame
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

"It depends."

It would depend on what kind of netflow export you're doing, and the number of flows transiting the device.

I don't recall seeing any information to let you easily estimate. 

Lanscope.com's estimate might put you in the ball park, but again, much depends on your configuration and your traffic.

yeah this number is so hard to define, because it really is dependent on the flow export timers, active/inactive, how long flows are active or inactive and also very importantly the cache size.

generally netflow aggregators (aka routers) use a cache and start to aggressively age out flows when the cache utilization reaches a certain level.

Also if you have long lived flows and a few of them and a cache size that accomodates it, the export rate is merely defined by the active timer.

If you have a lot of flows, relative smaller cache, you will automatically see more BW util.

If you have a lot of short lived flows, then the inactive timer will come into play here.

to sum it up, a record generally takes 300 bytes (somewhat), if you use v9, then you'll also see template exports.

all in all, netflow export is generally bursty, but very much related to the traffic patterns also.

Since this number is so specific to your scenario, best to do is to set up a qos pmap that matches on your netflow export, and use the qos mib to average the rate on that class to see how it looks like for you.

To pre-estimate something, you'll need at minimum: cache size, number of flows, flow duration (so you can correlate that towards the active vs inactive timers) and the timers itself. That all multiplied against the record size, this just to get a ballpark number.

cheers

xander

----

xander thuijs CCIE#6775

Principal Engineer ASR9000/XR SW group

Hi Alexander,

I should configure some netflow commands on a CISCO Catalyst 6509 but I must know previously the traffic increase on the port channels because they are quite busy and I do not want to saturate them.

The commands to be implemented are: 

mls netflow

mls nde sender version 5

mls flow ip interface-full

mls nde interface

mls aging normal 32

mls aging long 64

!

ip flow-export source loopback 20

ip flow-export version 9

ip flow-export destination 145.230.205.85 2055 !! It brings the flows                                                !! thoughtout the port                                                !! Channels

ip flow-cache timeout inactive 15         

ip flow-cache timeout active 1

ip flow-capture ttl        

!

 

 

interface Vlan879 

ip route-cache flow

 

.................

.................

 

interface Vlan4024

ip route-cache flow

 

I don't know exactly the number of flows because netflow is not configured yet but I can provide you the output of the  "sh ip cache verbose flow" of a similar Catalyst with a similar number of VLANs and load of traffic:

sh ip cache verbose flow

-------------------------------------------------------------------------------

 

Displaying software-switched flow entries on the MSFC in Module 6:

 

IP packet size distribution (517757545 total packets):

   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480

   .000 .412 .124 .009 .010 .431 .002 .001 .000 .000 .000 .000 .000 .000 .000

 

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608

   .000 .000 .000 .001 .001 .000 .000 .000 .000 .000 .000

 

IP Flow Switching Cache, 278544 bytes

  226 active, 3870 inactive, 21874743 added

  1256565200 ager polls, 0 flow alloc failures

  Active flows timeout in 1 minutes

  Inactive flows timeout in 15 seconds

IP Sub Flow Cache, 66760 bytes

  452 active, 1596 inactive, 43749486 added, 21874743 added to flow

  0 alloc failures, 0 force free

  2 chunks, 410 chunks added

  last clearing of statistics never

 

 Can you please provide me an idea of the traffic growth that I can experience in a similar situation?

Let me know if you need further information.

Thank you very much!

Kind regards, 

Silvio

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco