
Netflow sampling?

tedauction
Level 1

Hello, I am setting up Netflow v9 on a big group of switches and routers.

These devices are under heavy load. Should I be using sampling, or is it just not necessary unless the devices are handling heavy traffic?

Or is it best practice to always do sampling of some form?

My concern is that I am degrading the quality of flow information by using my current sampling rate of 32:1.

Thanks for any advice.

3 Replies

Mark Malone
VIP Alumni

Hi

It all depends on whether that's good enough for you. Sampling is only there to reduce CPU on lower-end devices that struggle with large flows; we collect everything on our ASRs, 4331s, etc., even under large load, and we don't get any CPU effect. It may also be the case that your collector can only handle a certain amount of incoming flows, and reducing it to a sampling rate may keep it from overloading, but if your devices and collector can handle it I wouldn't use a sampler at all. Again, though, it can depend on why you're collecting flows in the first place; you may only need samples of what's going on in flows. For security and network investigations we collect everything.

Why not test a device with full load and see what happens: does CPU increase when sending full flow, does the collector struggle? Then make a decision on whether you need to take samples instead of full flows.
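The trade-off Mark describes, and the 32:1 concern in the question, made concrete as an added example that is not from this thread or from any Cisco code: a small Python simulation over constructed flows that keeps each packet with probability 1/N (the behaviour of a random 1-out-of-N sampler), scales the counts back up the way a collector does, and reports which flows survive. The flow keys and sizes are made up for illustration.

```python
"""Constructed demo: what random 1:N packet sampling does to NetFlow data.
Each packet is kept with probability 1/N and sampled counts are scaled back
up by N, as a collector does with sampled exports."""
import random

# Constructed flows, not captured traffic: (flow key, packets, bytes per packet).
FLOWS = [
    ("10.0.0.5->10.0.1.20:443 bulk transfer", 40000, 1400),
    ("10.0.0.7->10.0.1.20:443 web session", 3000, 900),
    ("10.0.0.9->10.0.1.53:53 DNS lookup", 20, 80),
    ("10.0.0.11->10.0.1.22:22 short SSH session", 6, 100),
    ("10.0.0.12->10.0.1.8:3389 two-packet exchange", 2, 60),
]


def p_flow_seen(packets: int, rate: int) -> float:
    """Probability that a flow of `packets` packets is exported at all under
    1:rate sampling (at least one of its packets is selected)."""
    return 1.0 - (1.0 - 1.0 / rate) ** packets


def sample_flows(flows, rate: int, seed: int = 1):
    """Return {flow_key: (estimated_packets, estimated_bytes)} after sampling.
    Flows with no sampled packet are absent, exactly as in a real export."""
    rng = random.Random(seed)
    estimates = {}
    for key, packets, pkt_bytes in flows:
        sampled = sum(1 for _ in range(packets) if rng.random() < 1 / rate)
        if sampled:
            estimates[key] = (sampled * rate, sampled * rate * pkt_bytes)
    return estimates


def byte_error(flows, rate: int, seed: int = 1) -> float:
    """Relative error of the total byte count reconstructed from sampled data."""
    true_bytes = sum(p * b for _, p, b in flows)
    est_bytes = sum(b for _, b in sample_flows(flows, rate, seed).values())
    return abs(est_bytes - true_bytes) / true_bytes


if __name__ == "__main__":
    for key, packets, _ in FLOWS:
        print(f"{key}: P(exported at 1:32) = {p_flow_seen(packets, 32):.2f}")
    est = sample_flows(FLOWS, 32)
    print(f"exported {len(est)} of {len(FLOWS)} flows, "
          f"total-byte error {byte_error(FLOWS, 32):.1%}")
```

The bulk flow's byte count comes back within a few percent, which is what accounting needs; the short flows have well under a 50% chance of appearing at all, which is what an investigation loses.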

Hi,

another aspect might be the WAN load increase:

In theory the NetFlow traffic sent over a WAN line would increase the load by 1-3%.

But it might be higher (I remember over 10% in one case of DNS server misconfigured).

And it could be more if sending NetFlow statistics from your LAN over a WAN to your collector.

Or several hundreds/thousands sites sending NetFlow data to a single collector - that could increase the collector WAN line traffic considerably.

But generally, if your network and CPUs can handle it, full (not sampled) NetFlow should be a preferred solution.

Best regards,

Milan

Have you considered using Flexible NetFlow to reduce the details that you export? For example, by not exporting source and destination port, you can reduce flow volumes by over 80% and still have 100% of the data needed for accounting.

https://www.plixer.com/blog/sflow/how-to-avoid-ipfix-or-netflow-sampling-vs-sflow/

As Mark Malone pointed out, it depends on what you want to do with the collected flows. For accounting, the above works well. For threat detection, not so good.