NetFlow - Flow Samplers

In the context of NetFlow, Flow samplers are created as separate components in a router’s configuration. Flow samplers are used to reduce the load on the device that is running Flexible NetFlow by limiting the number of packets that are selected for analysis.

Without a flow sampler configuration, NetFlow will sample all of the packets of a flow.

Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a flow monitor, the overhead load on the router of running the flow monitor is reduced because the number of packets that the flow monitor must analyze is reduced. The reduction in the number of packets that are analyzed by the flow monitor causes a corresponding reduction in the accuracy of the information stored in the flow monitor’s cache.

Samplers are combined with flow monitors when they are applied to an interface with the ip flow monitor command. Samplers use random sampling techniques (modes); that is, a randomly selected sampling position is used each time a sample is taken.

Specifically, under the sampler configuration, the command is:

mode {deterministic | random} 1 out-of window-size

You choose one packet out of how many packets (which is essentially the window size) are sampled. You can also choose deterministic or random for the way that packet is chosen within the window.

  • So, if you choose deterministic and 1 packet out of every 10, then strictly, every tenth packet will be sampled.
  • If you choose random and 1 packet out of every 20, then for every 20 packets that arrive, one of those packets will be chosen randomly.

More information about the configuration and the behavior of a sampler can be found in the Cisco command reference link below.

Links:

https://forum.networklessons.com/t/introduction-to-cisco-netflow/1278/81?u=lagapidis

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/xe-3se/3850/use-fnflow-redce-cpu.html#GUID-EF6CB759-04B7-441A-B716-A135FA904429