Sampling and NetFlow Analyzer

NetFlow Analyzer | February 25, 2011 | 3 min read

NetFlow and sFlow both work by inspecting the packets that traverse a router interface to identify the actual traffic. On links with high packet volumes and packet rates, this inspection costs the router extra CPU and memory. When flow analytics are needed for such a device, sampling should be used. With sampling, only one out of every N packets (where N is the sampling rate) is captured and sent to NetFlow Analyzer for traffic analytics, instead of every packet. The traffic pattern for the rest of the packets is then constructed from the information in that one packet.

Various devices are capable of exporting sample-based flows, including sFlow from InMon devices, jFlow from Juniper devices, and IPFIX from Nortel devices. In this blog, we’ll discuss sample-based NetFlow in NetFlow Analyzer.

Sampling is often the same for all interfaces, but it can be adjusted per interface for some Cisco routers. When sampled NetFlow is used, the NetFlow records must be adjusted for the effect of sampling, traffic volumes in particular.

The sampling rate is indicated in a header field of NetFlow version 5 (where the sampling rate is the same for all interfaces) or in the option records of NetFlow version 9 (where the sampling rate can be set per interface). Based on the information about the sampling rate in the header and the actual information on the traffic in the packet, NetFlow Analyzer will show traffic stats for each interface.

NetFlow sampling

Below are the configuration details that need to be applied to the router to export sample-based NetFlow.

Creating a flow sampler

cisco2811_Test(config)#flow-sampler-map rsamp

cisco2811_Test(config-sampler)#mode random one-out-of 10

cisco2811_Test#sh flow-sampler

Sampler : rsamp, id : 1, packets matched : 7502227, mode : random sampling mode

sampling interval is : 10

Attaching the flow sampler to an interface

cisco2811_Test#conf t

Enter configuration commands, one per line. End with CNTL/Z.

cisco2811_Test(config)#int fastEthernet 0/0

cisco2811_Test(config-if)#no ip flow ingress

cisco2811_Test(config-if)#flow-sampler rsamp

cisco2811_Test#sh run int fa0/0

Building configuration…

Current configuration : 307 bytes

!

interface FastEthernet0/0

bandwidth 1000000

ip address 192.168.118.39 255.255.255.0

ip nbar protocol-discovery

duplex auto

speed auto

flow-sampler rsamp

service-policy input setPolicy

service-policy output cqospolicy

end

Configuring an option template to send sample information

cisco2811_Test#conf t

Enter configuration commands, one per line. End with CNTL/Z.

cisco2811_Test(config)#ip flow-export template options sampler

You can configure different sampling rates for various interfaces by creating many samplers and attaching interfaces to them. The sample information will be exported along with the NetFlow packets.

How NetFlow Analyzer processes sampled NetFlow

NetFlow Analyzer receives the exported sampled NetFlow v5 or v9 packets and parses them to identify the sampling rate. The information in the packet is read and then multiplied by the sampling rate to calculate the actual traffic stats. NetFlow Analyzer has a built-in capability to identify the sampling rate set on the router interfaces and calculate the traffic pattern.

Manual sample configuration in NetFlow Analyzer

When parsing sampled NetFlow packets, NetFlow Analyzer looks for the sampling rate in the packet and calculates traffic statistics based on it. In some cases, this sampling information is not available in the NetFlow header because of issues at the router level, even though sampling was configured on the router. Escalating the issue to the device vendor and getting it fixed takes time, so NetFlow Analyzer provides an option to manually configure the sampling rate and calculate the traffic stats correctly.

To set the sampling rate for each interface, click Edit Interface Parameter, which is present beside every interface listed in the Interface View.
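The processing described in the two sections above can be illustrated with the following added Python example, which is not NetFlow Analyzer's own code. It parses a NetFlow v5 datagram, reads the sampling interval from the low 14 bits of the header's sampling field, and multiplies the packet and byte counters by it; when the header carries no rate, it falls back to a manually supplied per-interface rate. The function names, the `manual_rates` table and the sample datagram are assumptions constructed for this example.

```python
import ipaddress
import struct

# NetFlow v5 layout: 24-byte header followed by `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def scale_v5(datagram, manual_rates=None):
    """Parse one v5 datagram and scale each flow's counters by the sampling rate.

    manual_rates is a hypothetical {input ifIndex: N} table standing in for a
    manually configured rate; it is consulted only when the header carries none.
    """
    manual_rates = manual_rates or {}
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    # Never trust `count` from the wire: it must agree with the bytes received.
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header_rate = sampling & 0x3FFF  # low 14 bits = interval, top 2 bits = mode
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        in_if, pkts, octets = rec[3], rec[5], rec[6]
        # Header rate wins; otherwise the manual per-interface rate; otherwise
        # treat the flow as unsampled (N = 1) so nothing is silently inflated.
        rate = header_rate or manual_rates.get(in_if, 1)
        flows.append({
            "src": str(ipaddress.IPv4Address(rec[0])),
            "dst": str(ipaddress.IPv4Address(rec[1])),
            "input_if": in_if, "rate": rate,
            "packets": pkts * rate, "bytes": octets * rate,
        })
    return flows

def build_sample(sampling_field):
    """Constructed datagram: one flow of 120 sampled packets / 96000 bytes on ifIndex 2."""
    header = V5_HEADER.pack(5, 1, 1000, 1298592000, 0, 1, 0, 0, sampling_field)
    record = V5_RECORD.pack(
        ipaddress.IPv4Address("192.0.2.10").packed,
        ipaddress.IPv4Address("198.51.100.7").packed,
        bytes(4), 2, 3, 120, 96000, 0, 900, 49152, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record

if __name__ == "__main__":
    print(scale_v5(build_sample((1 << 14) | 10)))  # rate present in the header
    print(scale_v5(build_sample(0), {2: 10}))      # header empty, manual rate used
```

If the header rate is missing and no manual rate is set, the flow is reported at N = 1, so volumes on a sampled interface are under-reported by a factor of N until the rate is configured.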

