Router Overhead When Enabling NetFlow

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

Router Overhead When Enabling NetFlow

Are you concerned about the router overhead when enabling NetFlow?  You should be if the router already has a busy CPU.  Make sure you trend the CPU utilization on a busy router before you try enabling NetFlow or IPFIX.  In most cases enabling these network traffic monitoring exports won’t impact performance however, they could however on an already over worked appliance. 

In most vendor implementations, flow technology is implemented in software. This results in only a small performance hit in well-written flow programs. In earlier versions of NetFlow (e.g. NetFlow v1), a busy router could be brought to its knees by enabling NetFlow.  Enabling NetFlow on the Cisco Catalyst 4500, 6500, 7600, 10000 and 12000 routers can result in the following CPU increase:

# of Active Flow Cache Entries

Additional CPU Utilization

10000

<4%

45000

<12%

65000

<16%

CAUTION: enabling conventional software implementations of NetFlow on very busy routers manufactured by most vendors can in some cases cause unacceptable performance issues.  In these cases, reducing the flow tuple or implementing flow sampling are options to consider. 

Cisco Systems, Enterasys, Extreme Networks and Dell Sonicwall develop firewalls, routers and switches that support NetFlow and IPFIX in hardware with no impact to the CPU.  SonicWALL exports IPFIX with over a dozen different templates and claims less than a 1% impact on CPU utilization. Other vendors like Enterasys have implemented unsampled NetFlow capable ASICs that are capable of exporting line rate flow exports.  With flow volumes exceeding 500,000 flows per second, the performance problem often moves from the exporter to the collector as no single flow collection appliance on the market today can handle this flow rate and distributed NetFlow solutions can’t always help when all the flows are coming from one exporter.

Distributed NetFlow collectors allow administrators to break up the collection of flows into groups with each collector receiving from a set of routers.  Because the configuration of hundreds of routers is often involved, a NetFlow replicator (aka NetFlow duplicator) is often implemented.  The Flow Replicator allows administrators to configure the routers to send flows to a single appliance.  The Flow Replicator then splits up the flows to different collectors.  This configuration allows administrators to balance the collection loads. 

netflow-replicator.png
Collection vendors like to tout their collection rates in the multiple million flows per second however, the architecture to support this flow rate is solely dependent on a multitude of individual collectors each limited to 100K-200K flows per second.  To reduce the volume, flow sampling or PSAMP is considered.  Shortening the size of the flow tuple can also lead to less flows exported.  The problem with many hardware implementations of NetFlow and IPFIX is that modifications to the tuple are not possible. Cisco and Plixer are the only vendors I know off that support this practice. 



Related Articles to 'Router Overhead When Enabling NetFlow'
cisco-performance-monitoring-with-scrutinizer.jpg
nimsoft service desk
Inbound Using Egress
Patrick Sweeney SonicWALL
Feedback for Router Overhead When Enabling NetFlow

Leave a comment

Featured Events