9 Replies Latest reply on Jun 21, 2008 5:07 AM by mick

    Net Flow over a WAN link


      We have just purchased the Netflow module. I am going to install it this week but have some concerns about bandwidth. We have a particular problem site that I really would like to see Netflow data on. However, the site is located in Manila, PH. I am in Columbus, OH, where the Orion install and DB are as well. I know syslog and SNMP over a tunnel don't take up a lot of bandwidth, but what about Netflow? I should mention that the site in question has approx 400 users. I would start with a single 3750 as the Netflow device. This is their current core switch where all user stacks terminate before heading out the VPN or Internet. Can Netflow traffic overwhelm their internet pipe (10 Mb)?

        • Re: Net Flow over a WAN link
          Andy McBride

          Hi pguenther,

          This is a very good question - shows some good thought and planning. I don't think Netflow will overwhelm your 10Mb link alone, but it will have to share bandwidth (b/w) with user traffic. I would first look at what your peak and average b/w is now and historically and determine how close to full the link is. If you are not running topped out then you will probably be OK. I suggest adding Netflow to only one IF first (sounds like you may not need more than 1 IF) on off-peak hours, then start collecting and monitor the b/w. One strange feature of Netflow, as a technology, is that it does not collect Netflow as a traffic type, so you can't use Netflow to measure Netflow.


          • Re: Net Flow over a WAN link

            This is just my experience, so caveat emptor...

            If you have the IP route flow cache enabled on the router interfaces, you can get a rough idea of the data rate for NetFlow this way. To see an estimate of the current number of flows:

            RTR01#sh ip cache flow
            IP packet size distribution (7098M total packets):
               1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
               .001 .445 .157 .028 .028 .028 .095 .012 .007 .004 .003 .001 .002 .002 .001

                512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
               .001 .005 .004 .010 .156 .000 .000 .000 .000 .000 .000

            IP Flow Switching Cache, 278544 bytes
              3522 active, 574 inactive, 571918570 added
              3796396191 ager polls, 0 flow alloc failures
              Active flows timeout in 30 minutes
              Inactive flows timeout in 15 seconds
            IP Sub Flow Cache, 124104 bytes
              3524 active, 1596 inactive, 571925955 added, 571918570 added to flow
              0 alloc failures, 12317 force free
              5 chunks, 12225 chunks added
              last clearing of statistics never

            lots more stuff from all the flows...


            With this number of, say, 3500 flows as a reference, there are about 30 flows in each UDP packet in my case.  It seems to update about 8 UDP flow packets per second, so that is ~12Kbytes/second.  A 10Mbps pipe is ~1250Kbytes/second, so Cisco's reference estimate of ~1% of the pipe traffic seems spot on...
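
The estimate in the reply above, worked from two `sh ip cache flow` samples; this is an added example, not part of the original post. It assumes NetFlow v5 export (24-byte header, 48-byte records, at most 30 records per datagram) with full datagrams, and the second sample and the 60-second interval are constructed.

```python
import re

# NetFlow v5 export datagram layout: 24-byte header plus 48 bytes per flow
# record, at most 30 records per datagram; 28 bytes of IPv4 + UDP headers.
V5_HEADER, V5_RECORD, V5_MAX_RECORDS, IP_UDP = 24, 48, 30, 28

CACHE_RE = re.compile(
    r"IP Flow Switching Cache.*?(\d+) active, (\d+) inactive, (\d+) added", re.S)

def parse_cache(output):
    """Return (active, added) from the 'IP Flow Switching Cache' section."""
    m = CACHE_RE.search(output)
    if m is None:
        raise ValueError("no 'IP Flow Switching Cache' section found")
    return int(m.group(1)), int(m.group(3))

def export_rate(first, second, interval_s):
    """Estimate export load (flows/s, bytes/s) from two samples of the cache."""
    active1, added1 = parse_cache(first)
    active2, added2 = parse_cache(second)
    # Every flow added in the interval is either still active or has expired;
    # expired flows are the ones that get exported.
    expired = (added2 - added1) - (active2 - active1)
    if expired < 0:
        raise ValueError("counters went backwards (cleared or wrapped)")
    flows_per_s = expired / interval_s
    packets_per_s = flows_per_s / V5_MAX_RECORDS  # assumes full datagrams
    bytes_per_s = packets_per_s * (IP_UDP + V5_HEADER) + flows_per_s * V5_RECORD
    return flows_per_s, bytes_per_s

def link_share(bytes_per_s, link_bps):
    """Fraction of a link of link_bps bits/s used by the export stream."""
    return bytes_per_s * 8 / link_bps

# Constructed samples, 60 seconds apart (the first uses the counters quoted above).
SAMPLE_T0 = """IP Flow Switching Cache, 278544 bytes
  3522 active, 574 inactive, 571918570 added
  3796396191 ager polls, 0 flow alloc failures
IP Sub Flow Cache, 124104 bytes
  3524 active, 1596 inactive, 571925955 added, 571918570 added to flow"""
SAMPLE_T1 = SAMPLE_T0.replace("3522 active, 574 inactive, 571918570 added",
                              "3622 active, 474 inactive, 571933070 added")

if __name__ == "__main__":
    flows, rate = export_rate(SAMPLE_T0, SAMPLE_T1, 60)
    print(f"{flows:.0f} flows/s, {rate/1000:.1f} kB/s, "
          f"{link_share(rate, 10_000_000):.2%} of a 10 Mb link")
```

Sampling the `added` counter twice gives the flow expiry rate directly, which tracks export volume more closely than the instantaneous active-flow count.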

            • Re: Net Flow over a WAN link

               One point to note, to my knowledge Netflow statistics can not be generated by a 3750. We use a number of them and have fairly recent code and do not see it as an option.

              • Re: Net Flow over a WAN link

                I'm afraid I agree with slbrodbeck. 3750 will not support ip route-cache. I have to rely on 6500 cores and the odd 3550-g for data flow.