I tried searching doc on cisco and even googled for information on how much bandwidth netflow export uses; however I didn't find any convincing article. I also found lancope.com where they estimate the BW required, but still I was not satisfied.
I would really appreciate if someone can guide me with simple yet affective explanation or say rough guide lines to estimate the bandwidth used by netflow exports...
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
It would depend on what kind of netflow export you're doing, and the number of flows transiting the device.
I don't recall seeing any information to let you easily estimate.
Lanscope.com's estimate might put you in the ball park, but again, much depends on your configuration and your traffic.
yeah this number is so hard to define, because it really is dependent on the flow export timers, active/inactive, how long flows are active or inactive and also very importantly the cache size.
generally netflow aggregators (aka routers) use a cache and start to aggressively age out flows when the cache utilization reaches a certain level.
Also if you have long lived flows and a few of them and a cache size that accomodates it, the export rate is merely defined by the active timer.
If you have a lot of flows, relative smaller cache, you will automatically see more BW util.
If you have a lot of short lived flows, then the inactive timer will come into play here.
to sum it up, a record generally takes 300 bytes (somewhat), if you use v9, then you'll also see template exports.
all in all, netflow export is generally bursty, but very much related to the traffic patterns also.
Since this number is so specific to your scenario, best to do is to set up a qos pmap that matches on your netflow export, and use the qos mib to average the rate on that class to see how it looks like for you.
To pre-estimate something, you'll need at minimum: cache size, number of flows, flow duration (so you can correlate that towards the active vs inactive timers) and the timers itself. That all multiplied against the record size, this just to get a ballpark number.
I should configure some netflow commands on a CISCO Catalyst 6509 but I must know previously the traffic increase on the port channels because they are quite busy and I do not want to saturate them.
The commands to be implemented are:
mls nde sender version 5
mls flow ip interface-full
mls nde interface
mls aging normal 32
mls aging long 64
ip flow-export source loopback 20
ip flow-export version 9
ip flow-export destination 22.214.171.124 2055 !! It brings the flows !! thoughtout the port !! Channels
ip flow-cache timeout inactive 15
ip flow-cache timeout active 1
ip flow-capture ttl
ip route-cache flow
ip route-cache flow
I don't know exactly the number of flows because netflow is not configured yet but I can provide you the output of the "sh ip cache verbose flow" of a similar Catalyst with a similar number of VLANs and load of traffic: