It is time to discuss NetFlow sampling. Today, NetFlow collectors need to be able to capture and save tens of thousands, if not hundreds of thousands, of flows per second. Sometimes, however, 100% of the flow data is not necessary.


High-volume flow exports may also consume too much bandwidth when sent across the network. Did you know that a sampling rate of 1 out of 100 packets reduces the volume of exported NetFlow data by about 50 percent? The exact reduction depends on the traffic mix: a flow still produces a record whenever at least one of its packets is sampled, so long-lived flows are always exported while most short flows disappear from the export entirely. This blog will cover how to set up NetFlow sampling on:

  • Cisco IOS NetFlow Traffic Sampling
  • Cisco IOS Flexible NetFlow Sampling
  • Cisco 12000 NetFlow Sampling
  • Nexus 7000 Sampling via Flexible NetFlow
  • 7200 routers and Cisco 6500 series MSFC Sampling Configuration
  • Catalyst 4948E NetFlow-Lite Packet Sampling

Cisco IOS NetFlow Traffic Sampling
When using IOS random sampled NetFlow, 1 out of every X packets is selected as it arrives, before any NetFlow cache entry is created; packets that are not selected never touch the cache or the CPU-bound flow processing. Here are a few NetFlow sampling nuggets:

  • Exports with NetFlow v5 or v9
  • Available in both standard NetFlow (flow-sampler-map, shown here) and Flexible NetFlow (next section)
  • Full NetFlow must be turned off on the interface, or sampling will not take effect. If you need sampled and unsampled collection side by side, you must use separate monitors in Flexible NetFlow.
  • Each NetFlow sampler map can be applied to one or many subinterfaces as well as physical interfaces.
  • You can define up to eight NetFlow sampler maps.

Commands (CEF is a prerequisite; the export destination and version are configured exactly as for unsampled NetFlow and are not shown):

Router# config t
Router(config)# ip cef
Router(config)# flow-sampler-map mysampler1
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# exit
Router(config)# interface ethernet 1
Router(config-if)# flow-sampler mysampler1
Router(config-if)# ip route-cache cef
Router(config-if)# exit

Verify the sampler and the packets it has selected with show flow-sampler.


Cisco IOS Flexible NetFlow Sampling

Flexible NetFlow can also be used to sample traffic. The example below assumes that you have already created a Flexible NetFlow configuration (flow record, flow exporter and a flow monitor named FnF-Sampler-MON) and attaches a 1-in-5 random sampler to that monitor on one interface.
Commands:

Router# config t
Router(config)# sampler mysampler-1
Router(config-sampler)# description Sample at 20%
Router(config-sampler)# mode random 1 out-of 5
Router(config-sampler)# exit
Router(config)# interface fastEthernet 0/0
Router(config-if)# ip flow monitor FnF-Sampler-MON sampler mysampler-1 input
Router(config-if)# exit

Note: You CANNOT use a Flexible NetFlow monitor to sample if it is being used as a non-sampling monitor elsewhere; create a second monitor for the sampled interfaces. Check the sampler, its mode and the interfaces it is applied to with show sampler.


Cisco 12000 NetFlow Sampling

NetFlow sampling on the 12000 can be configured to sample 1 out of every X packets. Here are a few details:

  • Collects and exports NetFlow data for a sample of the traffic passing through the router instead of all of it
  • Only for the 12000 router (GSR) so far
  • Sampled NetFlow exports the same fields as full NetFlow; only the packet and byte counters reflect a fraction of the traffic
  • The sampling interval is fixed (every Xth packet), not a random average, so it can alias with traffic that has a periodic pattern
  • Sampling advantages: CPU reduced and possibly reduced exported data
  • Sampling disadvantage: billing is difficult, because per-flow byte counts are estimates rather than measurements

Commands:

Router(config)# ip flow-sampling-mode packet-interval <10-16382>
Router(config)# interface <type slot/port>
Router(config-if)# ip route-cache flow sampled [ input | output ]

Show Command:

Router# show ip flow sampling
Flow sampling is enabled
'Packet Interval' sampling mode is configured.
1 out of every 100 packets is being sampled.


Nexus 7000 Sampling via Flexible NetFlow

NetFlow sampling on the Nexus 7000 can also be configured to sample 1 out of every X packets. NetFlow must be enabled on the switch first (feature netflow).

Configure sampler:

switch# config t
switch(config)# sampler SampleTest
switch(config-flow-sampler)# mode 1 out-of 100
switch(config-flow-sampler)# exit

Configure sampled monitor on interface (in NX-OS the sampler keyword follows the direction):

switch(config)# interface Vlan612
switch(config-if)# ip flow monitor [ MONITOR NAME ] input sampler SampleTest
switch(config-if)# exit

Show Command:

switch# show sampler

Further details on the Nexus 7000 sampled NetFlow configuration can be found on Cisco's web site.


Cisco 7200 routers and Cisco 6500 series MSFCs Sampling Configuration
There are 2 types of NetFlow sampling on the Cisco 6500 series: "time-based" and "packet-based". The technology used here is not packet sampling in the same sense as sFlow. Rather, here we are talking about "flow" sampling: whole flows are either selected for export or dropped. The mls commands in this section are entered on the Catalyst 6500 supervisor (PFC/MSFC); the 7200 is a software-forwarding router and uses the IOS flow-sampler-map configuration shown earlier.

Packet-based NetFlow sampling uses one of the two following methods to select flows for sampling and export (taken from Cisco documentation). Both operate within an interval of X milliseconds, where X is a value in the range of 8000-16000 (inclusive):

  • The number of packets in the expired flow exceeds the sampling rate: the flow is sampled (selected) and then exported.
  • The number of packets in the expired flow is less than the sampling rate: the packet count for the flow is added to one of eight buckets based on the number of packets in the flow. The eight bucket sizes are 1/8th increments of the sampling rate: a flow with 0-1/8th of the sampling rate in packets is assigned to the first bucket, a flow with 1/8th-2/8th of the sampling rate to the second bucket, and so on. When adding the packet count for a flow to a bucket causes the bucket counter to exceed the sampling rate, the last flow for which the counters were added to that bucket is sampled and exported, the bucket counter is reset to 0, and the process of increasing the bucket counter starts over. This method ensures that some flows whose packet count never exceeds the sampling rate are still selected for sampling and exported.

On the 6500, sampling is therefore 1 out of every x flows rather than 1 out of every x packets, and it can be based on time or packets.

Packets: collect every flow with more than X packets, plus the bucket-selected smaller flows, in each interval of Y milliseconds

! configure globally
Router(config)# mls sampling packet-based rate [interval]
Router(config)# interface {vlan vlan_ID | type slot/port}
! enable flow sampling on a layer 3 interface
Router(config-if)# mls netflow sampling

Time: collect all flows within the first X milliseconds of every Y milliseconds

Router(config)# mls sampling time-based rate
Router(config)# interface {vlan vlan_ID | type slot/port}
Router(config-if)# mls netflow sampling

Verify the active mode and rate with show mls sampling.
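The bucket rule above is easier to reason about as code. This is an added example written for this post, not Cisco's implementation: it applies the two packet-based rules to a list of expired flows exactly as the description states them (flows bigger than the rate always exported, smaller flows accumulated in eight buckets of rate/8 and exported when a bucket overflows), and the time-based mode alongside it. The flow names, packet counts and timestamps are constructed; the rate must be a multiple of 8 so the buckets divide evenly, an assumption made here for simplicity.

```python
def packet_based_sample(expired_flows, rate):
    """Select flows for export using the two 6500 packet-based rules.

    expired_flows: (flow_key, packet_count) pairs in the order the flows
    expire within one sampling interval.
    rate: the configured sampling rate; assumed to be a multiple of 8 so
    that each of the eight buckets spans exactly 1/8th of it.
    Returns (selected_keys, bucket_counters_after_the_interval).
    """
    if rate <= 0 or rate % 8:
        raise ValueError("rate must be a positive multiple of 8")
    buckets = [0] * 8
    selected = []
    for key, pkts in expired_flows:
        if pkts > rate:
            # Rule 1: a flow with more packets than the rate is always exported.
            selected.append(key)
            continue
        # Rule 2: pick the bucket by which 1/8th of the rate the flow falls in.
        # A flow with exactly `rate` packets lands in the last bucket.
        idx = min(pkts * 8 // rate, 7)
        buckets[idx] += pkts
        if buckets[idx] > rate:
            # The flow that pushes the bucket over the rate is exported, so
            # small flows are still represented now and then.
            selected.append(key)
            buckets[idx] = 0
    return selected, buckets


def time_based_sample(expired_flows, window_ms, period_ms):
    """Time-based mode: export every flow that expires within the first
    window_ms of each period_ms, and nothing that expires outside it.

    expired_flows: (flow_key, expiry_time_ms) pairs.
    """
    return [key for key, t in expired_flows if t % period_ms < window_ms]


if __name__ == "__main__":
    # Constructed interval: one big flow, a burst of 3-packet DNS flows and
    # two 40-packet flows, at rate 64.
    flows = [("big", 100)] + [("dns%d" % i, 3) for i in range(22)]
    flows += [("mid0", 40), ("mid1", 40)]
    print(packet_based_sample(flows, 64))
    print(time_based_sample([("a", 500), ("b", 2000), ("c", 8300)], 1024, 8192))
```

With rate 64 the 22 three-packet DNS flows fill bucket 0 to 63 and the 22nd tips it to 66, so only that one DNS flow is exported for the whole burst; the two 40-packet flows share bucket 5 and the second one is exported. That is the practical meaning of "1 out of every x flows": the selection is driven by bucket overflow, not by a per-flow coin toss, so which small flow gets exported depends on the order in which flows expire.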


Catalyst 4948E NetFlow-Lite Packet Sampling
Requires that the 4948E be running Cisco IOS 15.0(2)FG (the 4948E runs IOS, not CatOS). NetFlow-Lite is hardware-based packet sampling with less than 10% load on the CPU: instead of flow records, the switch exports the first N bytes of 1 in every M packets and leaves flow building to the collector. This was the first example of Cisco's support for IPFIX and the PSAMP (packet sampling) technology.

Commands (annotations are written as IOS "!" comments so the block can be pasted as-is):

! exporter named 'check'
netflow-lite exporter check
 ! Layer 2 class of service and DSCP marking of the NetFlow-Lite datagrams
 cos 0
 dscp 60
 ! time to live of the export packets
 ttl 254
 ! UDP port the NetFlow-Lite export travels on
 transport udp 1000
 ! template refresh interval in seconds for the sampled-packet data template
 template data timeout 60
 ! export sampler intervals and sample modes as an option table
 options sampler-table timeout 60
 ! refresh interval in seconds for the interface option template
 options interface-table timeout 60
 ! source address the exports come from
 source 1.1.1.1
 ! address of the collector (the nProbe aggregator in this setup)
 destination 1.1.1.3
 ! netflow-v9 or ipfix
 export-protocol netflow-v9
!
! sampler named 'check'
netflow-lite sampler check
 ! sample 1 in every 32 packets
 packet-rate 32
 ! export the first 64 bytes of each sampled packet, starting at offset 0
 packet-section size 64
 packet-offset 0
!
interface GigabitEthernet1/1
 no switchport
 ip address 40.40.40.1 255.255.255.0
 ! monitor '1' ties sampler 'check' and exporter 'check' to this interface
 netflow-lite monitor 1
  sampler check
  exporter check
!
! enabling on a VLAN
vlan configuration 2
 netflow-lite monitor 1
  sampler check
  exporter check

Why is the "options sampler-table" command important? It gives the analysis engine the sampling rate and method of each sampler, so it can scale the samples up to a statistically likely traffic rate. Without that option record the reporting engine would have to display the samples as if they were unsampled traffic, and the reported volume would be far below the actual bandwidth (with packet-rate 32, roughly 1/32 of it).

Summary
Because of sampling, a NetFlow or IPFIX collector that receives only a small percentage of the traffic will not represent total throughput correctly unless it knows the sampling rate and scales its estimates. An sFlow analyzer gets around this by using the interface counters in conjunction with the packet samples. Conceivably, instead of statistical prediction, you could use a Flexible NetFlow monitor containing src/dst interface key fields with packet and byte counters to create a small cache. I haven't tested this yet, but my feeling is that this would essentially do the same thing as sFlow with a small resource footprint. Right?
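The collector-side half of the sampler-table point above, as an added example that is not part of the original post or of any collector product: given decoded NetFlow v9 data records that carry a sampler id and the sampler option records the exporter sent (in v9 these come from FLOW_SAMPLER_ID, FLOW_SAMPLER_MODE and FLOW_SAMPLER_RANDOM_INTERVAL), scale each record's counters by its sampling interval and derive a bit rate. The records, exporter addresses and sampler table below are constructed; the third record deliberately references a sampler the collector has no option record for, which is the case a reporting engine must flag rather than silently under-report.

```python
# Constructed decoded NetFlow v9 data: the collector's view after parsing
# the data records and the sampler option records (not real exporter output).
SAMPLER_TABLE = {
    # (exporter address, FLOW_SAMPLER_ID) -> decoded option record
    ("10.0.0.1", 1): {"mode": "random", "interval": 32},
    ("10.0.0.1", 2): {"mode": "deterministic", "interval": 100},
}

RECORDS = [
    {"exporter": "10.0.0.1", "sampler_id": 1, "src": "10.1.1.5",
     "dst": "192.0.2.10", "packets": 10, "bytes": 12000,
     "first_ms": 0, "last_ms": 1000},
    {"exporter": "10.0.0.1", "sampler_id": 0, "src": "10.1.1.6",
     "dst": "192.0.2.53", "packets": 2, "bytes": 500,
     "first_ms": 0, "last_ms": 0},
    {"exporter": "10.0.0.2", "sampler_id": 5, "src": "10.1.2.7",
     "dst": "192.0.2.20", "packets": 4, "bytes": 6000,
     "first_ms": 100, "last_ms": 600},
]


def scale_records(records, sampler_table):
    """Scale each record's counters by the interval of the sampler it names.

    sampler_id 0 means the exporter did not sample that traffic. A sampler id
    with no option record cannot be scaled: the record is passed through with
    rate 1 and a warning is returned so the reporting side can show the gap
    instead of quietly displaying a fraction of the real bandwidth.
    Returns (scaled_records, warnings).
    """
    scaled, warnings = [], []
    for rec in records:
        sid = rec["sampler_id"]
        if sid == 0:
            rate = 1
        else:
            entry = sampler_table.get((rec["exporter"], sid))
            if entry is None:
                warnings.append("%s sampler %d: no sampler option record, "
                                "counters left unscaled" % (rec["exporter"], sid))
                rate = 1
            else:
                rate = entry["interval"]
        est_packets = rec["packets"] * rate
        est_bytes = rec["bytes"] * rate
        duration_s = (rec["last_ms"] - rec["first_ms"]) / 1000.0
        # A flow whose first and last packet share a timestamp has no
        # measurable duration, so no rate can be derived for it.
        est_bps = est_bytes * 8 / duration_s if duration_s > 0 else None
        scaled.append(dict(rec, rate=rate, est_packets=est_packets,
                           est_bytes=est_bytes, est_bps=est_bps))
    return scaled, warnings


def total_bytes(scaled):
    """Estimated bytes across all scaled records."""
    return sum(r["est_bytes"] for r in scaled)


if __name__ == "__main__":
    out, warns = scale_records(RECORDS, SAMPLER_TABLE)
    for r in out:
        print(r["src"], "->", r["dst"], "x%d" % r["rate"],
              r["est_bytes"], "bytes", r["est_bps"], "bps")
    for w in warns:
        print("WARNING:", w)
```

The first record (10 sampled packets, 12,000 bytes over one second at 1-in-32) becomes an estimated 320 packets and 384,000 bytes, or about 3 Mbit/s, which is the number a report should show; the unscaled 96 kbit/s is what appears when the sampler table is missing or ignored. Keying the table on (exporter, sampler id) matters because sampler ids are only unique per exporter.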



Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
