NetFlow v9 is Key
One of the key features of Cisco's Flexible NetFlow (FNF) and NetFlow v9 is the ability to define exactly which fields are sent from the router to the flow collector. It's possible to reduce the fields sent to a bare minimum in order to shrink each NetFlow record; smaller records mean more records fit in each export datagram, so fewer NetFlow packets are sent from the router to the collector and less network bandwidth is consumed by NetFlow traffic.
Flexible NetFlow Field Sizes
The FNF command show flow exporter templates displays the size of each field that you've defined in your record. So to check the size of every available FNF field I created a "jumbo1" record that collects all of them, ran show flow exporter templates, and got the output shown in the screenshot at right. The "Size" column shows the number of bytes that each field contributes to the overall size of each NetFlow record, and the header shows the total size of each NetFlow record...With a record this size, we would only get about 3 NetFlow records per NetFlow datagram. A record this size would probably break a loaded production device, so don't try it. For comparison, the traditional NetFlow v5 format, with a record size of "53", gets about 28 records into a single 1500-byte UDP datagram...
The bare minimum fields needed for StealthWatch operation are highlighted in yellow in the screenshot at right. If we eliminate all but these most basic fields, the record size changes to...
This minimum set gives us about a 30% savings in record size over traditional NetFlow v5. The minimum record configuration looks like...
flow record minimum1
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
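To reproduce the size and packing arithmetic behind the figures above, here is an added Python example (not Cisco or Lancope code, and not part of the original post). It parses a flow record stanza like minimum1, sums the per-field export sizes, and works out how many records fit in a 1500-byte datagram and how many bytes per second a given flow rate costs on the wire, for both the v9 record and classic NetFlow v5. Field sizes follow the RFC 3954 field-type lengths; the assumption that interface SNMP indexes export as 4 bytes (as FNF shows them in show flow exporter templates) and the 10,000 flows/second sample rate are mine, not the page's.

```python
"""Estimate NetFlow v9 record size and export bandwidth for an FNF flow record.

Added example for this post; assumptions are marked in comments.
"""
import math
import re

# Export size in bytes of each field, per the RFC 3954 field-type lengths.
# ASSUMPTION: interface SNMP indexes are exported as 4 bytes, as FNF reports
# them in "show flow exporter templates"; adjust if your template differs.
FIELD_SIZES = {
    "ipv4 tos": 1,
    "ipv4 protocol": 1,
    "ipv4 ttl": 1,
    "ipv4 source address": 4,
    "ipv4 destination address": 4,
    "ipv4 source mask": 1,
    "ipv4 destination mask": 1,
    "transport source-port": 2,
    "transport destination-port": 2,
    "transport tcp flags": 1,
    "interface input": 4,
    "interface output": 4,
    "counter bytes": 4,
    "counter packets": 4,
    "timestamp sys-uptime first": 4,
    "timestamp sys-uptime last": 4,
}

IP_UDP_HEADER = 20 + 8      # IPv4 + UDP headers carried on the wire
V9_PACKET_HEADER = 20       # NetFlow v9 packet header (RFC 3954 section 5.1)
V9_FLOWSET_HEADER = 4       # data FlowSet ID + length
V5_PACKET_HEADER = 24       # classic v5 header
V5_RECORD_SIZE = 48         # classic v5 record, fixed format
V5_MAX_RECORDS = 30         # v5 caps a datagram at 30 records


def parse_flow_record(config):
    """Return the field names from the match/collect lines of a flow record stanza."""
    fields = []
    for line in config.splitlines():
        m = re.match(r"\s*(match|collect)\s+(.+?)\s*$", line)
        if m:
            name = m.group(2)
            if name not in FIELD_SIZES:
                raise ValueError(f"unknown or unsupported field: {name!r}")
            fields.append(name)
    return fields


def record_size(fields):
    """Bytes per exported record: the sum of the field sizes in template order."""
    return sum(FIELD_SIZES[f] for f in fields)


def v9_records_per_datagram(rec_size, mtu=1500):
    """Records that fit in one v9 datagram after IP/UDP, packet and FlowSet headers."""
    payload = mtu - IP_UDP_HEADER - V9_PACKET_HEADER - V9_FLOWSET_HEADER
    return payload // rec_size


def v9_bytes_per_second(rec_size, flows_per_sec, mtu=1500):
    """On-wire bytes/second to export flows_per_sec records in full datagrams."""
    n = v9_records_per_datagram(rec_size, mtu)
    flowset_len = V9_FLOWSET_HEADER + n * rec_size
    flowset_len += (-flowset_len) % 4   # FlowSets are padded to a 4-byte boundary
    packet_bytes = IP_UDP_HEADER + V9_PACKET_HEADER + flowset_len
    return math.ceil(flows_per_sec / n) * packet_bytes


def v5_bytes_per_second(flows_per_sec):
    """Same figure for classic NetFlow v5 (48-byte records, 30 per datagram)."""
    packet_bytes = IP_UDP_HEADER + V5_PACKET_HEADER + V5_MAX_RECORDS * V5_RECORD_SIZE
    return math.ceil(flows_per_sec / V5_MAX_RECORDS) * packet_bytes


# The minimum1 record from the post, reproduced as sample input.
MINIMUM1 = """\
flow record minimum1
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
"""


def summarize(config, flows_per_sec=10000):
    """Record size, packing and bandwidth for a record stanza at a sample flow rate (assumed)."""
    size = record_size(parse_flow_record(config))
    return {
        "record_size": size,
        "records_per_datagram": v9_records_per_datagram(size),
        "v9_bytes_per_sec": v9_bytes_per_second(size, flows_per_sec),
        "v5_bytes_per_sec": v5_bytes_per_second(flows_per_sec),
    }


if __name__ == "__main__":
    print(summarize(MINIMUM1))
```

Running this gives a 38-byte record, 38 records per 1500-byte datagram, and roughly 395 KB/s of export traffic at 10,000 flows/second versus about 498 KB/s for classic v5. Note that the wire-level saving (about 21% at that rate) is smaller than the record-level figure, because the per-datagram headers and the v5 cap of 30 records per packet both shift the comparison; run the calculator with your own record and flow rate rather than trusting a rule of thumb.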
Keep in mind that by enabling this minimum set of fields you will lose a fair number of reporting features within the StealthWatch NetFlow Collection System.
About NetFlow Cache Timers
It's important to note that you can also reduce NetFlow bandwidth by manipulating the cache timers, but we don't normally recommend it. 60 seconds is the magic number for the Active Timeout: a longer value exports long-lived flows less often, but it also delays when the collector sees them. If you have plenty of memory you can consider raising the Inactive Timeout to 30 or even 45 seconds, but be careful of cache size, since idle entries then stay in the cache longer. I'll blog on "Tuning NetFlow cache timers" later.
See this post for more discussion on configuring Flexible NetFlow for the StealthWatch System.
This Cisco document provides detailed descriptions on each FNF field.
And here's a reference to RFC 3954, "Cisco Systems NetFlow Services Export Version 9". It's a bit dated, but it includes a great deal of info on NetFlow v9's inner workings and discusses the fields further.