Downloads |
 Feedback
|
Table Of Contents
Prerequisites for Random Sampled NetFlow
Restrictions for Random Sampled NetFlow
Information About Random Sampled NetFlow
How to Configure Random Sampled NetFlow
Defining a NetFlow Sampler Map
Applying a NetFlow Sampler Map to an Interface
Configuration Examples for Random Sampled NetFlow
Defining a NetFlow Sampler Map: Example
Applying a NetFlow Sampler Map to an Interface: Example
mode (flow sampler configuration)
Random Sampled NetFlow
NetFlow provides highly granular per-flow traffic statistics in a Cisco router. A flow is a unidirectional set of packets that arrive at the router on the same subinterface, have the same source and destination IP addresses, Layer 4 protocol, TCP/UDP source and destination ports, and the same type of service (ToS) byte in the IP headers. The router accumulates NetFlow statistics in a NetFlow cache and can export them to an external device (such as the Cisco CNS NetFlow Collection Engine) for further processing.
Random Sampled NetFlow provides NetFlow data for a subset of traffic in a Cisco router by processing only one randomly selected packet out of n sequential packets (n is a user-configurable parameter). Packets are sampled as they arrive (before any NetFlow cache entries are made for those packets). Statistical traffic sampling substantially reduces consumption of router resources (especially CPU resources) while providing valuable NetFlow data.
The main uses of Random Sampled NetFlow are traffic engineering, capacity planning, and applications where full NetFlow is not needed for an accurate view of network traffic.
Note
NetFlow's ability to sample packets was first provided by a feature named Sampled NetFlow. The methodology that the Sampled NetFlow feature uses is deterministic sampling, which selects every nth packet for NetFlow processing on a per-interface basis. For example, if you set the sampling rate to 1 out of 100 packets, then Sampled NetFlow samples the 1st, 101st, 201st, 301st, and so on packets. Sampled NetFlow does not allow random sampling and thus can make statistics inaccurate when traffic arrives in fixed patterns. Random Sampled NetFlow is more statistically accurate than Sampled NetFlow.
History for Random Sampled NetFlow Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
•
•
•
•
Prerequisites for Random Sampled NetFlow
Before you can configure the Random Sampled NetFlow feature, you must configure
•
•
•
Restrictions for Random Sampled NetFlow
If full Netflow is enabled on an interface, it takes precedence over Random Sampled NetFlow (which will thus have no effect). This means that you should disable full NetFlow on an interface before enabling Random Sampled NetFlow on that interface.
In contrast with full NetFlow, enabling Random Sampled NetFlow on a physical interface does not automatically enable Random Sampled NetFlow on subinterfaces—you must explicitly configure it on subinterfaces. Also, disabling Random Sampled NetFlow on a physical interface (or a subinterface) does not enable full NetFlow. This restriction prevents the transition to full NetFlow from overwhelming the physical interface (or subinterface); you must explicitly enable full NetFlow if desired.
If you enable Random Sampled NetFlow with Version 5 data export, sampler options templates are not exported, and sampler IDs are exported in the least significant three bits of the last byte of the Version 5 record pad field.
Information About Random Sampled NetFlow
To configure Random Sampled NetFlow, you must understand the following concepts:
Random Sampling Mode
The sampling mode determines the algorithm that selects a subset of traffic for NetFlow processing. In the random sampling mode that Random Sampled NetFlow uses, incoming packets are randomly selected so that one out of each n sequential packets is selected on average for NetFlow processing. For example, if you set the sampling rate to 1 out of 100 packets, then NetFlow might sample the 5th, 120th, 199th, 302nd, and so on packets. This sample configuration provides NetFlow data on 1 percent of total traffic. The n value is a parameter from 1 to 65535 packets that you can configure.
Subinterface Support
Random Sampled NetFlow is supported at the subinterface level. You can configure Random Sampled NetFlow per subinterface as well as per physical interface. Traffic is collected only on the subinterfaces on which Random Sampled NetFlow is configured. As with full NetFlow, enabling Random Sampled NetFlow on a physical interface does not enable Random Sampled NetFlow on subinterfaces automatically—you must explicitly configure it on the subinterfaces.
NetFlow Sampler
A NetFlow sampler map defines a set of properties (such as the sampling rate and NetFlow sampler name) for NetFlow sampling. Each NetFlow sampler map can be applied to one or many subinterfaces as well as physical interfaces. You can define up to eight NetFlow sampler maps.
For example, you can create a NetFlow sampler map named mysampler1 with the following properties: random sampling mode and a sampling rate of 1 out of 100 packets. This NetFlow sampler map can be applied to any number of subinterfaces, each of which would refer to mysampler1 to perform NetFlow sampling. Traffic from these subinterfaces is merged from a sampling point of view. This introduces even more "randomness" than with random per-subinterface NetFlow sampling, but statistically provides the same sampling rate of 1 out of 100 packets for each participating subinterface.
The sampling in Random Sampled NetFlow is done by NetFlow samplers. A NetFlow sampler is defined as an instance of a NetFlow sampler map that has been applied to a physical interface or subinterface. If full NetFlow is configured on a physical interface, it overrides Random Sampled NetFlow on all subinterfaces of this physical interface.
Export Format
Random Sampled NetFlow is supported in the Version 5 and Version 9 NetFlow export formats.
Memory Impact
This feature allows a smaller NetFlow cache than full NetFlow, because it significantly reduces the number of flows. This feature requires an insignificant amount of memory for each configured NetFlow sampler.
Effect on Interface Traffic
This feature substantially reduces the impact of NetFlow data export on interface traffic. For example, a sampling rate of 1 out of 100 packets reduces the export of NetFlow data by about 50 percent.
How to Configure Random Sampled NetFlow
This section contains the following configuration tasks:
•
•
•
•
Defining a NetFlow Sampler Map
This section shows how to define a NetFlow sampler map.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Applying a NetFlow Sampler Map to an Interface
This section shows how to apply a NetFlow sampler map to a physical interface (or a subinterface) to create a NetFlow sampler.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Verifying the Configuration
This section shows how to verify successful configuration of Random Sampled NetFlow.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Troubleshooting Tips
Use the debug flow-sampler command to display debugging output for Random Sampled NetFlow.
Configuration Examples for Random Sampled NetFlow
This section provides the following configuration examples:
•
•
Defining a NetFlow Sampler Map: Example
The following example shows how to define a NetFlow sampler map named mysampler1:
Router> enablePassword:Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# flow-sampler-map mysampler1Router(config-sampler)# mode random one-out-of 100Router(config-sampler)#Router(config-sampler)# endRouter#3w5d: %SYS-5-CONFIG_I: Configured from console by consoleApplying a NetFlow Sampler Map to an Interface: Example
The following example shows how to enable CEF switching and apply a NetFlow sampler map named mysampler1 to Ethernet interface 1 to create a NetFlow sampler on that interface:
Router> enablePassword:Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip cefRouter(config)# interface ethernet 1Router(config-if)# flow-sampler mysampler1Router(config-if)#Router(config-if)# endRouter#3w5d:%SYS-5-CONFIG_I: Configured from console by consoleAdditional References
The following sections provide references related to the Random Sampled NetFlow feature.
•
•
Related Documents
Standards
MIBs
•
•
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents modified commands only.
•
debug flow-sampler
To enable debugging output for NetFlow sampler activity, use the debug flow-sampler command in privileged EXEC mode. To disable debugging output for NetFlow sampler activity, use the no form of this command.
debug flow-sampler {class-based | events | ipc | match}
no debug flow-sampler {class-based | events | ipc | match}
Syntax Description
Command Default
Debugging output for NetFlow sampler activity is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, you should use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, you should use debug commands during periods of lower network traffic and fewer users. Debugging during these periods reducess the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug flow-sampler events command:
Router# debug flow-sampler eventsFlow sampler events debugging is onRouter# configure terminalRouter(config# no flow-sampler mysampler2Router(config)#5d00h: Flow: Sampler mysampler2 detached from FastEthernet0/15d00h: Flow: Sampler mysampler2 deletedThe following is sample output from the debug flow-sampler match command:
Router# debug flow-sampler matchFlow sampler match debugging is onRouter#4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0Router#4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0Router#4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0Router#4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0Table 2 describes the significant fields shown in the display.
Related Commands
flow-sampler
To apply a flow sampler map for random sampled NetFlow accounting to an interface, use the flow-sampler command in interface configuration mode. To remove a flow sampler map for random sampled NetFlow accounting from an interface, use the no form of this command.
flow-sampler sampler-map-name [egress]
no flow-sampler sampler-map-name [egress]
Syntax Description
sampler-map-name
Name of the flow sampler map to apply to the interface.
egress
(Optional) Specifies that the sampler map is to be applied to egress traffic.
Command Default
Flow sampler maps for NetFlow accounting are not applied to interfaces by default. If flow sampler maps for NetFlow accounting are applied to an interface, they are applied for ingress (incoming) traffic unless otherwise specified with the egress keyword.
Command Modes
Interface configuration
Subinterface configurationCommand History
Usage Guidelines
You must create and enable the random sampler NetFlow map for random sampled NetFlow accounting using the flow-sampler-map and mode commands before you can use the flow-sampler command to apply the random sampler NetFlow map to an interface.
Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. You must disable ingress NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface, or subinterface, if you want to enable random sampled NetFlow accounting on the interface, or subinterface.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip
Tip
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 0/0Router(config-if)# no ip route-cache flowRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-mapThe following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 1/0Router(config-if)# no ip flow egressRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-map egressThe following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-samplerSampler : my-map, id : 1, packets matched : 7, mode : random sampling modesampling interval is : 100Related Commands
flow-sampler-map
To define a flow sampler map for random sampled NetFlow accounting, use the flow-sampler-map command in global configuration mode. To remove a flow sampler map for random sampled NetFlow accounting use the no form of this command.
flow-sampler-map sampler-map-name
no flow-sampler-map sampler-map-name
Syntax Description
Command Default
No flow sampler maps for random sampled NetFlow accounting are defined.
Command Modes
Global configuration
Command History
Usage Guidelines
Random sampled NetFlow accounting does not start sampling traffic until (1) the random sampler map is activated through the use of the mode command and (2) the sampler map has been applied to an interface through the use of the flow-sampler command.
Random Sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. You must disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface or subinterface, if you want to enable random sampled NetFlow accounting on that interface or subinterface.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip
Tip
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 0/0Router(config-if)# no ip route-cache flowRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-mapThe following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 1/0Router(config-if)# no ip flow egressRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-map egressThe following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-samplerSampler : my-map, id : 1, packets matched : 7, mode : random sampling modesampling interval is : 100Related Commandssampling interval is : 100
ip flow-export
To enable the export of information in NetFlow cache entries, use the ip flow-export command in global configuration mode. To disable the export of information, use the no form of this command.
ip flow-export {destination ip-address udp-port | source {ip-address | interface-name} | version {1 | [{5 | 9} [origin-as | peer-as] [bgp-nexthop]]} | template {refresh-rate packets | timeout-rate minutes} [options {export-stats | refresh-rate packets | sampler | timeout-rate minutes}]}
no ip flow-export {destination ip-address udp-port | source {ip-address | interface-name} | version {1 | [{5 | 9} [origin-as | peer-as] [bgp-nexthop]]} | template {refresh-rate packets | timeout-rate minutes} [options {export-stats | refresh-rate packets | sampler | timeout-rate minutes}]}
Syntax Description
Command Default
Export of information in NetFlow cache entries is disabled. You can specify origin AS accounting or peer AS export accounting, but not both.
Command Modes
Global configuration
Command History
Usage Guidelines
A NetFlow cache entry contains a lot of information. When NetFlow data collection is enabled with the ip route-cache flow command, you can use the ip flow-export command to configure the router to export the flow cache entries to a destination (such as a system running the NetFlow Collection Engine) when flows expire. This configuration can be useful for traffic analysis, monitoring, attack mitigation, and billing.
Version 5 and version 9 formats include the source and destination AS addresses and source and destination prefix masks. Also, version 9 might include BGP next hop information.
For more information on the version 5 data format, refer to the Cisco IOS Switching Services Configuration Guide. For more information on version 9 data format, refer to the Cisco IOS NetFlow Version 9 Flow-Record Format white paper.
Examples
The following example shows how to configure the router to export the NetFlow cache entry to UDP port 2048 on the workstation at 134.22.23.7 when the flow expires using version 5 format and includes the peer AS information:
Router(config)# ip flow-export destination 134.22.23.7 2048 version 5 peer-asRelated Commands
mode (flow sampler configuration)
To specify a packet interval for random sampled NetFlow accounting and enable the flow sampler map, use the mode command in NetFlow flow sampler configuration mode.
mode random one-out-of packet-interval
Syntax Description
random
Specifies that sampling uses the random mode.
one-out-of packet-interval
Specifies the packet interval (1 out of every n packets). For n, you can specify from 1 to 65535 packets.
Command Default
The random sampling mode and packet sampling interval are undefined.
Command Modes
NetFlow flow sampler configuration
Command History
Usage Guidelines
The mode random one-out-of command does not have a no format to remove it from the configuration. To disable NetFlow random sampling and packet interval you must remove the flow sampler map that you enabled with the mode random one-out-of command.
If you want to change the value that you entered for the packet-interval argument repeat the mode random one-out-of packet-interval command using the new value for packet-interval.
Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. In order to run random sampled NetFlow accounting, you must first disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip
Tip
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 0/0Router(config-if)# no ip route-cache flowRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-mapThe following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 1/0Router(config-if)# no ip flow egressRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-map egressThe following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-samplerSampler : my-map, id : 1, packets matched : 7, mode : random sampling modesampling interval is : 100Related Commands
show flow-sampler
To display the status and statistics for random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler), use the show flow-sampler command in user EXEC or privileged EXEC mode.
show flow-sampler [sampler-map-name]
Syntax Description
Command Modes
User EXEC
Privileged EXECCommand History
Examples
The following is sample output from the show flow-sampler command for all flow samplers:
Router> show flow-samplerSampler : mysampler1, id : 1, packets matched : 10, mode : random sampling modesampling interval is : 100Sampler : myflowsampler2, id : 2, packets matched : 5, mode : random sampling modesampling interval is : 200The following is sample output from the show flow-sampler command for a flow sampler named mysampler1:
Router> show flow-sampler mysampler1Sampler : mysampler1, id : 1, packets matched : 0, mode : random sampling modesampling interval is : 100Table 2 describes the fields shown in the displays.
Related Commands
Glossary
BGP—Border Gateway Protocol. Interdomain routing protocol that replaces Exterior Border Gateway Protocol (EBGP). BGP exchanges reachability information with other BGP systems. It is defined by RFC 1163.
BGP next hop—IP address of the next hop to be used to reach a certain destination.
CEF—Cisco Express Forwarding. Layer 3 IP switching technology that optimizes network performance and scalability for networks with large and dynamic traffic patterns.
data flowset—A collection of data records that are grouped together in an export packet.
data record—Provides information about an IP flow that exists on the device that produced an export packet. Each group of data records (meaning each data flowset) references a previously transmitted template ID, which can be used to parse the data within the records.
dCEF—Distributed Cisco Express Forwarding. Type of CEF switching in which line cards (such as VIP line cards) maintain an identical copy of the forwarding information base (FIB) and adjacency tables. The line cards perform the express forwarding between port adapters; this relieves the route/switch processor of involvement in the switching operation.
export packet—Type of packet built by a device (for example, a router) with NetFlow services enabled that is addressed to another device (for example, a NetFlow Collection Engine). The packet contains NetFlow statistics. The other device processes the packet (parses, aggregates, and stores information on IP flows).
fast switching—Cisco feature in which a route cache is used to expedite packet switching through a router.
flow—Unidirectional stream of packets between a given source and destination—each defined by a network-layer IP address and transport-layer source and destination port numbers.
flowset—A collection of flow records that follow the packet header in an export packet. A flowset contains information that must be parsed and interpreted by the NetFlow Collection Engine device. There are two different types of flowsets: template flowsets and data flowsets. An export packet contains one or more flowsets, and both template and data flowsets can be mixed in the same export packet.
NetFlow—A Cisco IOS acceleration and accounting feature that maintains per-flow information.
NetFlow Aggregation—A NetFlow feature that lets you summarize NetFlow export data on an IOS router before the data is exported to a NetFlow data collection system such as the NetFlow Collection Engine. This feature lowers bandwidth requirements for NetFlow export data and reduces platform requirements for NetFlow data collection devices.
NetFlow Collection Engine (formerly NetFlow FlowCollector)—Cisco application that is used with NetFlow on Cisco routers and Catalyst 5000 series switches. The NetFlow Collection Engine collects packets from the router that is running NetFlow and decodes, aggregates, and stores them. You can generate reports on various aggregations that can be set up on the NetFlow Collection Engine.
NetFlow sampler—NetFlow sampler map that has been applied to at least one physical interface or subinterface.
NetFlow sampler map—Defines a set of properties (such as the sampling rate) for NetFlow sampling.
NetFlow v9—NetFlow export format Version 9. A flexible and extensible means to carry NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.
options data record—Special type of data record (which is based on an options template) with a reserved template ID that provides information about the NetFlow process itself.
options template—Type of template record used to communicate the format of data related to the NetFlow process.
packet header—First part of an export packet. It provides basic information about the packet (such as the NetFlow version, number of records contained in the packet, and sequence numbering) so that lost packets can be detected.
template flowset—Collection of one or more template records that are grouped in an export packet.
template ID—Unique number that distinguishes a template record from other template records produced by the same export device. A NetFlow Collection Engine application that receives export packets from several devices should be aware that uniqueness is not guaranteed across export devices. Thus, the NetFlow Collection Engine should also cache the address of the export device that produced the template ID in order to enforce uniqueness.
template record—Defines the format of subsequent data records that might be received in current or future export packets. A template record within an export packet does not necessarily indicate the format of data records within that same packet. A NetFlow Collection Engine application must cache any template records received and then parse any data records it encounters by locating the appropriate template record in the cache.
ToS—type of service byte. Second byte in the IP header that indicates the desired quality of service for a particular datagram.
Note
© 2003-2005 Cisco Systems, Inc. All rights reserved.
