sFlow Configuration for Traffic Monitoring and Analysis

This page describes the key concepts, advantages, and limitations of sFlow, and the steps to configure sFlow on your router.

sFlow Essential Concepts and Terms

This section helps you get familiar with the sFlow key terms and concepts:

  • Data source: Location within a network device that can make traffic measurements. Examples are physical interfaces and VLANs.

  • Flow: A Flow is defined as a set of IP packets passing a network device in the network during a certain time interval. All packets that belong to a particular Flow have a set of common properties derived from the data contained in the packet.

  • Flow record: A Flow record is a set of key and non-key sFlow field values used to characterize flows. This record is created by inspecting packet headers and adding a description of packet information.

  • sFlow agent: Entity inside the network device responsible for maintaining sFlow configuration, gathering the sampled flow and counters from one or more data sources in the router, packaging them in sFlow datagram format, and exporting them to the sFlow collector.

  • sFlow collector: Application that receives the sFlow datagrams from one or more agents to perform further analysis and generate reports. The collector is external to the router.

  • Sampling rate: Frequency at which packets are sampled. It determines how many packets, on average, pass through the data source for each flow sample that is generated. A value of 100 means that on average, 1 out of 100 packets is randomly sampled to be exported.

  • Sampling interval: Period at which counters will be polled for populating the counter sample in the sFlow datagram.

  • sFlow datagram: User Datagram Protocol (UDP) datagram exported from sFlow agent to collector. The datagram contains information about the data source, one or more flow samples, and one or more counter samples.

  • Collector address: IP address and UDP port number of the collector. The default destination port number is 6343.

Flow Monitoring on Egress Interface

Table 1. Feature History Table

| Feature Name | Release Introduced | Description |
|---|---|---|
| Flow monitoring on Egress Interface | Release 26.1.1 | Introduced in this release on: Centralized Systems (8400 [ASIC: K100])(select variants only*). *This feature is supported on Cisco 8404-SYS-D routers. |
| Flow monitoring on Egress Interface | Release 25.4.1 | Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only*). *This feature is supported on: 8011-32Y8L2H2FH, 8011-12G12X4Y-A, 8011-12G12X4Y-D. |
| Flow monitoring on Egress Interface | Release 24.1.1 | Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*). You can now get precise insights into encapsulated and decapsulated data, prioritize critical outbound traffic, and ensure implementation of security measures. This is accomplished by activating egress flow monitoring on outbound interfaces within your network using sFlow. *This feature is now supported on: 8212-48FH-M, 8711-32FH-M, 8712-MOD-M, 88-LC1-12TH24FH-E, 88-LC1-52Y8H-EM, 88-LC1-36EH. |

Egress Interface Flow Monitoring enhances network visibility and control by prioritizing outbound traffic. This capability offers advanced monitoring and management of data exiting the network, providing a more comprehensive understanding of network dynamics. The key focus of this feature is to monitor packets that are either encapsulated or decapsulated through egress sFlow.

Encapsulated and decapsulated data monitoring in sFlow serves a crucial role in safeguarding sensitive information transmitted across the network. The process involves encapsulating data with an additional layer of information, enabling verification of its authenticity and integrity. This added layer makes it challenging for attackers to intercept or modify data during transmission. Conversely, decapsulation entails removing the encapsulated data layer, empowering network devices to analyze the information and take appropriate actions in real-time. This proactive approach aids in identifying and preventing attacks or anomalies, enhancing the overall security of the network.

How sFlow works

sFlow is a monitoring technology that samples network traffic in real time. Unlike NetFlow, sFlow does not encompass all network traffic.

In the context of traffic monitoring, sFlow functions by disaggregating the flow pipeline. Devices within the network stream packet headers and metadata, which are transmitted as UDP datagrams to an external collector. This collector decodes the packets and creates flow records. A notable feature of sFlow is its capability to export this data promptly, which lets the collector build a near real-time representation of network traffic.

The advantage of this real-time traffic analysis is its ability to monitor patterns and trends within the network, facilitate the automation of traffic engineering, and aid in making well-informed decisions when planning network capacity.

Recording of Packet Flows in sFlow

The packet in sFlow is recorded as follows:

Figure 1. Packet Flows in sFlow
[Figure: Recording flow of packets using sFlow technology. Stages shown: Sampling, Datagram Generation, Data Export, Analysis and Reporting]

In sFlow, the focus is on collecting sampled network traffic data rather than recording full packet flows. sFlow is designed to provide a statistical overview of network traffic by sampling packets and extracting relevant information for analysis.

Here's how sFlow handles the recording of packet flows:

  1. Sampling: The sFlow agent process in a network device samples packets based on a configured sampling rate. The sampling rate determines the percentage of packets that will be selected for analysis. For example, a sampling rate of 1-in-100 means that 1% of the packets will be sampled.

  2. Datagram Generation: The sFlow agent generates datagrams that contain information about the sampled packets. These datagrams include details such as packet header, sampling rate, port numbers, protocol information, and various flow statistics.

  3. Data Export: The sFlow datagrams are periodically exported from the sFlow agent to a designated sFlow collector or analyzer. The export can be done using protocols like UDP or TCP, and the datagrams are typically sent in a structured format like XDR.

  4. Analysis and Reporting: Upon receiving the sFlow data, the sFlow collector or analyzer processes and analyzes the information. It aggregates the sampled data to provide statistical insights into network traffic, including top talkers, protocol distribution, traffic patterns, and other metrics.
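A collector-side view of the four steps above, as an added example that is not part of the original page and is not Cisco code: a minimal Python decoder for an sFlow version 5 datagram that bounds-checks every field, extracts the sampled header, and scales each sample by its sampling rate. The field layout follows the public sFlow version 5 specification; the datagram, addresses and counter values are constructed for the example.

```python
import ipaddress
import struct

ETHERNET = 1          # sampled_header header_protocol value for Ethernet
FLOW_SAMPLE = 1       # sample tag: enterprise 0, format 1
SAMPLED_HEADER = 1    # flow record tag: enterprise 0, format 1


class XDR:
    """Cursor over the big-endian, 4-byte-aligned XDR encoding used by sFlow v5."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        return struct.unpack("!I", self.opaque(4))[0]

    def opaque(self, length):
        end = self.pos + ((length + 3) & ~3)      # opaque data is padded to 4 bytes
        if end > len(self.data):
            raise ValueError("truncated sFlow datagram")
        value = self.data[self.pos:self.pos + length]
        self.pos = end
        return value


def parse_flow_sample(body):
    x = XDR(body)
    _seq, source_id, rate, pool, drops, inp, out, n_records = (x.u32() for _ in range(8))
    sample = {"source_index": source_id & 0xFFFFFF, "sampling_rate": rate,
              "sample_pool": pool, "drops": drops, "input": inp, "output": out}
    for _ in range(n_records):
        tag, length = x.u32(), x.u32()
        rec = XDR(x.opaque(length))               # unknown record types are skipped by length
        if tag == SAMPLED_HEADER:
            proto, frame_len, _stripped, hdr_len = (rec.u32() for _ in range(4))
            sample.update(protocol=proto, frame_length=frame_len, header=rec.opaque(hdr_len))
    return sample


def parse_datagram(data):
    x = XDR(data)
    if x.u32() != 5:
        raise ValueError("not an sFlow v5 datagram")
    addr_type = x.u32()
    if addr_type not in (1, 2):                   # 1 = IPv4 agent, 2 = IPv6 agent
        raise ValueError("unknown agent address type")
    agent = ipaddress.ip_address(x.opaque(4 if addr_type == 1 else 16))
    sub_agent, sequence, _uptime_ms, n_samples = (x.u32() for _ in range(4))
    flows = []
    for _ in range(n_samples):
        tag, length = x.u32(), x.u32()
        body = x.opaque(length)                   # counter samples are skipped by length
        if tag == FLOW_SAMPLE:
            flows.append(parse_flow_sample(body))
    return {"agent": str(agent), "sub_agent": sub_agent, "sequence": sequence, "flows": flows}


def estimated_bytes(flows):
    """Scale each sampled IPv4-over-Ethernet frame by its sampling rate, per (src, dst)."""
    totals = {}
    for f in flows:
        h = f.get("header", b"")
        # Untagged Ethernet only: EtherType at 12..14, IPv4 addresses at 26..34.
        if f.get("protocol") == ETHERNET and len(h) >= 34 and h[12:14] == b"\x08\x00":
            key = (str(ipaddress.ip_address(h[26:30])), str(ipaddress.ip_address(h[30:34])))
            totals[key] = totals.get(key, 0) + f["frame_length"] * f["sampling_rate"]
    return totals


def build_sample_datagram():
    """Constructed datagram: one flow sample at 1-in-4096 with a 128-byte sampled header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0, 64, 6, 0,
                     ipaddress.ip_address("192.0.2.10").packed,
                     ipaddress.ip_address("198.51.100.20").packed)
    header = (bytes(12) + b"\x08\x00" + ip).ljust(128, b"\x00")
    record = struct.pack("!4I", ETHERNET, 1518, 4, len(header)) + header
    flow = struct.pack("!8I", 7, 24, 4096, 28672, 0, 24, 25, 1)
    flow += struct.pack("!2I", SAMPLED_HEADER, len(record)) + record
    agent = ipaddress.ip_address("192.127.10.1").packed
    return (struct.pack("!2I4s4I", 5, 1, agent, 0, 42, 1000, 1)
            + struct.pack("!2I", FLOW_SAMPLE, len(flow)) + flow)


if __name__ == "__main__":
    datagram = parse_datagram(build_sample_datagram())
    print(datagram["agent"], datagram["sequence"], estimated_bytes(datagram["flows"]))
```

The estimate is statistical: one 1518-byte frame sampled at 1-in-4096 stands for about 6.2 MB of traffic, so short-lived or low-volume flows may not appear at all.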

sFlow Export with ECMP Load Balancing

Table 2. Feature History Table

| Feature Name | Release Information | Feature Description |
|---|---|---|
| sFlow Export with ECMP Load Balancing | Release 26.1.1 | Introduced in this release on: Centralized Systems (8400 [ASIC: K100])(select variants only*). *This feature is supported on Cisco 8404-SYS-D routers. |
| sFlow Export with ECMP Load Balancing | Release 25.4.1 | Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only*). *This feature is supported on: 8011-32Y8L2H2FH, 8011-12G12X4Y-A/D. |
| sFlow Export with ECMP Load Balancing | Release 25.1.1 | Introduced in this release on: Fixed Systems (8700 [ASIC: P100], 8010 [ASIC: A100])(select variants only*). This feature is now supported on: 8712-MOD-M, 8011-4G24Y4H-I. |
| sFlow Export with ECMP Load Balancing | Release 24.4.1 | Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*). You can now achieve sFlow packet load balancing across all ECMP paths to the collector. This feature utilizes pre-routing to gather nexthop interface and IP details for each packet, ensuring uniform distribution. By actively utilizing all paths, it provides more effective load balancing and improved network performance while maintaining path tracking. The feature introduces these changes: CLI: The flow exporter-map command is modified to include the pre-route and all-ecmp-paths keywords. *This feature is supported on: 8212-48FH-M, 8711-32FH-M, 88-LC1-36EH, 88-LC1-12TH24FH-E, 88-LC1-52Y8H-EM. |

The sFlow ECMP Load Balancing feature enhances network routing by allowing routers to distribute sFlow packets across all available Equal-Cost Multi-Path (ECMP) routes to the sFlow collector.

The existing solution, introduced in IOS-XR software release 7.5.4, uses source-port entropy in the sFlow export UDP packets, but it cannot track specific paths because it has limited visibility of the outgoing interface. This new feature addresses these limitations by providing a pre-routing option, which gathers detailed nexthop information, including the output interface and nexthop IP address, for each packet. By actively utilizing all ECMP paths, the feature ensures efficient and uniform packet distribution, thereby improving routing performance, reliability, and network efficiency.

Benefits of ECMP Load Balancing

ECMP Load Balancing offers several key benefits:

  • Uniform Distribution: Ensures even distribution of sFlow packets across all available paths, optimizing load balancing.

  • Enhanced Visibility: Provides visibility into the nexthop details, overcoming the limitations of previous methods that lacked path tracking.

  • Improved Performance: Actively uses all ECMP paths, enhancing network efficiency without compromising path tracking.

Mirror and stream drop packets using SPAN and sFlow

Table 3. Feature History Table

| Feature Name | Release Information | Feature Description |
|---|---|---|
| Mirror and stream drop traps using SPAN and sFlow | Release 25.2.1 | Introduced in this release on: Modular Systems (8800 [LC ASIC: P100]). The forwarding dropped trap feature enables system-generated notifications to be mirrored and forwarded to an sFlow collector when packets are dropped during the forwarding process. By leveraging SPAN and sFlow, this feature provides valuable insights into potential network issues and enhances network traffic monitoring and analysis. |
| Mirror and stream drop packets using SPAN and sFlow | Release 25.1.1 | Introduced in this release on: Modular Systems (8800 [LC ASIC: P100]). sFlow now supports buffer drop and forward-drop streaming, enhancing its capability to capture packets dropped by the Traffic Management (TM) buffer when full. This feature allows streaming of mirrored copies of these packets using SPAN, ensuring effective traffic monitoring even during process restarts or network failovers. Additionally, it mirrors forward-drop packets to capture and analyze packets dropped at router ingress, aiding in understanding blocked traffic types, identifying potential security threats, and optimizing network performance. The feature introduces these changes: CLI: |

Mirror and stream drop packets using SPAN and sFlow

Starting from IOS-XR software release 25.1.1, the Mirror and Stream Dropped Packets using SPAN and sFlow feature enables the export of dropped packets using sFlow encapsulation. These packets are forwarded to an sFlow collector for in-depth analysis, alongside regular sFlow sampled packets. Differentiation is achieved using distinct UDP ports.

Key capabilities introduced by this feature include:

  • Extends existing SPAN-based mirroring to support dropped packet streaming via sFlow.

  • Uses distinct UDP ports to differentiate dropped and regular sFlow traffic.

  • Extends SPAN functionality to support dropped packet streaming.

  • Supports coexistence with regular sFlow traffic using separate exporter maps.

For more details about the traffic mirroring feature, refer to the Configure Traffic Mirroring chapter in the Interface and Hardware Component Configuration Guide for Cisco 8000 Series Routers.

Mirror and stream drop traps using SPAN and sFlow

Starting from IOS-XR software release 25.2.1, the Mirror and Stream Drop Traps using SPAN and sFlow feature enables the export of forward-drop traps using sFlow encapsulation. A trap refers to a system-detected event where a packet is dropped due to specific conditions such as ACL denies, TTL expiry, or protocol violations. These dropped packets are encapsulated and streamed to an sFlow collector for real-time diagnostics and analysis.

  • Provides real-time visibility into dropped traps.

  • Uses sFlow encapsulation to export drop traps to collectors.

Types of drop packets

  • Buffer drop packets: Buffer drop packets occur when the Traffic Management (TM) buffer reaches capacity and begins to drop incoming packets. This typically happens due to network congestion when the incoming traffic rate exceeds the buffer's processing capacity. The following scenarios lead to buffer drops:

    • TM_EXACT_METER_DROP: Occurs when the router drops packets because the incoming traffic rate exceeds the configured policer rate on the ingress interface.

    • TM_STATISTICAL_METER_DROP: Occurs when traffic is sent at a 100% line rate on an ingress interface, leading to packet drops.

  • Forward drop packets: Forward drop packets are dropped during the forwarding process at the router ingress. This can occur due to several reasons, including:

    • L3_IP_MC_PUNT_RPF_FAIL: Occurs when an IP multicast RPF check fails.

    • L3_ACL_FORCE_PUNT: Occurs when layer 3 egress security measures or UDF ACLs are configured to punt packets to the host.

    • L3_GLEAN_ADJ: Occurs during glean adjacency, when a router needs to forward packets but must first perform Address Resolution Protocol (ARP) resolution to obtain the next-hop MAC address.

    • L3_DROP_ADJ: Occurs when packets are dropped due to an inject up layer 3 lookup failure.

    • L3_TTL_OR_HOP_LIMIT_IS_ONE: Pertains to packets that have a Time-To-Live (TTL) or hop count of 1. These packets are typically dropped to prevent them from circulating indefinitely within the network, adhering to the principles of loop prevention.

    • OAMP_BFD_MISMATCH_DISCR: Occurs when there is a mismatch in the Bidirectional Forwarding Detection (BFD) session discriminator.

Starting from IOS-XR software release 25.2.1, the number of supported trap events has increased. Use the command show controllers npu stats traps-all instance all local to view them. The traps punted by the NPU are marked as (D*) and are supported.

Prerequisite for drop packet streaming

The following prerequisites must be met to stream dropped packets using sFlow.

  • Transition to sFlow: Devices using NetFlow or IPFIX must transition to sFlow for regular sampling before utilizing the dropped packet feature, ensuring compatibility and consistency in data analysis.

  • Collector configuration: A unified sFlow collector must be configured to handle both regular and dropped packet flows, utilizing different UDP ports to distinguish between the two streams.

Benefits of drop packet streaming

  • Captures and forwards dropped packets to an sFlow collector, providing detailed insights.

  • Comprehensive Analysis: Allows for simultaneous analysis of regular and dropped packet flows, offering a holistic view.

  • Troubleshooting: Empowers network administrators to effectively identify and resolve issues, reducing downtime and enhancing performance.

Guidelines for Mirroring and Streaming Drop Packets

Configuration Best Practices

Use SPAN and sFlow to mirror dropped packets and traps for real-time visibility and diagnostics, so that packet loss events are both observable and actionable.

  • Use a dedicated exporter map for drop traffic.

  • Configure only one drop sFlow session per system to maintain export integrity.

  • Use distinct UDP ports to differentiate drop traffic from regular sFlow exports.

  • Do not modify DSCP marking for drop exports; it is fixed at 0.

  • Ensure the export rate does not exceed 540 packets per second to avoid performance degradation.

System and Hardware Limitations

  • System Support: Certain features like INJECT_UP_L3_LOOKUP_FAIL packet export are only supported on fixed systems, not modular ones.

  • ASIC Support: TM_EXACT_METER_DROP is supported only on Q200 ASIC-based systems, excluding P100 ASIC-based systems.

  • Session Limitations:

    • Only one global forward-drop session and one TM buffer drop session are supported for file (SPAN-to-file sessions), GRE (ERSPAN) tunnel interface, and sFlow destinations.

    • GRE tunnel interfaces and sFlow destinations cannot be configured together; they are mutually exclusive.

    • You cannot configure reachability for GRE and sFlow destinations through management interfaces.

  • ERSPAN Limitations: Default encapsulation traffic class value is 0 for buffer and forward-drop packets, and ERSPAN counters are not updated for these packets.

  • sFlow export: Drops resulting from inject packets (packets originating from the router) are not exported via the sFlow export facility.

These guidelines help maintain consistent monitoring, reduce configuration errors, and ensure dropped packets are captured and analyzed effectively.

Set DSCP value to mirror forward or drop packets through sFlow

Table 4. Feature History Table

| Feature Name | Release Information | Feature Description |
|---|---|---|
| DSCP support for mirroring of forward and drop packets through sFlow | Release 25.4.1 | Introduced in this release on: Modular Systems (8800 [LC ASIC: P100]). You can now configure the DSCP value as part of the flow exporter configuration. The DSCP value is set using the dscp command in the flow exporter-map configuration. This allows marking of packets during export, including forwarded or dropped packets through sFlow. This feature helps in traffic management and monitoring capabilities. |

Procedure


Set DSCP value in the flow exporter map configuration.

Example:


flow exporter-map fem
 version sflow v5
 !
 dscp 38
 source HundredGigE0/0/0/18
 destination 101.35.0.2
!

sFlow parameters and default values

Table 5. Feature History Table

| Feature Name | Release Information | Feature Description |
|---|---|---|
| Increased sFlow sample-header size | Release 26.1.1 | Introduced in this release on: Centralized Systems (8400 [ASIC: K100])(select variants only*). *This feature is supported on Cisco 8404-SYS-D routers. |
| Increased sFlow sample-header size | Release 25.4.1 | Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only*). *This feature is supported on: 8011-32Y8L2H2FH, 8011-12G12X4Y-A/D. |
| Increased sFlow sample-header size | Release 25.1.1 | Introduced in this release on: Fixed Systems (8010 [ASIC: A100]). This feature is now supported on Cisco 8011-4G24Y4H-I routers. |
| Increased sFlow sample-header size | Release 24.4.1 | Introduced in this release on: Fixed Systems(8200, 8700)(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*). *This feature is now supported on: 8212-48FH-M, 8711-32FH-M, 8712-MOD-M, 88-LC1-12TH24FH-E, 88-LC1-52Y8H-EM, 88-LC1-36EH. |
| Increased sFlow sample-header size | Release 7.3.4 | You can now increase the sFlow sampling size to 343 bytes of the incoming or outgoing packet header. This enhancement lets the router export a larger sample to the flow-analyzer tool, enabling the tool to provide more accurate network analytics. In earlier releases, you could configure up to 200 bytes. |

The following table lists the sFlow parameters and default values that you can use when configuring sFlow on the router:

Table 6. sFlow Parameters and Default Values

| Parameter | Value | Command |
|---|---|---|
| Sampling rate | Default value: 1 out of 10000 packets | sampler-map |
| Sample header size | 128 - 343 bytes (from Cisco IOS XR Release 7.3.4 onwards); 128 - 200 bytes (prior to Cisco IOS XR Release 7.3.4). Default value: 128 bytes | flow monitor-map |
| Counter poll interval | 5-1800 seconds. Default value: None | flow monitor-map |
| Collector port | Configurable. Default value: 6343 | flow exporter-map |

sFlow Sampling

The following methods are used in sFlow for capturing and analyzing network traffic:

  • Counter Sampling: In the counter sampling method, only specific counters or statistics are sampled and collected for analysis. Instead of capturing and analyzing packets or flows, counter sampling focuses on monitoring and collecting information about specific network metrics or performance indicators. These metrics can include interface utilization, packet drops, CPU usage, memory usage, and other relevant statistics. Counter sampling provides a high-level view of network health and performance without the need to capture and analyze every single packet.

  • Flow Sampling: Flow sampling, on the other hand, involves capturing and analyzing sampled network flows. A flow can be defined as a sequence of packets that share common attributes, such as source and destination IP addresses, port numbers, and protocol information. Flow sampling selects a subset of these flows for analysis. By capturing and analyzing flows, you can gain insights into traffic patterns, detect anomalies, and monitor performance. Flow sampling allows for more granular analysis of network traffic compared to counter sampling.

You can choose the method depending on the specific monitoring needs and objectives of the network.

Configure sFlow

This page explains how to configure sFlow to monitor network traffic using sampled data.

sFlow Guidelines and Limitations

General

  • When egress sFlow is enabled, the Layer 2 information of ingress packets is captured instead of the egress interface. This behavior is not supported on the 88-LC1-12TH24FH-E and 88-LC1-52Y8H-EM line cards.

  • sFlow samples are combined into UDP packets and forwarded to sFlow collectors for analysis. It's important to note that UDP, being a connectionless protocol, doesn't ensure the delivery of data. Consequently, utilizing sFlow as a flow source could potentially lead to inaccurate representations of traffic volumes, bidirectional flows, and a reduction in alerting capabilities.

  • Only one sampler configuration per router is allowed.

  • The maximum supported sampling interval is 1 out of 262,144 packets.

  • Only one active sampler per router is supported. Multiple sampler maps that are not used in flow configuration are allowed.

Flow Exporter

  • When sFlow is on a bundle with members located on different Line Cards (LCs), flows are exported with the same ifindex id for the bundle interface. However, they possess distinct sub-agent ids and sequence numbers.

  • A maximum of 8 export destinations per monitor map for both IPv4 and IPv6 are allowed.
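Because export runs over UDP and each line card exports with its own sub-agent ID and sequence numbers, a collector has to track datagram loss per (agent, sub-agent) pair. The following is an added example, not part of the original page: it shows how keying the sequence check on the agent address alone miscounts loss. The arrival order and sequence values are constructed, and the header layout follows the public sFlow version 5 specification.

```python
import struct
from collections import defaultdict


def header_fields(datagram):
    """Return (agent, sub_agent_id, sequence_number) for an sFlow v5 datagram with an IPv4 agent."""
    if len(datagram) < 20:
        raise ValueError("truncated sFlow datagram")
    version, addr_type, addr, sub_agent, sequence = struct.unpack_from("!2I4s2I", datagram)
    if version != 5 or addr_type != 1:
        raise ValueError("expected sFlow v5 with an IPv4 agent address")
    return ".".join(map(str, addr)), sub_agent, sequence


class LossTracker:
    """Count missing datagrams from gaps in the datagram sequence number."""

    def __init__(self, per_sub_agent=True):
        self.per_sub_agent = per_sub_agent
        self.last = {}
        self.received = defaultdict(int)
        self.missing = defaultdict(int)

    def observe(self, datagram):
        agent, sub_agent, sequence = header_fields(datagram)
        key = (agent, sub_agent) if self.per_sub_agent else (agent,)
        previous = self.last.get(key)
        if previous is not None:
            gap = (sequence - previous) & 0xFFFFFFFF   # 32-bit counter, wraps
            if gap == 0 or gap >= 0x80000000:
                return key       # duplicate or late datagram: ignored (conservative)
            self.missing[key] += gap - 1
        self.received[key] += 1
        self.last[key] = sequence
        return key

    def loss_ratio(self, key):
        expected = self.received[key] + self.missing[key]
        return self.missing[key] / expected if expected else 0.0


def make_datagram(sub_agent, sequence, agent=bytes([192, 127, 10, 1])):
    """Constructed header-only datagram (no samples) for the demonstration."""
    return struct.pack("!2I4s4I", 5, 1, agent, sub_agent, sequence, 0, 0)


# Constructed arrival order: a bundle with members on two line cards, so the same
# agent exports as sub-agent 0 and sub-agent 1. Sub-agent 0 loses sequence 102.
ARRIVALS = [(0, 100), (1, 5000), (0, 101), (1, 5001), (0, 103), (1, 5002)]


def run(per_sub_agent):
    tracker = LossTracker(per_sub_agent)
    for sub_agent, sequence in ARRIVALS:
        tracker.observe(make_datagram(sub_agent, sequence))
    return tracker


if __name__ == "__main__":
    print("per sub-agent:", dict(run(True).missing))
    print("per agent only:", dict(run(False).missing))
```

Keyed per sub-agent, the tracker reports the single lost datagram; keyed on the agent alone, it reports thousands of phantom losses and hides the real one.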

Flow Monitor

  • Ingress sFlow is supported on Cisco 8200 and Cisco 8800 Series Routers.

  • Egress sFlow is supported only on Cisco 8200 Series Routers.

Interfaces

  • L3 interfaces, L3 bundle interfaces, L3 sub-interfaces, L3 bundle sub-interfaces, and L3 BVI interfaces are supported.

  • Up to 2000 L3 interfaces are supported.

  • Tunnel and Ethernet PseudoWire (PW) interfaces are not supported.

  • ARP, multicast, broadcast, and IP-in-IP packets are excluded from the sampling process.

Loadbalance sFlow Traffic

  • Cisco 8000 modular routers do not load balance sFlow traffic across multiple ECMP paths. When more than one path is available, the router selects only one. Typically, sending sFlow traffic over a single path is sufficient, and load balancing isn't necessary.

    To enable load balancing across all ECMP paths, configure the router to use multiple UDP source ports for sFlow export packets. This method, known as "source-port entropy," uses a hashing-based algorithm to select paths, resulting in multiple ECMP paths being used. This approach does not provide statistics on the number of sFlow packets per path, as the sFlow process does not know the outgoing interface used. To configure multiple source ports, use the transport udp source-port multiple command.
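The limits in this section, in Table 6, and in the drop-streaming guidelines can be checked before a change is committed. The following is an added example, not a Cisco tool and not part of the original page: a small Python audit over configuration text. The indented running-config layout, the sample configuration, and the release_26_2_1 switch are assumptions made for the example.

```python
import re

LEGACY_MAX_INTERVAL = 262_144   # documented maximum before release 26.2.1
NEW_MAX_INTERVAL = 8_000_000    # documented maximum from release 26.2.1
BASE_INTERVAL = 262_143         # base value named in the syslog notice
DEFAULT_PORT = 6343             # default collector port

# Constructed configuration with four deliberate problems. The indented
# running-config layout is an assumption, not copied from a router.
SAMPLE_CONFIG = """\
flow exporter-map EXP-MAP
 version sflow v5
 transport udp 6343
 destination 192.127.0.1
flow exporter-map fem
 version sflow v5
 destination 192.127.0.1
sampler-map SAMP-MAP
 random 1 out-of 4096
sampler-map SAMPLER3
 random 1 out-of 500000
flow monitor-map MON-MAP
 record sflow
 sflow options
  if-counters polling-interval 120
  sample-header size 400
 exporter EXP-MAP
monitor-session mon1 ethernet
 destination sflow exporter-map-name fem
 drops
interface HundredGigE0/0/0/3
 flow datalinkframesection monitor-map MON-MAP sampler SAMP-MAP ingress
interface HundredGigE0/0/0/24
 flow datalinkframesection monitor-map MON-MAP sampler SAMPLER3 ingress
"""


def blocks(config):
    """Map each top-level config line to the indented lines below it."""
    out, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            out[current].append(line)
        else:
            current = line
            out[current] = []
    return out


def number(lines, pattern):
    for line in lines:
        match = re.fullmatch(pattern, line)
        if match:
            return int(match.group(1))
    return None


def audit(config, release_26_2_1=False):
    cfg, findings = blocks(config), []
    named = lambda prefix: {h.split()[-1]: b for h, b in cfg.items() if h.startswith(prefix)}
    exporters = named("flow exporter-map ")
    port = lambda name: number(exporters.get(name, []), r"transport udp (\d+)") or DEFAULT_PORT
    limit = NEW_MAX_INTERVAL if release_26_2_1 else LEGACY_MAX_INTERVAL
    for name, body in named("sampler-map ").items():
        n = number(body, r"random 1 out-of (\d+)")
        if n is not None and n > limit:
            findings.append(f"sampler {name}: interval {n} exceeds {limit}")
        elif n is not None and release_26_2_1 and n > BASE_INTERVAL and n % BASE_INTERVAL:
            findings.append(f"sampler {name}: interval {n} is not a multiple of {BASE_INTERVAL}")
    regular = set()                       # exporter maps used for regular sFlow
    for name, body in named("flow monitor-map ").items():
        used = [ln.split()[-1] for ln in body if ln.startswith("exporter ")]
        regular.update(used)
        dests = sum(ln.startswith("destination ") for e in used for ln in exporters.get(e, []))
        if dests > 8:
            findings.append(f"monitor {name}: {dests} export destinations, maximum is 8")
        size = number(body, r"sample-header size (\d+)")
        if size is not None and not 128 <= size <= 343:
            findings.append(f"monitor {name}: sample-header size {size} outside 128-343")
        poll = number(body, r"if-counters polling-interval (\d+)")
        if poll is not None and not 5 <= poll <= 1800:
            findings.append(f"monitor {name}: polling interval {poll} outside 5-1800")
    active = {m.group(1) for h, b in cfg.items() if h.startswith("interface ") for ln in b
              for m in [re.search(r"monitor-map \S+ sampler (\S+)", ln)] if m}
    if len(active) > 1:
        findings.append(f"{len(active)} active samplers, only one is supported")
    drops = [ln.split()[-1] for h, b in cfg.items() if h.startswith("monitor-session ")
             for ln in b if ln.startswith("destination sflow exporter-map-name ")]
    if len(drops) > 1:
        findings.append("more than one drop sFlow session configured")
    for name in drops:                    # drop stream needs its own map and UDP port
        if name in regular or port(name) in {port(r) for r in regular}:
            findings.append(f"drop exporter {name}: not separated from regular sFlow export")
    return findings
```

Calling audit(SAMPLE_CONFIG, release_26_2_1=True) returns four findings: the non-multiple sampling interval, the oversized sample header, the second active sampler, and the drop exporter that falls back to the default port 6343 already used by the regular exporter.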

Configuring sFlow

To enable this monitoring, it is necessary to configure the sFlow agent to use a sampling mechanism, forwarding traffic data from both ingress and egress ports to a centralized data collector, also referred to as the sFlow analyzer. The sampled data is forwarded using the version 5 export format. You'll find instructions for configuring sFlow on the router in the following section. Let's use the following topology as a reference for configuring sFlow.

Figure 2. sFlow Configuration
[Figure: Configuring sFlow for traffic monitoring]

Procedure


Step 1

First, let's gather the required details to enable sFlow on a router:

  • The IP address of the source: 2001:db8::0001

  • The IP address of the sFlow Collector (Destination address): 2001:db8::0002

  • Interface of the router where we will enable sFlow: HundredGigE 0/0/0/24

  • sFlow version used to transport the data to the collector: version 5

Step 2

Configure the Flow Exporter using the flow exporter-map command to specify where and how the packets should be exported.

The following attributes can be configured while creating an exporter map:

  • Export destination IP address (IPv4 or IPv6 address). The same packets can be exported to multiple IPv4 or IPv6 destinations.

  • DSCP value

  • Source interface and its IP address

  • Transport protocol

  • UDP port number, where the collector listens to the packets

  • Maximum datagram length

  • Don't Fragment bit (DF-bit). The DF-bit within the IP header is supported only on IPv4 transport and determines whether the router is allowed to fragment a packet.

In this example, you create an exporter map called EXP-MAP to export the IPv4 packets to the destination address 192.127.0.1 using the UDP transport protocol:
Router(config)#flow exporter-map EXP-MAP
Router(config-fem)#version sflow v5
Router(config-fem)#packet-length 9000
Router(config-fem)#transport udp 6343
Router(config-fem)#source HundredGigE 0/0/0/1
Router(config-fem)#source-address 192.127.10.1
Router(config-fem)#destination 192.127.0.1
Router(config-fem)#dfbit set
  • ECMP Load Balancing:

    In this example, you configure ECMP load balancing option for sFlow.

    Router(config)#flow exporter-map EXP-MAP
    Router(config-fem)# pre-route all-ecmp-paths
    Router(config-fem-pre-route)# all-ecmp-paths
  • Stream Dropped Packets:

    In this example, you configure forward-drop using SPAN on sFlow.

    Router(config)#monitor-session mon1 ethernet
    Router(config-mon)#destination sflow exporter-map-name fem
    Router(config-mon)#drops
    !
    Router(config)#flow exporter-map fem
    Router(config-fem)#version sflow v5
    !

Verify the Flow Exporter configuration using the show flow exporter-map command.

Router#show flow exporter-map EXP-MAP
Flow Exporter Map : EXP-MAP
-------------------------------------------------
Id                  : 1
Packet-Length       : 9000
DestinationIpAddr   : 192.127.0.1
VRFName             : default
SourceIfName        : HundredGigE 0/0/0/3
SourceIpAddr        : 192.127.10.1
DSCP                : 0
TransportProtocol   : UDP
TransportDestPort   : 6343

Export Version      : sFlow v5

The Export Version: sFlow v5 indicates that the exporter map configuration is successful.

  • Verifying ECMP Load Balancing:
    Router#show flow exporter-map EXP-MAP pre-route path-index all location 0/0/CPU0
    ---------------------------------------------------
    Wed Dec  4 21:59:15.659 UTC
    
    Exporter: EXP-MAP
    
      Pre-route enabled: True
    
        Enabled as default: False
    
        Enabled in configuration: True
    
        Platform capability: True
    
        All ecmp paths: True
    
        Statistics:
    
          Packets handled: 92
    
          Packets not handled: 1
    
        Current Path list information:
    
          Reset time: 2024:12:04 21:53:07 UTC
    
          Path count:1
    
          Path index:0
    
            Path context:
    
              Nexthop Information:
    
                Output Interface Handle: 0x138
    
                Output Interface Name: FourHundredGigE0/0/0/1
    
                Nexthop-address: 30.0.0.2
    
              Statistics:
    
                Packets sent: 92
    
                Last Packet Sequence number: 92
    
  • Verifying Dropped Packet Streaming:
    Router#show monitor-session status
    Mon Dec 16 03:29:58.569 UTC
    Monitor-session mon1
    Destination sFlow - fem
    ================================================================================
    SW Mirrored Packet type  Dir
    ------------------------ ------
    All drops                Rx, Tx
    
    
    Source Interface      Dir   Status
    --------------------- ----  ----------------------------------------------------
    
    Monitor-session default_monitor_session
    Destination File - Packet collecting (always-on)
      Periodic write interval: 86400 seconds
      Maximum periodic capture capacity: 1GB
    ================================================================================
    SW Mirrored Packet type  Dir
    ------------------------ ------
    Packet-processing drops  Rx    
    Traffic-management drops Rx    
    
    
    Source Interface      Dir   Status
    --------------------- ----  ----------------------------------------------------
    

Step 3

Configure the Flow Sampler using the sampler-map command to define the sampling rate for flow samples, which determines how many packets (on average) that pass through the data source will generate a flow sample.

In this example, you create a sampler map called SAMP-MAP to sample 1 out of every 4096 packets.
Router(config)#sampler-map SAMP-MAP
Router(config-sm)#random 1 out-of 4096

Verify the sampler map configuration using the show sampler-map command.

Router#show sampler-map SAMP-MAP
Sampler Map : SAMP-MAP
-------------------------------------------------
Id:         1
Mode:       Random (1 out of 4096 Pkts)

In this example, the sampler map configuration is successful with a sample rate of 1 out of every 4096 packets.

  • Starting from IOS-XR software release 26.2.1, you can configure high sampling intervals up to one out of 8,000,000 packets.

    In this example, you create a sampler map called SAMPLER3 to sample 1 out of every 524286 packets.

    Router(config)#sampler-map SAMPLER3
    Router(config-sm)#random 1 out-of 524286

    Verify the sampler map configuration using the show sampler-map command.

    Router#show sampler-map SAMPLER3
    Sampler Map : SAMPLER3
    -------------------------------------------------
    Id:      4
    Mode:    Random (1 out of 524286 Pkts)
    Hardware Sampling Interval: 262143 with Software multiplier: 2

    In this example, the sampler map configuration is successful with a sample rate of 1 out of every 524286 packets.

    Note

     
    • Optimal performance is achieved using multiples of 262,143.

    • If you configure an interval which is not a multiple of 262,143, a syslog notice may recommend a more optimal value.

      Example Syslog message:
      Sampling interval 500000 is not a multiple of recommended base value 262143. Consider configuring a multiple of 262143 for optimal performance.

Step 4

Configure the Flow Monitor using the flow monitor-map command to define the type of traffic to be monitored and the polling frequency. You can include one or more exporter maps in the monitor map.

In this example, you create a monitor map called MON-MAP and include the exporter map EXP-MAP to record sFlow data at a polling interval of 120 seconds:
Router(config)#flow monitor-map MON-MAP
Router(config-fmm)#record sflow
Router(config-fmm)#sflow options
Router(config-fmm-sflow)#extended-router
Router(config-fmm-sflow)#extended-gateway
Router(config-fmm-sflow)#if-counters polling-interval 120
Router(config-fmm-sflow)#input ifindex physical
Router(config-fmm-sflow)#output ifindex physical
Router(config-fmm-sflow)#sample-header size 200
Router(config-fmm-sflow)#exporter EXP-MAP

You can export input and output interface handles if the ingress or egress interface is a bundle or a Bridge-Group Virtual Interface (BVI).

Verify the monitor map configuration using the show flow monitor-map command.

Router#show flow monitor-map MON-MAP

Flow Monitor Map : MON-MAP
-------------------------------------------------
Id:                2
RecordMapName:     sflow
ExportMapName:     EXP-MAP
ExtendedRouter:    Enabled
ExtendedGateway:   Enabled
InterfaceCounters: Enabled 
PollingInterval:   30 seconds
SampledHeaderSize: 200

Input ifhandle physical
Output ifhandle physical

In this example, the monitor map is configured successfully with the associated exporter map to monitor the interface counters at a polling interval of 30 seconds.

Step 5

Apply sFlow on an interface using flow datalinkframesection command in Global Configuration mode.

In this example, you apply the monitor map MON-MAP and the sampler map SAMP-MAP on the HundredGigE 0/0/0/3 interface in the ingress direction to monitor the incoming packets:
Router(config)#interface HundredGigE 0/0/0/3
Router(config-if)#ipv4 address 192.127.0.56 255.255.255.0
Router(config-if)#ipv6 address FFF2:8:DE::56/64
Router(config-if)#flow datalinkframesection monitor-map MON-MAP sampler SAMP-MAP ingress

Step 6

Enable sFlow on the RP (0/RP0/CPU0) or on the line card using hw-module profile netflow sflow-enable command.

Router(config)#hw-module profile netflow sflow-enable location 0/0/CPU0

Step 7

Reload the line card using hw-module reset auto command.

Router#reload location 0/0/CPU0

With this configuration, sFlow is enabled on the line card.

Step 8

Verify the statistics of exported traffic flow at the producer and exporter using show flow platform producer statistics location and show flow exporter commands.

Producer:
Router#show flow platform producer statistics location 0/0/CPU0
Netflow Platform Producer Counters:
IPv4 Ingress Packets:                        0
IPv4 Egress Packets:                         0
IPv6 Ingress Packets:                        0
IPv6 Egress Packets:                         0
MPLS Ingress Packets:                        0
MPLS Egress Packets:                         0
IPFIX315 Ingress Packets:                    0
IPFIX315 Egress Packets:                     0
sFlow Ingress Samples:                  100000
Drops (no space):                            0
Drops (other):                               0
Unknown Ingress Packets:                     0
Unknown Egress Packets:                      0
Worker waiting:                              0

Exporter:

Router#show flow exporter EXP-MAP location 0/0/CPU0 
Wed June 21 04:21:36.263 UTC
Flow Exporter: EXP-MAP 
Export Protocol: sFlow v5 
Flow Exporter memory usage: 5247776
Used by flow monitors: MON-MAP

Status: Normal
Transport:   UDP
Destination: 192.127.0.1     (6343) VRF default
Source:      192.127.10.1    (6331)
Flows exported:                               50245 (9631004 bytes)
Flows dropped:                                    0 (0 bytes)

Packets exported:                              7372 (19262008 bytes)
Packets dropped:                                  0 (0 bytes)

Total export over last interval of:
  1 hour:                                      7363 pkts
                                            9629960 bytes
                                              50236 flows
  1 minute:                                      12 pkts
                                               1392 bytes
                                                 12 flows
  1 second:                                       0 pkts
                                                  0 bytes
                                                  0 flows

The sFlow configuration with flow and packet data is successful on the router.


What to do next

Analyze the traffic using the UDP datagram and sampled data collected at the sFlow collector.

This image shows an example of sampled data that has been collected at the sFlow collector.

sFlow support for PBR IP-in-IP tunnel traffic

sFlow support for PBR IP-in-IP tunnel traffic is a network monitoring feature that

  • enables sampling and export of both inner and outer headers for packets traversing policy-based routed IP-in-IP tunnels

  • supports accurate analysis of tunneled flows by handling header manipulation during encapsulation and decapsulation

  • facilitates advanced use cases like differentiated statistics, hashing, and extended metadata export for operational analytics, and

  • accurately reports egress metadata such as outgoing physical interface and next hop address information.

Table 7. Feature History Table

Feature Name: sFlow support for PBR IP-in-IP tunnel traffic

Release Information: Release 26.2.1

Feature Description: Introduced in this release on: Fixed Systems (8200 [ASIC: Q200]); Centralized Systems (8600 [ASIC: Q200])

You gain enhanced visibility into IP-in-IP tunneled traffic, even when headers are added or removed by policy-based routing. This feature enables sFlow to export both inner and outer header details, ensuring accurate monitoring and analytics for encapsulated and decapsulated flows. Additionally, it reports essential egress metadata, such as the outgoing physical interface and next-hop address information.

Traffic visibility and header analysis with sFlow PBR IP-in-IP tunnel support

The sFlow PBR tunnel extension increases visibility by enabling accurate statistics collection for tunnel traffic, which supports comprehensive monitoring and analytics in advanced networking scenarios.

Key aspects of this feature include:

  • Accurate sampling and export of both inner and outer packet headers.

  • Support for IPv4 and IPv6 IP-in-IP tunnel scenarios.

  • Ability to pass platform-specific context to maintain forwarding logic and hashing consistency.

Core parameters and header fields relevant to tunnel sFlow include:

  • Byte offset to the inner header, enabling deep packet parsing.

  • VRF context used in the last PBR lookup.

  • Extended punt header structure: Contains additional metadata fields for accurate context preservation.


Note


The egress interface is not resolved for popgate FRR1.


Configure sFlow for Policy-Based Routing (PBR) IP-in-IP Tunnel Traffic

Ensure full visibility and facilitate advanced analytics for encapsulated Policy-Based Routing (PBR) traffic, such as IP-in-IP tunnels, by configuring sFlow to sample and export relevant data.

In multi-tenant, high-traffic networks, encapsulated traffic such as PBR-based IP-in-IP tunnels can obscure network visibility. Proper sFlow configuration enables scalable traffic sampling, supports troubleshooting, and provides critical insights for monitoring and analytics.

Procedure


Step 1

Identify required parameters:

  • Source IP address to export sFlow samples (e.g., 2001:db8::203:0:113:255)

  • Destination IP address of the sFlow collector (e.g., 2001:db8::192:0:2:12)

  • Router interface for sFlow enablement (e.g., Bundle-Ether1)

  • sFlow version (e.g., version 5)

Step 2

Configure the Flow Exporter:


Router(config)#flow exporter-map OC-FEM-GLOBAL
Router(config-fem)#version sflow v5
Router(config-fem)#transport udp 6343
Router(config-fem)#source-address 2001:db8::203:0:113:255
Router(config-fem)#destination 2001:db8::192:0:2:12
Router(config-fem)#exit
    

Step 3

Configure the Flow Sampler:


Router(config)#sampler-map OC-FSM-GLOBAL-INGRESS
Router(config-sm)#random 1 out-of 1262143
Router(config-sm)#exit
                    

Step 4

Configure the Flow Monitor:


Router(config)#flow monitor-map OC-FMM-GLOBAL
Router(config-fmm)#record sflow
Router(config-fmm)#sflow options
Router(config-fmm-sflow)#input ifindex physical
Router(config-fmm-sflow)#output ifindex physical
Router(config-fmm-sflow)#sample-header size 343
Router(config-fmm-sflow)#extended-router
Router(config-fmm-sflow)#extended-gateway
Router(config-fmm-sflow)#extended-ipv4-tunnel-egress
Router(config-fmm-sflow)#extended-ipv6-tunnel-egress
Router(config-fmm-sflow)#exporter OC-FEM-GLOBAL
Router(config-fmm-sflow)#exit
                    

Step 5

Configure the PBR policy and apply sFlow on the interface:


! Define traffic class and PBR policy
Router(config)#class-map type traffic match-all 1_redirect-to-vrf_t
Router(config-cmap-traffic)#match source-address ipv4 198.51.100.111 255.255.255.255
Router(config-cmap-traffic)#exit
Router(config)#policy-map type pbr redirect-to-vrf_t
Router(config-pmap)#class type traffic 1_redirect-to-vrf_t
Router(config-pmap-c)#redirect ipv4 nexthop vrf TE_VRF_111
Router(config-pmap-c)#exit
Router(config-pmap)#class type traffic class-default
Router(config-pmap-c)#exit
Router(config-pmap)#exit

! Apply the policy and sFlow on Bundle-Ether1
Router(config)#interface Bundle-Ether1
Router(config-if)#service-policy type pbr input redirect-to-vrf_t
Router(config-if)#ipv4 address 192.0.2.1 255.255.255.252
Router(config-if)#ipv6 address 2001:db8::192:0:2:1/126
Router(config-if)#lacp mode active
Router(config-if)#mac-address 0201.0000.0001
Router(config-if)#flow datalinkframesection monitor OC-FMM-GLOBAL sampler OC-FSM-GLOBAL-INGRESS ingress
Router(config-if)#commit
                    

Step 6

Enable sFlow and relevant profiles on the hardware module:

Replace <LC slot> with the actual line card slot (e.g., 0/0/CPU0).


Router(config)#hw-module profile netflow sflow-enable location <LC slot>
Router(config)#hw-module profile pbr vrf-redirect
Router(config)#hw-module profile cef iptunnel scale
Router(config)#hw-module profile cef hash ip-field-duplication
Router(config)#cef platform load-balancing algorithm adjust auto-global
Router(config)#cef platform load-balancing extended-entropy auto-global
Router(config)#commit
                    

Step 7

Reload the line card to activate hardware profiles:


Router#hw-module location all reload
                    

Step 8

Verify sFlow operation with show commands:

Verify hardware-level flow statistics: Use the show flow platform producer statistics location <node-id> command to monitor the flow generation rates and drop counters on a specific line card.

Router#show flow platform producer statistics location

Ensure that sample count and export counters increase with traffic, error/drop counters remain low, and sampling is active on the relevant interface in the ingress direction.
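The Step 8 check, compared across two readings of the producer counters, as an added example (not Cisco code). The first snapshot reuses counters from the producer output shown on this page; the later snapshots, the function names and the 1% drop threshold are assumptions made for illustration.

```python
import re

# Matches "Name:   <integer>" lines as printed by the producer statistics command.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()]*?):\s+(\d+)\s*$")
SAMPLE_COUNTER = "sFlow Ingress Samples"
DROP_COUNTERS = ("Drops (no space)", "Drops (other)")

def parse_producer(text):
    """Return {counter name: value} parsed from the command output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def check_health(before, after, max_drop_ratio=0.01):
    """Compare two snapshots; an empty list means the step 8 conditions hold."""
    new_samples = after.get(SAMPLE_COUNTER, 0) - before.get(SAMPLE_COUNTER, 0)
    if new_samples < 0:
        return ["counters went backwards: line card reloaded or counters cleared"]
    findings = []
    if new_samples == 0:
        findings.append("no new sFlow ingress samples between snapshots")
    for name in DROP_COUNTERS:
        dropped = after.get(name, 0) - before.get(name, 0)
        if dropped > max_drop_ratio * max(new_samples, 1):
            findings.append(f"{name} grew by {dropped} against {new_samples} new samples")
    return findings

# First snapshot: counters taken from the output shown on this page (trimmed).
SNAP_1 = """\
Netflow Platform Producer Counters:
IPv4 Ingress Packets:                        0
sFlow Ingress Samples:                  100000
Drops (no space):                            0
Drops (other):                               0
"""
# Later snapshots are constructed sample data, not device output.
SNAP_OK = SNAP_1.replace("100000", "104200")
SNAP_DROPPING = """\
sFlow Ingress Samples:                  104200
Drops (no space):                          900
Drops (other):                               0
"""

if __name__ == "__main__":
    first = parse_producer(SNAP_1)
    for label, snap in (("ok", SNAP_OK), ("dropping", SNAP_DROPPING), ("stalled", SNAP_1)):
        print(label, check_health(first, parse_producer(snap)))
```

A growing "Drops (no space)" counter means samples are being discarded before export, so a collector that scales its totals by the sampling rate will under-report traffic.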


Increased sampling interval support for NetFlow and sFlow

Increased sampling interval support for NetFlow and sFlow is a feature that

  • facilitates configuration of high sampling intervals up to one out of 8,000,000 packets on Cisco IOS XR 8000 Series platforms,

  • combines hardware and software mechanisms transparently to achieve large sampling rates above platform hardware maximums, and

  • ensures consistency in reported sampling intervals to flow collectors and analytics systems.

This feature addresses scalability requirements in environments with large-scale analytics, prevents backend overload, and supports use cases such as GNPSI and high-volume flow export.

Table 8. Feature History Table

Feature Name: Increased sampling interval support for NetFlow and sFlow

Release Information: Release

Feature Description: Introduced in this release on: Fixed Systems (8200 [ASIC: Q200, P100], 8700 [ASIC: P100, K100], 8010 [ASIC: A100]); Centralized Systems (8600 [ASIC: Q200]); Modular Systems (8800 [LC ASIC: K100])

You can now significantly reduce analytics and collector load by setting much higher NetFlow or sFlow sampling intervals of up to one out of 8 million packets. Just configure your desired interval, and we automatically combine hardware sampling and software filtering to achieve this rate, ensuring accurate exports and minimal resource usage while keeping setup simple.

Sampling interval characteristics and platform support

The increased sampling interval support extends flow monitoring scalability and changes the operational limits for sampling intervals on platforms with the feature enabled.

Key supported attributes include:

  • Sampling interval range (platform-dependent): Up to 8,000,000 packets on Cisco 8000 Series with feature enabled.

  • Automatic activation: The feature applies when the configured interval exceeds the hardware maximum (e.g., 262,143).

  • Software sampler: For intervals above the hardware limit, software drops samples to achieve the desired effective interval.

  • Transparent configuration: Operators specify a single interval; hardware-software split is internal.
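A planning check for a candidate interval, added here as an example (not Cisco code): it applies the limits stated in this section and in the note under the SAMPLER3 example, and estimates how large a flow must be before it is likely to be sampled at all. The function names are hypothetical; the hardware/software split for multiples generalises the single SAMPLER3 output (524286 = 262143 x 2), and the visibility estimate assumes independent random sampling.

```python
import math

HW_MAX = 262_143          # hardware maximum / recommended base value quoted on this page
FEATURE_MAX = 8_000_000   # largest configurable interval with the feature enabled

def plan_interval(n):
    """Classify 'random 1 out-of n' against the limits documented on this page."""
    if not 1 <= n <= FEATURE_MAX:
        raise ValueError(f"interval {n} is outside 1..{FEATURE_MAX}")
    plan = {"interval": n, "software_sampler": n > HW_MAX,
            "hardware_interval": None, "software_multiplier": None, "suggest": []}
    if n <= HW_MAX:
        plan.update(hardware_interval=n, software_multiplier=1)
        return plan
    mult, rem = divmod(n, HW_MAX)
    if rem == 0:
        # Assumption: same split as the SAMPLER3 output, extended to other multiples.
        plan.update(hardware_interval=HW_MAX, software_multiplier=mult)
    else:
        # The split for non-multiples is not documented; offer the neighbouring
        # multiples, which is what the syslog notice asks the operator to consider.
        plan["suggest"] = [m * HW_MAX for m in (mult, mult + 1)
                           if m * HW_MAX <= FEATURE_MAX]
    return plan

def packets_for_visibility(n, confidence=0.95):
    """Smallest flow size k with P(at least one sample) >= confidence,
    where P = 1 - (1 - 1/n)**k under independent 1-in-n sampling."""
    if n == 1:
        return 1
    return math.ceil(math.log(1 - confidence) / math.log1p(-1 / n))

if __name__ == "__main__":
    # Intervals that appear on this page.
    for n in (4096, 524286, 500000, 1262143):
        p = plan_interval(n)
        print(n, p["hardware_interval"], p["software_multiplier"],
              p["suggest"], packets_for_visibility(n))
```

The second function is the trade-off behind the collector-load saving: flows much shorter than the returned packet count will usually produce no sample, so detections that depend on small flows need a lower interval on the interfaces that matter.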

Revision History

Table 9. Feature History Table

Feature Name

Release Introduced

Description

System Alerts with sFlow

Release 25.1.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100])

This feature is now supported on:

  • 8011-4G24Y4H-I

System Alerts with sFlow

Release 24.4.1

Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*)

The syslog notifications with sFlow are now available on the following hardware.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

System alerts related to sFlow

Release 7.5.3

The following syslog notifications are available with sFlow:

  • FLOW_SAMPLES_DROPPED - This alert is seen whenever the buffer becomes full with sampled flow data, either due to a high sampling rate or an increase in the traffic rate.

  • FLOW_SAMPLES_DROPPING_STOPPED - This alert is seen when the buffer reverts to its regular state.

  • BUFFER_SIZE_EXCEEDED - This alert signals that the flow monitor buffer has reached its capacity with sampled flow data, which could be a result of a low export rate limit or a high sampling rate.

  • BUFFER_EXCEEDING_STOPPED - This alert is seen when the flow monitor buffer reverts to its regular state.

Ingress sFlow enhancements

Release 25.4.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only*)

This feature is now supported on:

  • 8011-12G12X4Y-A

  • 8011-12G12X4Y-D

Ingress sFlow enhancements

Release 25.1.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100])

This feature is now supported on:

  • 8011-4G24Y4H-I

Ingress sFlow enhancements

Release 24.4.1

Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*)

The Ingress sFlow enhancements added in Cisco IOS XR Release 7.3.3 now apply to the following hardware, ensuring improved scalability and a decreased volume of packets received.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

Ingress sFlow enhancements

Release 7.3.3

The incoming sFlow packet offers the following enhancements to improve scalability and decrease the volume of packets received:

  • Expansion of sFlow datagram size—from 1500B to 9KB

  • Tunnel encapsulation—The packet header now supports an extended structure encompassing tunnel header information. The egress packet extracts the tunnel information during decapsulation.

  • The sFlow collector indicates discarded packets and locally targeted packets at the output interfaces, in a specific format along with the drop value.

sFlow on L2 interfaces

Release 25.1.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100])

This feature is now supported on:

  • 8011-4G24Y4H-I

sFlow on L2 interfaces

Release 24.4.1

Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*)

sFlow support on L2 interfaces is now extended on the following hardware to ensure efficient traffic monitoring on your network.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

sFlow for L2 interfaces

Release 7.3.1

Ingress sFlow on an L2 interface is introduced. Support for sFlow existed in earlier releases.

Sampled flow

Release 25.1.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100])

This feature is now supported on:

  • 8011-4G24Y4H-I

Sampled flow

Release 24.4.1

Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*)

This feature is now supported on the following hardware, allowing you to monitor real-time traffic in your data networks and forward the sample data to the central data collector using the sampling mechanism in the sFlow agent software.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

Flow monitoring on Egress Interface

Release 25.1.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100])

This feature is now supported on:

  • 8011-4G24Y4H-I

Flow monitoring on Egress Interface

Release 24.1.1

Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*)

You can now get precise insights into encapsulated and decapsulated data, prioritize critical outbound traffic, and ensure implementation of security measures. This is accomplished by activating egress flow monitoring on outbound interfaces within your network using sFlow.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

Sampled flow

Release 7.2.12

Sampled flow (sFlow) allows you to monitor real-time traffic in data networks. It uses a sampling mechanism in the sFlow agent software to monitor traffic and to forward the sample data to the central data collector.