Dear community
I am getting into NetFlow a little bit deeper but cannot get my head around sampling. All i understand so far: We can configure deterministic sampling, that uses a hardware sampler per interface, limiting the maximum number of monitoring to 4 Interfaces because 2960X switches do have 4 hardware samplers.
If we use random sampling, we can monitor 256 interfaces max (either 256 SVI or 48 Gi) but the 1 out-of 32 suggests, that only every 32nd packet is being inspected/recorded. Am i right? If so, the data recorded by NetFlow is very unreliable as only a small portion of traffic is being collected. Or does the 1 out-of 32 only come into play if the CPU of the switch is too high? How can i verify that all the packets flowing thru the switch are being inspected/recorded?
Strange thing is, if I check the sampler on my switch, it doesn't show any samples:
swDAI01# show sampler netflow
Sampler netflow:
ID: 1439539242
export ID: 2
Description: User defined
Type: random
Rate: 1 out of 32
Samples: 0
Requests: 0
Users (2):
flow monitor netflow (ip,Gi1/0/1,Input) 0 out of 0
flow monitor netflow (ip,Gi1/0/3,Input) 0 out of 0
Netflow works fine on this switch, the cache is full of entries and i receive data on my NetFlow collector every 60 second.
Very similar question has been asked here:
https://supportforums.cisco.com/t5/lan-switching-and-routing/2960x-netflow-lite-sampler-rate/m-p/2778440#M337479
Answer says to use NetFlow without sampling. How can i achieve that on a 2960X?
Cisco Documentation for NetFlow Lite on 2960X (Link here) says following:
Defines the random sample mode.
You can configure either a random or deterministic sampler to an interface. Select m packets out of an n packet window. The window size to select packets from ranges from 32 to 1022.
Note the following when configuring a sampler to an interface:
When you attach a monitor using deterministic sampler (for example, s1), every attachment with same sampler s1 uses one new free sampler from the switch (hardware) out of 4 available samplers. Therefore, beyond 4 attachments, you are not allowed to attach a monitor with any sampler.
In contrast, when you attach a monitor using random sampler (for example-again, s1), only the first attachment uses a new sampler from the switch (hardware). The rest of all attachments using the same sampler s1, share the same sampler.
Due to this behavior, when using a deterministic sampler, you can always make sure the correct number of flows are sampled by comparing the sampling rate and what the switch sends. If the same random sampler is used with multiple interfaces, flows from an interface can always be sampled, and the flows from other interfaces could be always skipped.
Thanks for anyone that can shed some light onto this topic.
