Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
874
Views
0
Helpful
3
Replies

netflow and snmp data.

Leeyoungsoo
Level 1
Level 1

‎02-24-2009 11:12 PM - edited ‎03-06-2019 04:13 AM

Dear all.

our coustomer site runs a netflow application.

There application has seen netflow traffice and snmp traffic.

I know that snmp traffic big more than netflow data.

But our customer want similarly to see both data.

So I found that netflow sampling.

Does any one know about

netflow sampling method can do it?

point:

1.I want to know that

netflow traffic and snmp traffic are similirly to see.

2.Does netflow sampling can to resize netflow traffic?

Thank again

Labels:
0 Helpful
3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎02-25-2009 12:30 AM

Hello Young,

netfow sampling had been introduced to allow to monitor netflow flows with a reduced performance penalty.

The reasoning is that long life flows should tracked even if only one packet of N is diverted to the neflow engine.

Normal N used is 10 to 1000.

Short life flows like a DNS request can be missed but the general picture should reasonably be enough accurate for traffic engineering purposes.

The target for Netflow sampling are the linecards of very high end routers like GSR (12000).

Later, a different sampling method for software based routers has been introduced called random sampling

see

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/ios_netflow_roadmap_ps6350_TSD_Products_Configuration_Guide_Chapter.html

With netflow sampling netflow data and SNMP data become even more different.

To compare data you need to multiply to the sampling factor N and then you may need to convert traffic volumes expressed in bytes to average bit rates (as the ones expressed using SNMP MIB variables by MRTG or other monitoring tools).

For doing this you need to know the time window in which netflow data traffic has been aggregated.

The sum of all Netflow flows should be near to the SNMP data on the interface.

Some years ago when I did my first tests on Netflow I did test labs and I compared netflow data and SNMP MIBs with good results in those simple tests with standard Netflows they matched exactly.

This is something you could do for the customer to convince them on the accuracy of netflow data.

Hope to help

Giuseppe

0 Helpful

Leeyoungsoo
Level 1
Level 1
In response to Giuseppe Larosa

‎02-25-2009 01:13 AM

Dear

I really thank you to explain to me.

As you know my english very poor

so Can you explain to me once again

to detail?

Thanks you again.

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Leeyoungsoo

‎02-25-2009 01:32 AM

Hello Young,

I try to keep it simple:

with sampling only one packet every 1000 is processed by netflow engine.

So the traffic volumes seen be netflow are reduced by the same factor (1000 for

example)

So to compare with SNMP data you need at least to multiply volumes by same factor

if netflow has seen 12000 bytes and the samping factor is 1000 we can say that real traffic volume was

12000*1000 = 12000000 bytes

When you compare netflow data and SNMP data you may need to perform some math operations (conversions).

Hope to help

Giuseppe

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card