NFA All Supported versions

What is Sampled NetFlow? 

The Sampled NetFlow feature was developed to alleviate the performance penalty incurred by turning on NetFlow on Cisco 12000 series Internet routers. In order to scale to higher forwarding rates, NetFlow will now allow the user to sample one out of every "x" IP packets being forwarded. These sample packets will be accounted for in the NetFlow cache on the router. The user can configure the "x" interval. This feature will substantially decrease the CPU utilization needed to account for NetFlow packets by allowing a majority of the packets to be switched faster because they will not need to go through additional NetFlow processing. On an interface, Sampled NetFlow allows you to collect NetFlow statistics for a subset of incoming (ingress) IPv4 traffic on the interface, selecting only one out of "N" sequential packets, where "N" is a configurable parameter. These sampling packets will substantially decrease the CPU utilization needed to account for NetFlow packets by allowing the majority of the packets to be switched faster because they will not need to go through additional NetFlow processing. 

How does the sampling interval (rate) get exported within NetFlow? 

For NetFlow v5 exports, the sampling interval is exported within the datagram header itself. As shown in the "Version 5 Header Format" (see Appendix, Table B-3), the sampling_interval field contains the actual sampling interval used by that device for caching the NetFlow records. This field is the last two bytes within the NetFlow v5 datagram header. For NetFlow v9 exports, the sampling interval is simply a field within the v9 template. It is well structured and defined within a reserved template field. 

How does NFA handle the sampling interval (rate)? 

Regardless of which version of NetFlow is collected, ReporterAnalyzer will attempt to auto-detect the sampling interval set by each router/device. As the flow records are received by the Harvester, the sampling_interval will be extracted and applied to the flow records by applying the sampling_interval value as a multiplier. Therefore ReporterAnalyzer is capable of handling multiple routers/devices exporting NetFlow with different sampling intervals. NOTE: There are instances where devices may incorrectly or not set the sampling_interval field. See "What if the Sampling Interval is wrong?" for more information. 

What if the Sampling Interval is wrong? 

In most instances, NetFlow v9 exports the sampling interval correctly within the template. However, there are occasions where some routers/devices exporting NetFlow v5 records set the sampling_interval field incorrectly or not at all (with a value of zero). If that happens, the incorrect value may be automatically applied and unexpected results may occur (such as zero bytes for certain router interfaces). As a workaround for these router/device NetFlow export issues, you can manually override the sampling rate for an individual device if necessary.

See the following document:

How do I configure the sampling rate for a router device within NFA manually?

Netflow sampling must be set uniquely across all interfaces on a device. 1 interface cannot be 1 out of 100 while another is 1 out of 10000.

How do I configure the sampling rate for a router device within NFA manually?

Netflow sampling must be set uniquely across all interfaces on a device. 1 interface cannot be 1 out of 100 while another is 1 out of 10000.