What is Sampled Netflow or Sampling in NFA?

Document ID : KB000011085
Last Modified Date : 14/02/2018
Question:

This article discusses Sampled Netflow. It answers the following questions: 

What is Sampled Netflow? 

How does the sampling interval (rate) get exported within NetFlow? 

How do you enable ReporterAnalyzer to support sampled NetFlow? 

How does ReporterAnalyzer handle the sampling interval (rate)? 

What if the Sampling Interval is wrong? 

Answer:

What is Sampled NetFlow? 

The Sampled NetFlow feature was developed to alleviate the performance penalty incurred by turning on NetFlow on Cisco 12000 series Internet routers. To scale to higher forwarding rates, NetFlow allows the user to sample one out of every "x" IP packets being forwarded, where "x" is a user-configurable interval. Only these sampled packets are accounted for in the NetFlow cache on the router. On an interface, Sampled NetFlow collects NetFlow statistics for a subset of incoming (ingress) IPv4 traffic, selecting only one out of "N" sequential packets, where "N" is a configurable parameter. This substantially decreases the CPU utilization needed to account for NetFlow packets, because the majority of the packets are switched faster without going through additional NetFlow processing.

 

How does the sampling interval (rate) get exported within NetFlow? 

For NetFlow v5 exports, the sampling interval is exported within the datagram header itself. As shown in the "Version 5 Header Format" (see Appendix, Table B-3), the sampling_interval field contains the actual sampling interval used by that device for caching the NetFlow records. This field is the last two bytes within the NetFlow v5 datagram header. For NetFlow v9 exports, the sampling interval is simply a field within the v9 template. It is well structured and defined within a reserved template field. 

 

How do you enable ReporterAnalyzer to support sampled NetFlow? 

In order to support sampled NetFlow v5 exports, you must manually edit a registry setting on all Harvesters receiving sampled NetFlow. By default, support for sampled NetFlow is disabled for NetFlow v5 exports.

Registry Key: netqos\nfharvester\TrustNetflowV5SamplingInterval

Default Value: 0

Description: A value of 1 will cause the Harvester to trust the sampling_interval field in the NetFlow v5 datagram headers for all NetFlow v5 datagrams received by that Harvester. This implies that enabling this setting requires all routers/devices to properly report their correct sampling_interval.

For sampled NetFlow v9 exports, there are no configuration changes or updates needed to correctly handle the sampling interval (rate) exported within the flow records.

 

How does ReporterAnalyzer handle the sampling interval (rate)? 

Regardless of which version of NetFlow is collected, ReporterAnalyzer will attempt to auto-detect the sampling interval set by each router/device. As the flow records are received by the Harvester, the sampling_interval is extracted and applied to the flow records as a multiplier. ReporterAnalyzer can therefore handle multiple routers/devices exporting NetFlow with different sampling intervals.

NOTE: There are instances where devices may set the sampling_interval field incorrectly or not at all. See "What if the Sampling Interval is wrong?" for more information.

 

What if the Sampling Interval is wrong? 

In most instances, NetFlow v9 exports the sampling interval correctly within the template. However, there are occasions where some routers/devices exporting NetFlow v5 records set the sampling_interval field incorrectly or not at all (with a value of zero). If that happens, the incorrect value may be automatically applied and unexpected results may occur (such as zero bytes for certain router interfaces). As a workaround for these router/device NetFlow export issues, there is a registry setting that can be changed on the Harvesters to help overcome these limitations.

Registry Key: netqos\nfharvester\SampleRateOverride

Default Value: 1

Description: A value greater than 1 will cause the Harvester to apply this value as the multiplier used instead of the sampling_interval field reported in the NetFlow v5 datagram headers for all NetFlow v5 datagrams received by that Harvester. This setting applies to all routers/devices exporting sampled NetFlow v5 records and overrides the "TrustNetflowV5SamplingInterval" setting.
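The following Python code is an added example, not part of the original article and not the product's own code. It reads the sampling field from the last two bytes of a NetFlow v5 header and models the multiplier choice described in the sections above, including the zero-interval case that yields zero bytes. The function and parameter names are hypothetical, the behaviour with trust disabled is assumed to be a multiplier of 1, and masking off the top two bits (the sampling mode in the v5 format) is an assumption about how a collector would read the field.

```python
import struct

# NetFlow v5 header: 24 bytes, network byte order. Field layout per the
# published v5 format; sampling_interval is the final 16-bit field.
V5_HEADER = struct.Struct("!HHIIIIBBH")

def parse_v5_header(datagram: bytes) -> dict:
    """Extract count and the sampling field from a v5 export datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    fields = V5_HEADER.unpack_from(datagram)
    version, count, sampling = fields[0], fields[1], fields[8]
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    return {
        "count": count,
        "sampling_mode": sampling >> 14,          # top 2 bits: sampling mode
        "sampling_interval": sampling & 0x3FFF,   # low 14 bits: 1-in-N value
    }

def effective_multiplier(header: dict, trust_v5_interval: int = 0,
                         sample_rate_override: int = 1) -> int:
    """Model (assumed) of the multiplier choice the article describes."""
    if sample_rate_override > 1:       # override wins over the trust setting
        return sample_rate_override
    if trust_v5_interval == 1:         # header value applied as-is, even if 0
        return header["sampling_interval"]
    return 1                           # assumed: sampling support disabled

def scale_bytes(sampled_bytes: int, multiplier: int) -> int:
    """Estimate real traffic volume from a sampled flow record's byte count."""
    return sampled_bytes * multiplier

def build_header(sampling: int, count: int = 1) -> bytes:
    """Constructed sample header; timestamps and sequence are dummy values."""
    return V5_HEADER.pack(5, count, 0, 0, 0, 0, 0, 0, sampling)

if __name__ == "__main__":
    good = parse_v5_header(build_header((1 << 14) | 100))  # mode 1, 1-in-100
    zero = parse_v5_header(build_header(0))                # field left unset
    for name, hdr in (("good", good), ("zero", zero)):
        for trust, override in ((0, 1), (1, 1), (1, 50)):
            m = effective_multiplier(hdr, trust, override)
            print(name, trust, override, m, scale_bytes(1500, m))
```

Running the same check against captured exports from each router shows which devices send a zero or implausible sampling_interval before the trust setting is enabled on a Harvester.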

Additional Information:

For instructions on how to set a SampleRateOverride for 9.3.3 follow the steps in the doc below:

https://support.ca.com/us/knowledge-base-articles.TEC606788.html

 

For 9.3.6 follow the steps in the doc below:

https://support.ca.com/us/knowledge-base-articles.TEC1982724.html