
Cisco 4948E NetFlow-Lite Configuration: PSAMP

Are you looking to configure a Catalyst 4948E to export NetFlow-Lite?  In this post we will share the configuration necessary to make it work.   BUT first, I thought a few of you would also be interested in some background information about the NetFlow-Lite technology.


There is a one-to-one relationship between sampled packets and flows: for every packet sampled, a separate flow record is exported. Cisco implemented some of the functionality described in the proposed standard for packet sampling technology called PSAMP.

The name PSAMP is a contraction of the phrase “Packet Sampling”.  The word “Sampling” captures the idea that only a subset of all packets passing a network element will be selected for reporting.  PSAMP selection operations include random selection, deterministic selection, and deterministic approximations to random selection (Hash-based Selection).

What is also neat about this flow implementation is that it is the first product from Cisco that can be optionally configured to export the data using IPFIX, the emerging standard for NetFlow technology.  The packet sampling on the 4948E can be configured to sample every packet on up to 2 interfaces simultaneously which can’t be done with the proprietary technology called sFlow.  Although I’m not an advocate of sampling every packet, it can be useful if a packet trace is absolutely necessary.   Generally a sample rate of 1 out of every 100 or 1000 is ample.

Here is an example 4948E NetFlow-Lite Configuration:

netflow-lite exporter check  !naming the exporter 'check'
 transport udp 2055  !starting UDP port the NetFlow-Lite export will be destined to
 transport udp load-share 16  !ports 2055-2070 (16 ports) will be used for load balancing
 template data timeout 60  !specifies the template data timeout (seconds)
 options sampler-table timeout 60  !specifies the sampler-table option timeout (seconds)
 source 9.9.9.10  !IP address the NetFlow-Lite data is sourced from
 destination 9.9.9.1  !IP address of the nProbe aggregator
 export-protocol ipfix  !export format (NetFlow-v9 or IPFIX)
!
netflow-lite sampler check  !naming the sampler 'check'
 packet-rate 32  !sample 1 in every 32 packets
 packet-section size 64  !export the first 64 bytes of each sampled packet
 packet-offset 0  !the offset from the beginning of the data field is zero
!
interface GigabitEthernet1/1
 no switchport  !makes the port a routed (L3) port rather than a switch (L2) port
 ip address 40.40.40.1 255.255.255.0  !IP address of the interface
 netflow-lite monitor 1  !define netflow-lite monitor 1 on this interface
  sampler check  !tie the sampler 'check' to monitor 1
  exporter check  !tie the exporter 'check' to monitor 1

Once you are exporting the above samples as flows, most companies will need a converter to turn the one-packet-per-record samples into traditional NetFlow or IPFIX flow records. For this, you will need an nBox, which is based on the nProbe developed by Luca Deri. The nBox in turn forwards the converted data on to the traditional NetFlow or IPFIX collector. Hopefully you are using our NetFlow Reporting solution that we put together with Cisco.
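To make the two ideas in this post concrete, the PSAMP selection operations (count-based deterministic, random, and hash-based) and the conversion of per-packet samples into flow records that an nProbe/nBox performs, here is an added Python example. It is not Cisco's, ntop's or this post's own code; the packet stream, addresses, ports and IP IDs are constructed, and the selectors are simplified models of the RFC 5475 operations rather than the switch's implementation. It also shows the caveat a practitioner should keep in mind: with `packet-rate 32` the packet and byte counts in the resulting flows are estimates scaled by 32, so short flows are under- or over-counted.

```python
"""PSAMP-style packet selection followed by flow aggregation (added example)."""
import hashlib
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    length: int   # bytes on the wire
    ip_id: int    # IPv4 identification, varies per packet (constructed)


def five_tuple(p):
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def build_stream():
    """Constructed traffic: a long HTTPS flow and a short DNS flow."""
    stream, ip_id = [], 0
    for _ in range(3000):
        stream.append(Packet("40.40.40.5", "9.9.9.50", 6, 51000, 443, 100, ip_id))
        ip_id += 1
    for _ in range(200):
        stream.append(Packet("40.40.40.6", "9.9.9.51", 17, 53000, 53, 1400, ip_id))
        ip_id += 1
    return stream


def select_count_based(packets, n):
    """Deterministic 1-in-n selection, the model behind `packet-rate 32`."""
    return [p for i, p in enumerate(packets) if i % n == 0]


def select_random(packets, n, seed=0):
    """Random selection: each packet kept independently with probability 1/n."""
    rng = random.Random(seed)
    return [p for p in packets if rng.random() < 1.0 / n]


def select_hash_based(packets, n, salt=b""):
    """Hash-based selection: keep a packet when a hash over per-packet header
    fields lands in the selected range. The decision depends only on the packet,
    so every observation point that sees it makes the same choice."""
    out = []
    for p in packets:
        material = salt + repr((five_tuple(p), p.ip_id)).encode()
        digest = hashlib.sha256(material).digest()
        if int.from_bytes(digest[:4], "big") % n == 0:
            out.append(p)
    return out


def aggregate_flows(samples, rate):
    """Fold one-packet-per-record samples into flow records, as an nProbe-style
    converter does, scaling counts by the sampling rate to estimate the total."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in samples:
        flows[five_tuple(p)]["packets"] += 1
        flows[five_tuple(p)]["bytes"] += p.length
    return {
        key: {
            "sampled_packets": v["packets"],
            "packets": v["packets"] * rate,   # estimate, not an exact count
            "bytes": v["bytes"] * rate,
        }
        for key, v in flows.items()
    }


if __name__ == "__main__":
    stream = build_stream()
    sampled = select_count_based(stream, 32)
    for key, rec in aggregate_flows(sampled, 32).items():
        print(key, rec)
```

Running it shows the 3000-packet flow estimated at 3008 packets and the 200-packet flow at 192: the error is proportional to the sampling rate, which is why a 1:32 rate gives usable totals for busy conversations but only rough figures for short ones, and why a sample rate of 1 in 100 or 1000 is acceptable for volume reporting but not for packet-level forensics.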