1

I am planning to deploy a NetFlow server (using NfSen/NfDump) for harvesting data from Cisco devices.

Are there standard calculations or guidelines I can use to calculate my server requirements? Specifically, I need to plan for storage. Is there a way of knowing how much data I will collect per day, for example, given N flows?

Let's say one device has 10k flows per day, this is typically XYZ MBs, so I can scale this up?

If not, how many flows are you guys and girls recording per day, and how much data is this generating? Hopefully we can generate an estimate from everyone else's figures!

P.S. If it makes a difference, I'll be collecting from <= 50 devices max (no more than 50Mbps each).

jwbensley
  • Hint: enable flow export on a typical device and check with `sh ip flow export` how many flows are exported in a day/week/month. – Oliver May 29 '12 at 16:02
  • Not an answer, but check out flowviewer. Flowviewer will help visualize data. For a 1.5m mpls site, 2mb per hour. LAN with lots of server traffic 50-100mb per hour. – mrlayance May 31 '12 at 16:26

1 Answer

3

This can vary -massively- and has almost no correlation with the amount of bandwidth you're seeing on an interface. A single 50M flow (which would account for one of your devices) could be in constant use and would, as a result, generate flows only when you hit the natural timeouts (so every 5 mins or so - 288 flows a day). At the same time a DoS attack could be generating 50Mbps of 64 byte packets, each with a different src/dst L3 and L4 tuple and you'd be staring down 1M flows per second.

Obviously these are extreme examples but the point is that the nature of the network and the type of traffic you're carrying will make a big difference. The other variables are the Netflow version - old style V1/V5/V7 vs V9, the latter of which has capabilities for aggregation, summarization and customization. The other potential point is the use of Netflow sampling (on the higher end / SP side of Cisco).

What I can advise is that scaling Netflow is usually pretty linear. Your best bet by far would be just gathering some empirical data about what's being pushed right now and sizing your infrastructure to accommodate a healthy margin over that. I can tell you that I've been in enterprise environments on the smaller side of medium that were pulling from a similar number of devices and were seeing ~120-150 million flows per week.

I can tell you that in many environments where Netflow is being pulled from a similar number of devices in fairly diverse enterprise networks (on the smaller side of medium) that I've been in shops where I was

rnxrx
  • The only way I can really gain what I require is to set up a NetFlow server and start logging data, on a test box. So this is exactly what I have done, you are correct. Thanks :) – jwbensley Jun 07 '12 at 08:49
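
The empirical sizing approach recommended in the answer, as an added example that is not part of the original thread: it derives bytes per flow from measured capture files on a test collector, extrapolates linearly to the full device count, and checks whether the chosen margin covers the busiest measured interval. The sample figures, the 30-day retention, the 1.5x margin and the 5-to-50 device scale factor are all constructed assumptions, not benchmarks.

```python
"""Linear NetFlow storage projection from a measured sample (added example)."""
from dataclasses import dataclass


@dataclass
class Sample:
    flows: int       # flows recorded in one capture-file interval
    size_bytes: int  # on-disk size of that capture file


# Constructed sample: five 5-minute capture files from a test collector
# fed by 5 devices. Replace with figures measured on your own network.
SAMPLES = [
    Sample(10_000, 500_000),
    Sample(12_000, 600_000),
    Sample(8_000, 400_000),
    Sample(20_000, 1_000_000),  # a burst interval
    Sample(10_000, 500_000),
]
INTERVAL_S = 300  # length of one capture-file interval in seconds


def timeout_floor(active_timeout_s=300):
    """Flows per day from one always-on flow exported at each active timeout."""
    return 86_400 // active_timeout_s


def project(samples, interval_s, retention_days, margin=1.5, scale=1.0):
    """Extrapolate linearly. scale = devices planned / devices sampled."""
    total_flows = sum(s.flows for s in samples)
    mean_flows = total_flows / len(samples)
    bpf = sum(s.size_bytes for s in samples) / total_flows
    flows_day = mean_flows * (86_400 / interval_s) * scale
    bytes_day = flows_day * bpf
    peak_to_mean = max(s.flows for s in samples) / mean_flows
    return {
        "flows_per_day": round(flows_day),
        "bytes_per_flow": bpf,
        "gib_per_day": bytes_day / 2**30,
        "gib_retained": bytes_day * retention_days * margin / 2**30,
        "peak_to_mean": peak_to_mean,
        # False means bursts already seen in the sample exceed the margin.
        "margin_covers_peak": margin >= peak_to_mean,
    }


if __name__ == "__main__":
    print("floor, one constant flow:", timeout_floor(), "flows/day")
    for key, value in project(SAMPLES, INTERVAL_S, 30, 1.5, scale=10).items():
        print(f"{key}: {value}")
```

A longer sample window (at least a full week) gives a more trustworthy mean and peak than the five intervals used here.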