I tried searching doc on cisco and even googled for information on how much bandwidth netflow export uses; however I didn't find any convincing article. I also found lancope.com where they estimate the BW required, but still I was not satisfied.
I would really appreciate if someone can guide me with simple yet affective explanation or say rough guide lines to estimate the bandwidth used by netflow exports...
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
It would depend on what kind of netflow export you're doing, and the number of flows transiting the device.
I don't recall seeing any information to let you easily estimate.
Lanscope.com's estimate might put you in the ball park, but again, much depends on your configuration and your traffic.
yeah this number is so hard to define, because it really is dependent on the flow export timers, active/inactive, how long flows are active or inactive and also very importantly the cache size.
generally netflow aggregators (aka routers) use a cache and start to aggressively age out flows when the cache utilization reaches a certain level.
Also if you have long lived flows and a few of them and a cache size that accomodates it, the export rate is merely defined by the active timer.
If you have a lot of flows, relative smaller cache, you will automatically see more BW util.
If you have a lot of short lived flows, then the inactive timer will come into play here.
to sum it up, a record generally takes 300 bytes (somewhat), if you use v9, then you'll also see template exports.
all in all, netflow export is generally bursty, but very much related to the traffic patterns also.
Since this number is so specific to your scenario, best to do is to set up a qos pmap that matches on your netflow export, and use the qos mib to average the rate on that class to see how it looks like for you.
To pre-estimate something, you'll need at minimum: cache size, number of flows, flow duration (so you can correlate that towards the active vs inactive timers) and the timers itself. That all multiplied against the record size, this just to get a ballpark number.
xander thuijs CCIE#6775
Principal Engineer ASR9000/XR SW group
I should configure some netflow commands on a CISCO Catalyst 6509 but I must know previously the traffic increase on the port channels because they are quite busy and I do not want to saturate them.
The commands to be implemented are:
mls nde sender version 5
mls flow ip interface-full
mls nde interface
mls aging normal 32
mls aging long 64
ip flow-export source loopback 20
ip flow-export version 9
ip flow-export destination 188.8.131.52 2055 !! It brings the flows !! thoughtout the port !! Channels
ip flow-cache timeout inactive 15
ip flow-cache timeout active 1
ip flow-capture ttl
ip route-cache flow
ip route-cache flow
I don't know exactly the number of flows because netflow is not configured yet but I can provide you the output of the "sh ip cache verbose flow" of a similar Catalyst with a similar number of VLANs and load of traffic:
sh ip cache verbose flow
Displaying software-switched flow entries on the MSFC in Module 6:
IP packet size distribution (517757545 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .412 .124 .009 .010 .431 .002 .001 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .001 .001 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
226 active, 3870 inactive, 21874743 added
1256565200 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 66760 bytes
452 active, 1596 inactive, 43749486 added, 21874743 added to flow
0 alloc failures, 0 force free
2 chunks, 410 chunks added
last clearing of statistics never
Can you please provide me an idea of the traffic growth that I can experience in a similar situation?
Let me know if you need further information.
Thank you very much!