NAM Probe considerations for NetFlow monitoring

The NAM Probe is not limited by the number of devices from which it can receive flows, but by the total volume of flows. To estimate the bandwidth required to carry flows, use the NetFlow version and the flows per second (fps) value for each of the transmitting devices.

Total volume of flows

The total volume of flows, expressed in fps, is the most common metric for NetFlow. It is a measurement of the NetFlow records being generated by a router, switch, or other NetFlow-enabled device every second.

The NAM Probe Flow Collector can receive flows from different physical devices with multiple interfaces. While the number of generated flows depends on the specific environment being measured, the issue generally is not the number of devices exporting to a single collector, but rather the total volume of flows. Field testing shows that the NAM Probe Flow Collector can handle more than 150,000 fps. Note that this figure pertains only to the NAM Probe's ability to process flows. Other limitations resulting from the number of sessions stored within the NAM Server are still applicable.

Bandwidth

Bandwidth usage is the bandwidth used for the transportation of flow data from the monitored NetFlow-enabled devices to the flow collector.

Because of the need to actively use SNMP polling and terminate the export sessions, the NAM Probe Flow Collector cannot use the sniffing interfaces to transport flow data. Instead, the communication interface is normally used for this purpose. The interface's primary role is to provide access to the NAM Probe for configuration and for data retrieval by report servers. However, the NetFlow traffic volume is usually low enough for that single interface to accommodate both roles. A dedicated interface is always better, but typically not necessary.

To determine the potential bandwidth usage and understand whether a separate interface is required, query each device to determine the flow-per-second rate within your environment. For example, in a Cisco environment, you could issue the show ip cache flow command. This returns a number of statistics, including the device's flow-per-second rate. For the syntax of the command, refer to the vendor documentation.

When you know the flow-per-second rate, use it to determine the bandwidth usage. In a NetFlow v5 environment, a 1,500-byte UDP frame can carry approximately 30 flow records; for NetFlow version 9, 34 records can be carried in a 1,500-byte frame. Apply one of the following formulas to estimate the bandwidth to be used:

For NetFlow v5

(fps/30) * 1500 * 8/1000 = Bandwidth usage in Kbps

For NetFlow v9

(fps/34) * 1500 * 8/1000 = Bandwidth usage in Kbps

For example, a NetFlow v9 environment with two devices, one with ten interfaces with NetFlow enabled and the other with two interfaces with NetFlow enabled, generates a combined rate of 15786 fps. The bandwidth used will be:

(15786/34) * 1500 * 8/1000 = 5,571 Kbps
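
The same estimate extended to several exporters with mixed NetFlow versions, as an added example that is not part of the product documentation. The device names, the link speed, and the 10% utilization threshold for advising a dedicated interface are assumptions; the records-per-frame values and the 150,000 fps figure come from the text above.

```python
from dataclasses import dataclass

# Figures taken from the text above
RECORDS_PER_FRAME = {5: 30, 9: 34}   # flow records per 1,500-byte UDP frame
FRAME_BYTES = 1500
COLLECTOR_FPS_FIGURE = 150_000       # field-tested processing figure ("more than")


@dataclass
class Exporter:
    name: str      # hypothetical device label
    version: int   # NetFlow version: 5 or 9
    fps: float     # flows per second reported by the device


def export_kbps(version, fps):
    """Formula from the text: (fps / records_per_frame) * 1500 * 8 / 1000."""
    if version not in RECORDS_PER_FRAME:
        raise ValueError(f"no records-per-frame figure for NetFlow v{version}")
    if fps < 0:
        raise ValueError("fps must be non-negative")
    return fps / RECORDS_PER_FRAME[version] * FRAME_BYTES * 8 / 1000


def size_collector(exporters, link_kbps, max_share=0.10):
    """Sum all exporters and compare against the collector figure and the link.

    link_kbps (speed of the communication interface) and max_share (the
    fraction of that link NetFlow may use before a dedicated interface is
    advised) are assumptions, not values from the documentation.
    """
    total_fps = sum(e.fps for e in exporters)
    total_kbps = sum(export_kbps(e.version, e.fps) for e in exporters)
    share = total_kbps / link_kbps
    return {
        "total_fps": total_fps,
        "total_kbps": total_kbps,
        "link_share": share,
        "within_fps_figure": total_fps <= COLLECTOR_FPS_FIGURE,
        "dedicated_interface_advised": share > max_share,
    }


if __name__ == "__main__":
    # Constructed inventory: the v9 rate is the one from the worked example.
    inventory = [Exporter("rtr-a", 9, 15786), Exporter("sw-b", 5, 3000)]
    for link in (1_000_000, 10_000):  # 1 Gbps and 10 Mbps, in Kbps
        print(link, size_collector(inventory, link))
```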