Exporting traffic data in NetFlow takes some bandwidth that can be pre-computed using various methods. The bandwidth consumed by NetFlow (or its variants like IPFIX, sFlow, jFlow) during export is relatively small, but it depends critically on several factors.
Short Answer
For a typical enterprise network, NetFlow exports consume between 0.1% and 2% of the monitored link’s bandwidth. It is designed to be very lightweight.
How to Estimate Bandwidth?
You can estimate the export bandwidth with this calculation:
Bandwidth (bps) = Flows per Second × Bytes per Flow Record × 8 bits/byte
Example 1 (Conservative Enterprise Core):
- A busy router sees 10,000 new flows per second.
- Using NetFlow v9 with an average of 100 bytes per flow record.
- 10,000 flows/sec * 100 bytes/flow * 8 bits/byte = 8,000,000 bps (8 Mbps).
- If this router has a 10 Gbps (10,000 Mbps) uplink, the overhead is 8/10000 = 0.08%.
Example 2 (Aggressive/High-Granularity Export):
- A security-focused export with layer 7 data sees 25,000 flows/sec.
- Larger flow records at 150 bytes each.
- 25,000 * 150 * 8 = 30,000,000 bps (30 Mbps).
- On a 1 Gbps link, that’s 30/1000 = 3% overhead (still manageable, but noticeable).
Real-World Scenarios & Rule of Thumb
| Scenario | Estimated Flows/sec | Est. Export Bandwidth | Notes |
|---|---|---|---|
| Small/Medium Business | 500 – 2,000 | 400 kbps – 1.6 Mbps | < 0.5% of a 1 Gbps link. Negligible. |
| Large Enterprise Core | 5,000 – 20,000 | 4 Mbps – 16 Mbps | ~0.1% of a 10 Gbps link. Very low. |
| Large Data Center/ISP Edge | 50,000 – 200,000+ | 40 Mbps – 160+ Mbps | Can be 1-3% of a 10 Gbps link. Must be planned for. |
| Internet Exchange (IX) Router | 1,000,000+ | 800 Mbps+ | Significant traffic. Requires dedicated collector ports. |
Important Considerations
- Burstiness: Flow export is not smooth. When the cache fills or timeouts hit, many records are sent at once.
- UDP is Unreliable: The protocol is UDP-based. If the export path is congested, flow records will be lost. Always monitor for drops on both the exporter and collector.
- Sampling (sFlow vs. NetFlow): If you use sFlow (which is packet-sampled) or enable sampled NetFlow, the export bandwidth is dramatically reduced (often by a factor of 100-1000x), at the cost of granular accuracy.
- Collector Capacity: The bandwidth concern is often less about the network and more about ensuring your collector server has enough NIC and processing power to ingest the flow datagrams, especially during traffic spikes.
Conclusion: For the vast majority of enterprise networks, NetFlow export bandwidth is trivial. In massive-scale environments (ISP, hyperscale DC), it requires careful planning but is still a tiny fraction (<5%) of the monitored traffic. The operational benefit of network visibility far outweighs the minimal bandwidth cost.