Re: [c-nsp] nfSen / nfDump
So as usual - my netflow routers are coming up with the correct size data in
nfsen, but sFlow is about 2.5 times as much traffic.
Does anyone have a cisco sflow config that works with nfsen - sampling rate etc?
sflow sampling-rate 4096 <-- this is 512?
sflow max-sampled-size 128
sflow counter-poll-interval 30
sflow max-datagram-size 1400
sflow collector-ip xx.xx.xx.xx vrf default source xx.xx.xx.xx
sflow collector-port 6343
sflow agent-ip xx.xx.xx.xx
no sflow extended switch
Then in nfsen - here:
Doesn't look like sflow daemon supports the -s sampling tag.
%sources = (
'myRouter' => { 'port' => '9901', 'col' => '#00ff00', 'type' => 'netflow',
'optarg' => ' -s -1000 '},
);
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron
Gould
Sent: Sunday, August 6, 2017 1:46 AM
To: 'Phil Mayers' ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump
netflow
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil
Mayers
Sent: Friday, August 4, 2017 3:08 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump
On 03/08/17 22:53, Aaron Gould wrote:
> I do 1/512 sample rate on my asr9k's and usually multiple numbers
> gathered in nfsen by 512 to normalize
sflow? Or netflow?
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] nfSen / nfDump
Wouldn't the syntax be "-s 1000", rather than "-s -1000"?
jms
On Mon, 28 Aug 2017, Nick Cutting wrote:
So as usual - my netflow routers are coming up with the correct size data in
nfsen, but sFlow is about 2.5 times as much traffic.
Does anyone have a cisco sflow config that works with nfsen - sampling rate etc?
sflow sampling-rate 4096 <-- this is 512?
sflow max-sampled-size 128
sflow counter-poll-interval 30
sflow max-datagram-size 1400
sflow collector-ip xx.xx.xx.xx vrf default source xx.xx.xx.xx
sflow collector-port 6343
sflow agent-ip xx.xx.xx.xx
no sflow extended switch
Then in nfsen - here:
Doesn't look like sflow daemon supports the -s sampling tag.
%sources = (
'myRouter' => { 'port' => '9901', 'col' => '#00ff00', 'type' => 'netflow',
'optarg' => ' -s -1000 '},
);
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron
Gould
Sent: Sunday, August 6, 2017 1:46 AM
To: 'Phil Mayers' ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump
netflow
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil
Mayers
Sent: Friday, August 4, 2017 3:08 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump
On 03/08/17 22:53, Aaron Gould wrote:
I do 1/512 sample rate on my asr9k's and usually multiple numbers
gathered in nfsen by 512 to normalize
sflow? Or netflow?
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] nfSen / nfDump
This was an example I took from the nfsen forums - it is a negative value.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin
M. Streiner
Sent: Monday, August 28, 2017 3:32 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump
Wouldn't the syntax be "-s 1000", rather than "-s -1000"?
jms
On Mon, 28 Aug 2017, Nick Cutting wrote:
> So as usual - my netflow routers are coming up with the correct size data in
> nfsen, but sFlow is about 2.5 times as much traffic.
>
> Does anyone have a cisco sflow config that works with nfsen - sampling rate
> etc?
>
> sflow sampling-rate 4096 <-- this is 512?
> sflow max-sampled-size 128
> sflow counter-poll-interval 30
> sflow max-datagram-size 1400
> sflow collector-ip xx.xx.xx.xx vrf default source xx.xx.xx.xx sflow
> collector-port 6343 sflow agent-ip xx.xx.xx.xx no sflow extended
> switch
>
> Then in nfsen - here:
>
> Doesn't look like sflow daemon supports the -s sampling tag.
>
> %sources = (
>'myRouter' => { 'port' => '9901', 'col' => '#00ff00', 'type' =>
> 'netflow', 'optarg' => ' -s -1000 '}, );
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of Aaron Gould
> Sent: Sunday, August 6, 2017 1:46 AM
> To: 'Phil Mayers' ; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] nfSen / nfDump
>
> netflow
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of Phil Mayers
> Sent: Friday, August 4, 2017 3:08 AM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] nfSen / nfDump
>
> On 03/08/17 22:53, Aaron Gould wrote:
>> I do 1/512 sample rate on my asr9k's and usually multiple numbers
>> gathered in nfsen by 512 to normalize
>
> sflow? Or netflow?
> ___
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> ___
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> ___
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] nfSen / nfDump
Nick Cutting wrote: > sflow sampling-rate 4096 <-- this is 512? that means that out of every 4096 packets received on an interface, one will be punted to the sflow collector. You can check the hardware sampling rate using the PortSampRate command in the broadcom shell, like this: > n3k# test hardware internal bcm-usd bcm-diag-shell > Available Unit Numbers: 0 > bcm-shell.0> PortSampRate > xe0: ingress: 1 out of 4096 packets, egress: 1 out of 4096 packets, > xe1: ingress: 1 out of 4096 packets, egress: 1 out of 4096 packets, [...] Sflow sampling is handled in hardware and is reasonably accurate on the broadcom chipset. If you're seeing ~2x the number of packets, bear in mind that nxos samples in both directions with no option for only ingress or only egress. There is no good reason for having this limitation, because it's trivial to modify in using the bcm-shell with the portsamprate command, and the lack of ability to specify the sampling direction makes the sflow functionality on this operating system pretty useless. Nick ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] nfSen / nfDump
Nick Cutting wrote:
> Doesn't look like sflow daemon supports the -s sampling tag.
>
> %sources = (
> 'myRouter' => { 'port' => '9901', 'col' => '#00ff00', 'type' =>
> 'netflow', 'optarg' => ' -s -1000 '},
> );
yes, that's correct. The sflow sampling rate is specified in each sflow
packet, so there is no need to specify it on the collector - it's
automatically detected on a per-packet basis.
This is a working config on a small site (albeit a different sflow agent
platform, but that won't make any difference):
> %sources = (
> 'rtr01' => { 'port' => '2055', 'col' => '#ff', 'type' => 'sflow'
> },
> 'rtr02' => { 'port' => '2056', 'col' => '#00ff00', 'type' => 'sflow'
> },
> );
nfsen will then start up sfcapd instead of nfcapd.
Nick
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] nfSen / nfDump
Thank you for your reply.
Yes, I have a very similar config to yours below.
Looks like I'll need to tell the noc to halve their findings.
I didn’t seem to be able to use that command on a Nexus 9200 - the guide for
the shell seems for the 9500 and the 3k?
Thank you
-Original Message-
From: Nick Hilliard [mailto:n...@foobar.org]
Sent: Monday, August 28, 2017 5:13 PM
To: Nick Cutting
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump
This message originated from outside your organization
Nick Cutting wrote:
> Doesn't look like sflow daemon supports the -s sampling tag.
>
> %sources = (
> 'myRouter' => { 'port' => '9901', 'col' => '#00ff00', 'type' =>
> 'netflow', 'optarg' => ' -s -1000 '}, );
yes, that's correct. The sflow sampling rate is specified in each sflow
packet, so there is no need to specify it on the collector - it's automatically
detected on a per-packet basis.
This is a working config on a small site (albeit a different sflow agent
platform, but that won't make any difference):
> %sources = (
> 'rtr01' => { 'port' => '2055', 'col' => '#ff', 'type' => 'sflow'
> },
> 'rtr02' => { 'port' => '2056', 'col' => '#00ff00', 'type' =>
> 'sflow' }, );
nfsen will then start up sfcapd instead of nfcapd.
Nick
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] nfSen / nfDump
Nick Cutting wrote: > I didn’t seem to be able to use that command on a Nexus 9200 - the > guide for the shell seems for the 9500 and the 3k? N9K access instructions here: > https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/programmability/guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_chapter_0101.html#concept_F5C3B0413B80410FBBDCC79F81BF086F Nick ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
