I’m at Cisco Live 2011 this week Showing off Scrutinizer v8.5 with JimmyD. It’s great to see Cisco showing off the new Catalyst 4948E NetFlow-Lite ‘NFlite’ exports using Scrutinizer NetFlow Analyzer and the nprobe.
NFlite is a sampling technology using NetFlow v9 where the following are configurable:
- A sample rate of every 32nd packet onwards in multiples of 2 (It also supports 1 in 1 sampling on up to two 1G ports for troubleshooting purposes)
- The number of packets sampled from a population (default = 1)
- The interfaces to sample on
- The length or portion of the packet sampled
- The offset in the input sampled packet
The above reminds me of the proposed PSAMP (i.e. Packet Sampling) standard. I’ll digress on this in another blog.
Anyway, the samples are sent to an nProbe which can handle about 250,000 flows per second. NFlite sends one sample per NetFlow datagram. The nprobe then compiles the data into aggregated traditional NetFlow datagrams and estimates the actual byte count and packet count for a given flow based on the sampling rate and information received in the samples. The orginal source IP address of the switch is ‘spoofed’ by the nprobe. This tactic ensures that the NetFlow / IPFIX collector believes it received the datagrams directly from the switch. This important in case the NetFlow reporting tool needs to SNMP query the switch.
You’ll also notice in the screen shot above the Nexus 7000 NetFlow exports. Scrutinizer NetFlow Monitor is demonstrating the integrated view of NetFlow data from N7k and NetFlow-lite from the 4948E.
Luca Deri, the developer of the nprobe and Cisco have been kind enough to let our NetFlow developers work directly with them to ensure our compatibility with the new NetFlow exports. The nprobe and nbox can be purchased from ravica.com.