sFlow Configuration for Traffic Monitoring and Analysis

This page describes the key concepts, advantages, and limitations of sFlow, and the steps to configure sFlow on your router.

sFlow Essential Concepts and Terms

This section helps you get familiar with the sFlow key terms and concepts:

  • Data source: Location within a network device that can make traffic measurements. Examples are physical interfaces, VLANs.

  • Flow: A Flow is defined as a set of IP packets passing a network device in the network during a certain time interval. All packets that belong to a particular Flow have a set of common properties derived from the data contained in the packet.

  • Flow record: A Flow record is a set of key and non-key sFlow field values used to characterize flows. This record is created by inspecting packet headers and adding a description of packet information.

  • sFlow agent: Entity inside the network device responsible for maintaining sFlow configuration, gathering the sampled flow and counters from one or more data sources in the router, packaging them in sFlow datagram format, and exporting them to the sFlow collector.

  • sFlow collector: Application that receives the sFlow datagrams from one or more agents to perform further analysis and generate reports. The collector is external to the router.

  • Sampling rate: Specifies how often packet sampling is performed, that is, how many packets (on average) pass through the data source for each flow sample that is generated. A value of 100 means that on average, 1 out of 100 packets is randomly sampled to be exported.

  • Sampling interval: Period at which counters will be polled for populating the counter sample in the sFlow datagram.

  • sFlow datagram: User Datagram Protocol (UDP) datagram exported from sFlow agent to collector. The datagram contains information about the data source, one or more flow samples, and one or more counter samples.

  • Collector address: IP and UDP port number. The default destination port number is 6343.

Flow Monitoring on Egress Interface

Egress Interface Flow Monitoring enhances network visibility and control by prioritizing outbound traffic. This capability offers advanced monitoring and management of data exiting the network, providing a more comprehensive understanding of network dynamics. The key focus of this feature is to monitor packets that are either encapsulated or decapsulated through egress sFlow.

Encapsulated and decapsulated data monitoring in sFlow serves a crucial role in safeguarding sensitive information transmitted across the network. The process involves encapsulating data with an additional layer of information, enabling verification of its authenticity and integrity. This added layer makes it challenging for attackers to intercept or modify data during transmission. Conversely, decapsulation entails removing the encapsulated data layer, empowering network devices to analyze the information and take appropriate actions in real-time. This proactive approach aids in identifying and preventing attacks or anomalies, enhancing the overall security of the network.

How sFlow works

sFlow is a monitoring technology that operates by sampling network traffic in real time. However, unlike NetFlow, sFlow does not capture all network traffic.

In the context of traffic monitoring, sFlow functions by disaggregating the flow pipeline. Devices within the network stream packet headers and metadata, which are subsequently transmitted as UDP datagrams to an external collector. This collector deciphers the packets and creates flow records. A notable feature of sFlow is its capability to export this data promptly, facilitating the creation of a near real-time representation of network traffic by the collector.

The advantage of this real-time traffic analysis is its ability to monitor patterns and trends within the network, facilitate the automation of traffic engineering, and aid in making well-informed decisions when planning network capacity.

Recording of Packet Flows in sFlow

The packet in sFlow is recorded as follows:

Figure 1. Packet Flows in sFlow
[Figure: recording flow of packets using sFlow technology, in four stages: Sampling, Datagram Generation, Data Export, Analysis and Reporting]

In sFlow, the focus is on collecting sampled network traffic data rather than recording full packet flows. sFlow is designed to provide a statistical overview of network traffic by sampling packets and extracting relevant information for analysis.

Here's how sFlow handles the recording of packet flows:

  1. Sampling: The sFlow agent process in a network device samples packets based on a configured sampling rate. The sampling rate determines the percentage of packets that will be selected for analysis. For example, a sampling rate of 1-in-100 means that 1% of the packets will be sampled.

  2. Datagram Generation: The sFlow agent generates datagrams that contain information about the sampled packets. These datagrams include details such as packet header, sampling rate, port numbers, protocol information, and various flow statistics.

  3. Data Export: The sFlow datagrams are periodically exported from the sFlow agent to a designated sFlow collector or analyzer. The export can be done using protocols like UDP or TCP, and the datagrams are typically sent in a structured format like XDR.

  4. Analysis and Reporting: Upon receiving the sFlow data, the sFlow collector or analyzer processes and analyzes the information. It aggregates the sampled data to provide statistical insights into network traffic, including top talkers, protocol distribution, traffic patterns, and other metrics.
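
The collector's side of steps 2 to 4, as an added example (not Cisco code): a minimal Python parser for the sFlow version 5 datagram header, flow samples and sampled packet headers that bounds-checks every length field, because the collector port accepts UDP from any sender. The byte layout follows the public sFlow v5 specification; the datagram is constructed test input, with the agent address and 1-in-4096 rate borrowed from this page's configuration example.

```python
import ipaddress
import struct

FLOW_SAMPLE, COUNTER_SAMPLE = 1, 2   # enterprise 0 sample formats (sFlow v5)
RAW_PACKET_HEADER = 1                # enterprise 0 flow record: sampled header


class Reader:
    """Cursor over XDR data: big-endian 32-bit words, opaque data padded to 4 bytes."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        return struct.unpack("!I", self.take(4))[0]

    def take(self, n, pad=False):
        end = self.pos + n
        if end > len(self.data):
            raise ValueError("length field points past the end of the data")
        chunk = self.data[self.pos:end]
        self.pos = end + (-n % 4 if pad else 0)
        return chunk


def parse_flow_sample(r):
    sample = {"sequence": r.u32()}
    source_id = r.u32()
    sample["source_type"], sample["source_index"] = source_id >> 24, source_id & 0xFFFFFF
    for field in ("sampling_rate", "sample_pool", "drops", "input", "output"):
        sample[field] = r.u32()
    sample["headers"] = []
    for _ in range(r.u32()):
        tag, length = r.u32(), r.u32()
        rec = Reader(r.take(length))         # a record cannot read past its own length
        if tag == RAW_PACKET_HEADER:
            protocol, frame_length = rec.u32(), rec.u32()
            rec.u32()                        # bytes stripped from the frame, unused here
            header = rec.take(rec.u32(), pad=True)
            sample["headers"].append(
                {"protocol": protocol, "frame_length": frame_length, "header": header})
    return sample


def parse_datagram(payload):
    r = Reader(payload)
    version = r.u32()
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type = r.u32()
    if addr_type not in (1, 2):              # 1 = IPv4 agent address, 2 = IPv6
        raise ValueError(f"unknown agent address type {addr_type}")
    agent = ipaddress.ip_address(r.take(4 if addr_type == 1 else 16))
    dgram = {"agent": str(agent), "sub_agent_id": r.u32(), "sequence": r.u32(),
             "uptime_ms": r.u32(), "flow_samples": [], "counter_samples": 0, "skipped": 0}
    for _ in range(r.u32()):
        tag, length = r.u32(), r.u32()
        body = Reader(r.take(length))
        if tag == FLOW_SAMPLE:
            dgram["flow_samples"].append(parse_flow_sample(body))
        elif tag == COUNTER_SAMPLE:
            dgram["counter_samples"] += 1    # counted only; counter records not decoded
        else:
            dgram["skipped"] += 1            # expanded or vendor formats are skipped by length
    return dgram


def estimated_bytes(dgram):
    """Scale each sampled frame length by its 1-in-N sampling rate."""
    return sum(h["frame_length"] * s["sampling_rate"]
               for s in dgram["flow_samples"] for h in s["headers"])


def build_sample_datagram():
    """Constructed input: one flow sample holding the 14-byte header of a 64-byte frame."""
    header = bytes.fromhex("0200000000020200000000010800")
    raw = struct.pack("!IIII", 1, 64, 4, len(header)) + header + b"\x00" * (-len(header) % 4)
    flow = struct.pack("!IIIIIIII", 7, 24, 4096, 28672, 0, 24, 0, 1)
    flow += struct.pack("!II", RAW_PACKET_HEADER, len(raw)) + raw
    dgram = struct.pack("!II", 5, 1) + ipaddress.ip_address("192.127.10.1").packed
    dgram += struct.pack("!IIII", 0, 92, 360000, 1)
    return dgram + struct.pack("!II", FLOW_SAMPLE, len(flow)) + flow


if __name__ == "__main__":
    parsed = parse_datagram(build_sample_datagram())
    print(parsed["agent"], parsed["sequence"], estimated_bytes(parsed))
```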

sFlow Export with ECMP Load Balancing

Table 1. Feature History Table

Feature Name | Release Information | Feature Description
sFlow Export with ECMP Load Balancing | Release 25.1.1 | Introduced in this release on: Fixed Systems (8010 [ASIC: A100]). This feature is now supported on: 8011-4G24Y4H-I.
sFlow Export with ECMP Load Balancing | Release 24.4.1 | Introduced in this release on: Modular Systems (8800 [LC ASIC: P100]). You can now achieve sFlow packet load balancing across all ECMP paths to the collector. This feature utilizes pre-routing to gather nexthop interface and IP details for each packet, ensuring uniform distribution. By actively utilizing all paths, it provides more effective load balancing and improved network performance while maintaining path tracking. The feature introduces these changes: CLI: The flow exporter-map command is modified to include the pre-route and all-ecmp-paths keywords.

The sFlow ECMP Load Balancing feature enhances network routing by allowing routers to distribute sFlow packets across all available Equal-Cost Multi-Path (ECMP) routes to the sFlow collector.

The existing solution uses source-port entropy in the sFlow export UDP packets, introduced in IOS-XR software release 7.5.4, but it lacked the ability to track specific paths due to limited visibility of the outgoing interface. This new feature addresses these limitations by providing a pre-routing option, which gathers detailed nexthop information, including the output interface and nexthop IP address, for each packet. By actively utilizing all ECMP paths, the feature ensures efficient and uniform packet distribution, thereby improving routing performance, reliability, and network efficiency.

Benefits of ECMP Load Balancing

ECMP Load Balancing offers several key benefits:

  • Uniform Distribution: Ensures even distribution of sFlow packets across all available paths, optimizing load balancing.

  • Enhanced Visibility: Provides visibility into the nexthop details, overcoming the limitations of previous methods that lacked path tracking.

  • Improved Performance: Actively uses all ECMP paths, enhancing network efficiency without compromising path tracking.

Mirror and stream drop packets using SPAN and sFlow

Table 2. Feature History Table

Feature Name | Release Information | Feature Description
Mirror and stream drop traps using SPAN and sFlow | Release 25.2.1 | Introduced in this release on: Modular Systems (8800 [LC ASIC: P100]). The forwarding dropped trap feature enables system-generated notifications to be mirrored and forwarded to an sFlow collector when packets are dropped during the forwarding process. By leveraging SPAN and sFlow, this feature provides valuable insights into potential network issues and enhances network traffic monitoring and analysis.
Mirror and stream drop packets using SPAN and sFlow | Release 25.1.1 | Introduced in this release on: Modular Systems (8800 [LC ASIC: P100]). sFlow now supports buffer drop and forward-drop streaming, enhancing its capability to capture packets dropped by the Traffic Management (TM) buffer when full. This feature allows streaming of mirrored copies of these packets using SPAN, ensuring effective traffic monitoring even during process restarts or network failovers. Additionally, it mirrors forward-drop packets to capture and analyze packets dropped at router ingress, aiding in understanding blocked traffic types, identifying potential security threats, and optimizing network performance. The feature introduces these changes: CLI:

Mirror and stream drop packets using SPAN and sFlow

Starting from IOS-XR software release 25.1.1, the Mirror and Stream Dropped Packets using SPAN and sFlow feature enables the export of dropped packets using sFlow encapsulation. These packets are forwarded to an sFlow collector for in-depth analysis, alongside regular sFlow sampled packets. Differentiation is achieved using distinct UDP ports.

Key capabilities introduced by this feature include:

  • Extends existing SPAN-based mirroring to support dropped packet streaming via sFlow.

  • Uses distinct UDP ports to differentiate dropped and regular sFlow traffic.

  • Extends SPAN functionality to support dropped packet streaming.

  • Supports coexistence with regular sFlow traffic using separate exporter maps.

For more details about traffic mirroring feature, refer to the Configure Traffic Mirroring chapter in the Interface and Hardware Component Configuration Guide for Cisco 8000 Series Routers.

Mirror and stream drop traps using SPAN and sFlow

Starting from IOS-XR software release 25.2.1, the Mirror and Stream Drop Traps using SPAN and sFlow feature enables the export of forward-drop traps using sFlow encapsulation. A trap refers to a system-detected event where a packet is dropped due to specific conditions such as ACL denies, TTL expiry, or protocol violations. These dropped packets are encapsulated and streamed to an sFlow collector for real-time diagnostics and analysis.

  • Provides real-time visibility into dropped traps.

  • Uses sFlow encapsulation to export drop traps to collectors.

Types of drop packets

  • Buffer drop packets: Buffer drop packets occur when the Traffic Management (TM) buffer reaches capacity and begins to drop incoming packets. This typically happens due to network congestion when the incoming traffic rate exceeds the buffer's processing capacity. The following scenarios lead to buffer drops:

    • TM_EXACT_METER_DROP: Occurs when the router drops packets because the incoming traffic rate exceeds the configured policer rate on the ingress interface.

    • TM_STATISTICAL_METER_DROP: Occurs when traffic is sent at a 100% line rate on an ingress interface, leading to packet drops.

  • Forward drop packets: Forward drop packets are dropped during the forwarding process at the router ingress. This can occur due to several reasons, including:

    • L3_IP_MC_PUNT_RPF_FAIL: Occurs when an IP multicast RPF check fails.

    • L3_ACL_FORCE_PUNT: Occurs when layer 3 egress security measures or UDF ACLs are configured to punt packets to the host.

    • L3_GLEAN_ADJ: Occurs during glean adjacency, when a router needs to forward packets but must first perform Address Resolution Protocol (ARP) resolution to obtain the next-hop MAC address.

    • L3_DROP_ADJ: Occurs when packets are dropped due to an inject up layer 3 lookup failure.

    • L3_TTL_OR_HOP_LIMIT_IS_ONE: Pertains to packets that have a Time-To-Live (TTL) or hop count of 1. These packets are typically dropped to prevent them from circulating indefinitely within the network, adhering to the principles of loop prevention.

    • OAMP_BFD_MISMATCH_DISCR: Occurs when there is a mismatch in the Bidirectional Forwarding Detection (BFD) session discriminator.

Starting from IOS-XR software release 25.2.1, the number of supported trap events has increased. Use the command show controllers npu stats traps-all instance all local to view them. The traps punted by the NPU are marked as (D*) and are supported.

Prerequisite for drop packet streaming

The following prerequisites must be met to stream dropped packets using sFlow.

  • Transition to sFlow: Devices using NetFlow or IPFIX must transition to sFlow for regular sampling before utilizing the dropped packet feature, ensuring compatibility and consistency in data analysis.

  • Collector configuration: A unified sFlow collector must be configured to handle both regular and dropped packet flows, utilizing different UDP ports to distinguish between the two streams.

Benefits of drop packet streaming

  • Captures and forwards dropped packets to an sFlow collector, providing detailed insights.

  • Comprehensive Analysis: Allows for simultaneous analysis of regular and dropped packet flows, offering a holistic view.

  • Troubleshooting: Empowers network administrators to effectively identify and resolve issues, reducing downtime and enhancing performance.

Guidelines for Mirroring and Streaming Drop Packets

Configuration Best Practices

Use SPAN and sFlow to mirror dropped packets and traps for real-time visibility and diagnostics, so that packet loss events are both observable and actionable.

  • Use a dedicated exporter map for drop traffic.

  • Configure only one drop sFlow session per system to maintain export integrity.

  • Use distinct UDP ports to differentiate drop traffic from regular sFlow exports.

  • Do not modify DSCP marking for drop exports; it is fixed at 0.

  • Ensure the export rate does not exceed 540 packets per second to avoid performance degradation.

System and Hardware Limitations

  • System Support: Certain features like INJECT_UP_L3_LOOKUP_FAIL packet export are only supported on fixed systems, not modular ones.

  • ASIC Support: TM_EXACT_METER_DROP is supported only on Q200 ASIC-based systems, excluding P100 ASIC-based systems.

  • Session Limitations:

    • Only one global forward-drop session and one TM buffer drop session are supported for file (SPAN-to-file sessions), GRE (ERSPAN) tunnel interface, and sFlow destinations.

    • GRE tunnel interfaces and sFlow destinations cannot be configured together; they are mutually exclusive.

    • You cannot configure reachability for GRE and sFlow destinations through management interfaces.

  • ERSPAN Limitations: Default encapsulation traffic class value is 0 for buffer and forward-drop packets, and ERSPAN counters are not updated for these packets.

  • sFlow export: Drops resulting from inject packets (packets originating from the router) are not exported via the sFlow export facility.

These guidelines help maintain consistent monitoring, reduce configuration errors, and ensure dropped packets are captured and analyzed effectively.

sFlow parameters and default values

Table 3. Feature History Table

Feature Name | Release Information | Feature Description
Increased sFlow sample-header size | Release 25.1.1 | Introduced in this release on: Fixed Systems (8010 [ASIC: A100]). This feature is now supported on: 8011-4G24Y4H-I.
Increased sFlow sample-header size | Release 24.4.1 | Introduced in this release on: Fixed Systems(8200, 8700)(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*). *This feature is now supported on: 8212-48FH-M, 8711-32FH-M, 8712-MOD-M, 88-LC1-12TH24FH-E, 88-LC1-52Y8H-EM, 88-LC1-36EH.
Increased sFlow sample-header size | Release 7.3.4 | You can now increase the sFlow sampling size to 343 bytes of the incoming or outgoing packet header. This enhancement lets the router export a larger sample to the flow-analyzer tool, enabling the tool to provide more accurate network analytics. In earlier releases, you could configure up to 200 bytes.

The following table lists the sFlow parameters and default values that you can use when configuring sFlow on the router:

Table 4. sFlow Parameters and Default Values

Parameter | Value | Command
Sampling rate | Default value: 1 out of 10000 packets | sampler-map
Sample header size | 128 - 343 bytes (from Cisco IOS XR Release 7.3.4 onwards); 128 - 200 bytes (prior to Cisco IOS XR Release 7.3.4). Default value: 128 bytes | flow monitor-map
Counter poll interval | 5-1800 seconds. Default value: None | flow monitor-map
Collector port | Configurable. Default value: 6343 | flow exporter-map

sFlow Sampling

The following methods are used in sFlow for capturing and analyzing network traffic:

  • Counter Sampling: In the counter sampling method, only specific counters or statistics are sampled and collected for analysis. Instead of capturing and analyzing packets or flows, counter sampling focuses on monitoring and collecting information about specific network metrics or performance indicators. These metrics can include interface utilization, packet drops, CPU usage, memory usage, and other relevant statistics. Counter sampling provides a high-level view of network health and performance without the need to capture and analyze every single packet.

  • Flow Sampling: Flow sampling, on the other hand, involves capturing and analyzing sampled network flows. A flow can be defined as a sequence of packets that share common attributes, such as source and destination IP addresses, port numbers, and protocol information. Flow sampling selects a subset of these flows for analysis. By capturing and analyzing flows, you can gain insights into traffic patterns, detect anomalies, and monitor performance. Flow sampling allows for more granular analysis of network traffic compared to counter sampling.

You can choose the method depending on the specific monitoring needs and objectives of the network.

Configure sFlow

This page explains how to configure sFlow to monitor network traffic using sampled data.

sFlow Guidelines and Limitations

General

  • When egress sFlow is enabled, the Layer 2 information of ingress packets is captured instead of the egress interface. This behavior is not supported on the 88-LC1-12TH24FH-E and 88-LC1-52Y8H-EM line cards.

  • sFlow samples are combined into UDP packets and forwarded to sFlow collectors for analysis. It's important to note that UDP, being a connectionless protocol, doesn't ensure the delivery of data. Consequently, utilizing sFlow as a flow source could potentially lead to inaccurate representations of traffic volumes, bidirectional flows, and a reduction in alerting capabilities.

  • Only one sampler configuration per router is allowed.

  • The maximum supported sampling interval is 1 out of 262,144 packets.

  • Only one active sampler per router is supported. Multiple sampler maps that are not used in flow configuration are allowed.

Flow Exporter

  • When sFlow is on a bundle with members located on different Line Cards (LCs), flows are exported with the same ifindex id for the bundle interface. However, they possess distinct sub-agent ids and sequence numbers.

  • A maximum of 8 export destinations per monitor map for both IPv4 and IPv6 are allowed.
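
One way a collector can measure the UDP loss noted under General, as an added example (not part of the Cisco documentation): datagram sequence numbers are tracked per (agent address, sub-agent id) pair, because the line cards of a bundle number their datagrams independently. The 32-datagram reorder window and the sample sequence values are assumptions made for this sketch.

```python
from collections import defaultdict

SEQ_MOD = 2 ** 32      # datagram sequence numbers are unsigned 32-bit and wrap
REORDER_WINDOW = 32    # assumption: anything further behind is treated as a restart


class LossTracker:
    """Counts missing sFlow datagrams per (agent, sub-agent) stream."""

    def __init__(self):
        self.last = {}
        self.received = defaultdict(int)
        self.lost = defaultdict(int)

    def observe(self, agent, sub_agent_id, sequence):
        key = (agent, sub_agent_id)
        prev = self.last.get(key)
        if prev is None:
            self.last[key] = sequence
            self.received[key] += 1
            return "first"
        ahead = (sequence - prev) % SEQ_MOD
        if ahead == 0:
            return "duplicate"               # repeat of the newest datagram, not counted
        self.received[key] += 1
        if ahead < SEQ_MOD // 2:             # moved forward, possibly across the wrap
            self.lost[key] += ahead - 1
            self.last[key] = sequence
            return "gap" if ahead > 1 else "in-order"
        if SEQ_MOD - ahead <= REORDER_WINDOW:
            # late arrival that an earlier gap already counted as lost
            self.lost[key] = max(0, self.lost[key] - 1)
            return "late"
        self.last[key] = sequence            # far behind: agent or line card restarted
        return "restart"

    def loss_ratio(self, agent, sub_agent_id):
        key = (agent, sub_agent_id)
        total = self.received[key] + self.lost[key]
        return self.lost[key] / total if total else 0.0


def replay(tracker, datagrams):
    """Feed (agent, sub_agent_id, sequence) tuples and return the verdict for each."""
    return [tracker.observe(*d) for d in datagrams]


if __name__ == "__main__":
    # Constructed input: two sub-agents of one agent, interleaved on the wire.
    stream = [("192.127.10.1", 0, 1), ("192.127.10.1", 1, 100), ("192.127.10.1", 0, 2),
              ("192.127.10.1", 1, 101), ("192.127.10.1", 0, 5), ("192.127.10.1", 0, 4)]
    tracker = LossTracker()
    print(replay(tracker, stream), tracker.loss_ratio("192.127.10.1", 0))
```

A tracker keyed on the agent address alone would report the interleaved sub-agent streams above as constant loss and reordering.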

Flow Monitor

  • Ingress sFlow is supported on Cisco 8200 and Cisco 8800 Series Routers.

  • Egress sFlow is supported only on Cisco 8200 Series Routers.

Interfaces

  • L3 interfaces, L3 bundle interfaces, L3 sub-interfaces, L3 bundle sub-interfaces, and L3 BVI interfaces are supported.

  • Up to 2000 L3 interfaces are supported.

  • Tunnel and Ethernet PseudoWire (PW) interfaces are not supported.

  • ARP, multicast, broadcast, and IP-in-IP packets are excluded from the sampling process.

Loadbalance sFlow Traffic

  • Cisco 8000 modular routers do not load balance sFlow traffic across multiple ECMP paths. When more than one path is available, the router selects only one. Typically, sending sFlow traffic over a single path is sufficient, and load balancing isn't necessary.

    To enable load balancing across all ECMP paths, configure the router to use multiple UDP source ports for sFlow export packets. This method, known as "source-port entropy," uses a hashing-based algorithm to select paths, resulting in multiple ECMP paths being used. This approach does not provide statistics on the number of sFlow packets per path, as the sFlow process does not know the outgoing interface used. To configure multiple source ports, use the transport udp source-port multiple command.

Configuring sFlow

To enable this monitoring, it is necessary to configure the sFlow agent to use a sampling mechanism, forwarding traffic data from both ingress and egress ports to a centralized data collector, also referred to as the sFlow analyzer. The sampled data is forwarded using the version 5 export format. You'll find instructions for configuring sFlow on the router in the following section. Let's use the following topology as a reference for configuring sFlow.

Figure 2. sFlow Configuration
Configuring sFlow for traffic monitoring

Procedure


Step 1

First, let's gather the required details to enable sFlow on a router:

  • The IP address of the source: 2001:db8::0001

  • The IP address of the sFlow Collector (Destination address): 2001:db8::0002

  • Interface of the router where we will enable sFlow: HundredGigE 0/0/0/24

  • sFlow version used to transport the data to the collector: version 5

Step 2

Configure the Flow Exporter using the flow exporter-map command to specify where and how the packets should be exported.

The following attributes can be configured while creating exporter map:

  • Export destination IP address (IPv4 or IPv6 address). The same packets can be exported to multiple IPv4 or IPv6 destinations.

  • DSCP value

  • Source interface and its IP address

  • Transport protocol

  • UDP port number, where the collector listens to the packets

  • Maximum datagram length

  • Don't Fragment bit (DF-bit). The DF-bit within the IP header is supported only on IPv4 transport and determines whether the router is allowed to fragment a packet.

In this example, you create an exporter map called EXP-MAP to export the IPv4 packets to the destination address 192.127.0.1 using the UDP transport protocol:
Router(config)#flow exporter-map EXP-MAP
Router(config-fem)#version sflow v5
Router(config-fem)#packet-length 9000
Router(config-fem)#transport udp 6343
Router(config-fem)#source HundredGigE 0/0/0/1
Router(config-fem)#source-address 192.127.10.1
Router(config-fem)#destination 192.127.0.1
Router(config-fem)#dfbit set
  • ECMP Load Balancing:

    In this example, you configure ECMP load balancing option for sFlow.

    Router(config)#flow exporter-map EXP-MAP
    Router(config-fem)# pre-route all-ecmp-paths
    Router(config-fem-pre-route)# all-ecmp-paths
  • Stream Dropped Packets:

    In this example, you configure forward-drop using SPAN on sFlow.

    Router(config)#monitor-session mon1 ethernet 
    Router(config)#destination sflow exporter-map-name fem 
    Router(config)#drops
    !
    Router(config)#flow exporter-map fem 
    Router(config)#version sflow v5
    !

Verify the Flow Exporter configuration using the show flow exporter-map command.

Router#show flow exporter-map EXP-MAP
Flow Exporter Map : EXP-MAP
-------------------------------------------------
Id                  : 1
Packet-Length       : 9000
DestinationIpAddr   : 192.127.0.1
VRFName             : default
SourceIfName        : HundredGigE 0/0/0/3
SourceIpAddr        : 192.127.10.1
DSCP                : 0
TransportProtocol   : UDP
TransportDestPort   : 6343

Export Version      : sFlow v5

The Export Version: sFlow v5 indicates that the exporter map configuration is successful.

  • Verifying ECMP Load Balancing:
    Router#show flow exporter-map EXP-MAP pre-route path-index all location 0/0/CPU0
    ---------------------------------------------------
    Wed Dec  4 21:59:15.659 UTC
    
    Exporter: EXP-MAP
    
      Pre-route enabled: True
    
        Enabled as default: False
    
        Enabled in configuration: True
    
        Platform capability: True
    
        All ecmp paths: True
    
        Statistics:
    
          Packets handled: 92
    
          Packets not handled: 1
    
        Current Path list information:
    
          Reset time: 2024:12:04 21:53:07 UTC
    
          Path count:1
    
          Path index:0
    
            Path context:
    
              Nexthop Information:
    
                Output Interface Handle: 0x138
    
                Output Interface Name: FourHundredGigE0/0/0/1
    
                Nexthop-address: 30.0.0.2
    
              Statistics:
    
                Packets sent: 92
    
                Last Packet Sequence number: 92
    
  • Verifying Dropped Packet Streaming:
    Router(config)#show monitor-session status    
    Mon Dec 16 03:29:58.569 UTC
    Monitor-session mon1
    Destination sFlow - fem
    ================================================================================
    SW Mirrored Packet type  Dir
    ------------------------ ------
    All drops                Rx, Tx
    
    
    Source Interface      Dir   Status
    --------------------- ----  ----------------------------------------------------
    
    Monitor-session default_monitor_session
    Destination File - Packet collecting (always-on)
      Periodic write interval: 86400 seconds
      Maximum periodic capture capacity: 1GB
    ================================================================================
    SW Mirrored Packet type  Dir
    ------------------------ ------
    Packet-processing drops  Rx    
    Traffic-management drops Rx    
    
    
    Source Interface      Dir   Status
    --------------------- ----  ----------------------------------------------------
    

Step 3

Configure the Flow Sampler using the sampler-map command to define the sampling rate for flow samples, which determines how many packets (on average) pass through the data source for each flow sample that is generated.

In this example, you create a sampler map called SAMP-MAP to sample 1 out of every 4096 packets.
Router(config)#sampler-map SAMP-MAP
Router(config-sm)#random 1 out-of 4096

Verify the sampler map configuration using the show sampler-map command.

Router#show sampler-map SAMP-MAP
Sampler Map : SAMP-MAP
-------------------------------------------------
Id:         1
Mode:       Random (1 out of 4096 Pkts)

In this example, the sampler map configuration is successful with a sample rate of 1 out of every 4096 packets.

Step 4

Configure the Flow Monitor using the flow monitor-map command to define the type of traffic to be monitored and the polling frequency. You can include one or more exporter maps in the monitor map.

In this example, you create a monitor map called MON-MAP and include the exporter map EXP-MAP to record sFlow data at a polling interval of 120 seconds:
Router(config)#flow monitor-map MON-MAP
Router(config-fmm)#record sflow
Router(config-fmm)#sflow options
Router(config-fmm-sflow)#extended-router
Router(config-fmm-sflow)#extended-gateway
Router(config-fmm-sflow)#if-counters polling-interval 120
Router(config-fmm-sflow)#input ifindex physical
Router(config-fmm-sflow)#output ifindex physical
Router(config-fmm-sflow)#sample-header size 200
Router(config-fmm-sflow)#exporter EXP-MAP

You can export input and output interface handles if the ingress or egress interface is a bundle or a Bridge-Group Virtual Interface (BVI).

Verify the monitor map configuration using the show flow monitor-map command.

Router#show flow monitor-map MON-MAP

Flow Monitor Map : MON-MAP
-------------------------------------------------
Id:                2
RecordMapName:     sflow
ExportMapName:     EXP-MAP
ExtendedRouter:    Enabled
ExtendedGateway:   Enabled
InterfaceCounters: Enabled 
PollingInterval:   30 seconds
SampledHeaderSize: 200

Input ifhandle physical
Output ifhandle physical

In this example, the monitor map is configured successfully with the associated exporter map to monitor the interface counters at a polling interval of 30 seconds.

Step 5

Apply sFlow on an interface using the flow datalinkframesection command in Global Configuration mode.

In this example, you apply the monitor map MON-MAP and the sampler map SAMP-MAP on the HundredGigE 0/0/0/3 interface in the ingress direction to monitor the incoming packets:
Router(config)#interface HundredGigE 0/0/0/3
Router(config-if)#ipv4 address 192.127.0.56 255.255.255.0
Router(config-if)#ipv6 address FFF2:8:DE::56/64
Router(config-if)#flow datalinkframesection monitor-map MON-MAP sampler SAMP-MAP ingress

Step 6

Enable sFlow on the RP (0/RP0/CPU0) or on the line card using the hw-module profile netflow sflow-enable command.

Router(config)#hw-module profile netflow sflow-enable location 0/0/CPU0

Step 7

Reload the line card using the hw-module reset auto command.

Router#reload location 0/0/CPU0

With this configuration, sFlow is enabled on the line card.

Step 8

Verify the statistics of exported traffic flow at the producer and exporter using the show flow platform producer statistics location and show flow exporter commands.

Producer:
Router#show flow platform producer statistics location 0/0/CPU0
Netflow Platform Producer Counters:
IPv4 Ingress Packets:                        0
IPv4 Egress Packets:                         0
IPv6 Ingress Packets:                        0
IPv6 Egress Packets:                         0
MPLS Ingress Packets:                        0
MPLS Egress Packets:                         0
IPFIX315 Ingress Packets:                    0
IPFIX315 Egress Packets:                     0
sFlow Ingress Samples:                  100000
Drops (no space):                            0
Drops (other):                               0
Unknown Ingress Packets:                     0
Unknown Egress Packets:                      0
Worker waiting:                              0

Exporter:

Router#show flow exporter EXP-MAP location 0/0/CPU0 
Wed June 21 04:21:36.263 UTC
Flow Exporter: EXP-MAP 
Export Protocol: sFlow v5 
Flow Exporter memory usage: 5247776
Used by flow monitors: MON-MAP

Status: Normal
Transport:   UDP
Destination: 192.127.0.1     (6343) VRF default
Source:      192.127.10.1    (6331)
Flows exported:                               50245 (9631004 bytes)
Flows dropped:                                    0 (0 bytes)

Packets exported:                              7372 (19262008 bytes)
Packets dropped:                                  0 (0 bytes)

Total export over last interval of:
  1 hour:                                      7363 pkts
                                            9629960 bytes
                                              50236 flows
  1 minute:                                      12 pkts
                                               1392 bytes
                                                 12 flows
  1 second:                                       0 pkts
                                                  0 bytes
                                                  0 flows

The sFlow configuration with flow and packet data is successful on the router.
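
A pre-deployment check for the configuration built in this procedure, as an added example (not a Cisco tool): it reads running-config-style text and flags settings outside the limits this page states (sample-header size 128-343, counter poll interval 5-1800, sampling interval up to 1 out of 262,144) and drop-export sessions that break the dedicated-exporter, distinct-UDP-port and single-session guidelines. Both configurations are constructed from the commands shown above; UDP port 6344 is a constructed value, and the exporter map name is assumed to be the last word of the destination sflow line.

```python
DEFAULT_PORT = 6343  # default collector port given on this page


def parse_blocks(text):
    """Group config lines: an unindented line opens a block, indented lines belong to it."""
    blocks = []
    for line in text.splitlines():
        words = line.split()
        if not words or words == ["!"]:
            continue
        if line[0] != " ":
            blocks.append((words, []))
        elif blocks:
            blocks[-1][1].append(words)
    return blocks


def in_range(findings, where, what, words, low, high):
    value = words[-1]
    if not value.isdigit() or not low <= int(value) <= high:
        findings.append(f"{where}: {what} {value} is outside {low}-{high}")


def lint(text):
    findings, ports, monitored, drop_sessions = [], {}, set(), []
    for head, body in parse_blocks(text):
        if head[:2] == ["flow", "exporter-map"] and len(head) == 3:
            ports[head[2]] = DEFAULT_PORT        # applies when no transport line is present
            for words in body:
                if words[:2] == ["transport", "udp"] and words[-1].isdigit():
                    ports[head[2]] = int(words[-1])
        elif head[:2] == ["flow", "monitor-map"] and len(head) == 3:
            for words in body:
                if words[0] == "exporter" and len(words) == 2:
                    monitored.add(words[1])
                elif words[:2] == ["sample-header", "size"]:
                    in_range(findings, head[2], "sample-header size", words, 128, 343)
                elif words[:2] == ["if-counters", "polling-interval"]:
                    in_range(findings, head[2], "polling-interval", words, 5, 1800)
        elif head[0] == "sampler-map" and len(head) == 2:
            for words in body:
                if words[:3] == ["random", "1", "out-of"]:
                    in_range(findings, head[1], "sampling 1 out-of", words, 1, 262144)
        elif head[0] == "monitor-session" and len(head) >= 2:
            for words in body:
                if words[:2] == ["destination", "sflow"] and len(words) > 2:
                    drop_sessions.append((head[1], words[-1]))
    if len(drop_sessions) > 1:
        names = ", ".join(name for name, _ in drop_sessions)
        findings.append(f"more than one drop sFlow session configured: {names}")
    regular_ports = {ports.get(name, DEFAULT_PORT) for name in monitored}
    for session, exporter in drop_sessions:
        port = ports.get(exporter, DEFAULT_PORT)
        if exporter in monitored:
            findings.append(f"{session}: exporter map {exporter} is shared with a flow monitor-map")
        elif port in regular_ports:
            findings.append(f"{session}: drop exporter {exporter} uses UDP port {port}, "
                            "the same port as regular sFlow export")
    return findings


# Constructed configuration: 'fem' has no transport line, so it falls back to the
# default port and collides with EXP-MAP; two monitor-map values are out of range.
WEAK = """\
flow exporter-map EXP-MAP
 version sflow v5
 transport udp 6343
 destination 192.127.0.1
!
flow exporter-map fem
 version sflow v5
 destination 192.127.0.1
!
flow monitor-map MON-MAP
 record sflow
 sflow options
  if-counters polling-interval 2
  sample-header size 400
 !
 exporter EXP-MAP
!
sampler-map SAMP-MAP
 random 1 out-of 4096
!
monitor-session mon1 ethernet
 destination sflow exporter-map-name fem
 drops
!
"""

# Corrected counterpart: separate port for drop export, values inside the stated ranges.
FIXED = (WEAK.replace("flow exporter-map fem\n version sflow v5\n",
                      "flow exporter-map fem\n version sflow v5\n transport udp 6344\n")
             .replace("polling-interval 2", "polling-interval 120")
             .replace("size 400", "size 200"))

if __name__ == "__main__":
    for finding in lint(WEAK):
        print(finding)
```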


What to do next

Analyze the traffic using the UDP datagram and sampled data collected at the sFlow collector.

This image shows an example of sampled data that has been collected at the sFlow collector.

Revision History

Table 5. Feature History Table

Feature Name

Release Introduced

Description

System Alerts with sFlow

Release 25.1.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100])

This feature is now supported on:

  • 8011-4G24Y4H-I

System Alerts with sFlow

Release 24.4.1

Introduced in this release on: Fixed Systems (8200, 8700) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*).

The syslog notifications with sFlow are now available on the following hardware.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

System alerts related to sFlow

Release 7.5.3

The following syslog notifications are available with sFlow:

  • FLOW_SAMPLES_DROPPED - This alert is seen whenever the buffer becomes full with sampled flow data, either due to a high sampling rate or an increase in the traffic rate.

  • FLOW_SAMPLES_DROPPING_STOPPED - This alert is seen when the buffer reverts to its regular state.

  • BUFFER_SIZE_EXCEEDED - This alert signals that the flow monitor buffer has reached its capacity with sampled flow data, which could be a result of a low export rate limit or a high sampling rate.

  • BUFFER_EXCEEDING_STOPPED - This alert is seen when the flow monitor buffer reverts to its regular state.

Ingress sFlow enhancements

Release 24.4.1

Introduced in this release on: Fixed Systems (8200, 8700) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*).

The Ingress sFlow enhancements added in Cisco IOS XR Release 7.3.3 now apply to the following hardware, ensuring improved scalability and decreased volume of packets received.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

Ingress sFlow enhancements

Release 7.3.3

The incoming sFlow packet offers the following enhancements to improve scalability and decrease the volume of packets received:

  • Expansion of sFlow datagram size—from 1500B to 9KB

  • Tunnel encapsulation—The packet header now supports an extended structure encompassing tunnel header information. The egress packet extracts the tunnel information during decapsulation.

  • The sFlow collector indicates discarded packets and locally targeted packets at the output interfaces, in a specific format along with the drop value.

sFlow on L2 interfaces

Release 24.4.1

Introduced in this release on: Fixed Systems (8200, 8700) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*).

sFlow support on L2 interfaces is now extended on the following hardware to ensure efficient traffic monitoring on your network.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

sFlow for L2 interfaces

Release 7.3.1

Ingress sFlow on an L2 interface is introduced. Support for sFlow existed in earlier releases.

Sampled flow

Release 24.4.1

Introduced in this release on: Fixed Systems (8200, 8700) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*).

This feature is now supported on the following hardware, allowing you to monitor real-time traffic in your data networks and forward the sample data to the central data collector using the sampling mechanism in the sFlow agent software.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

Flow monitoring on Egress Interface

Release 24.1.1

Introduced in this release on: Modular Systems (8800) (select variants only*)

You can now get precise insights into encapsulated and decapsulated data, prioritize critical outbound traffic, and ensure implementation of security measures. This is accomplished by activating egress flow monitoring on outbound interfaces within your network using sFlow.

Sampled flow

Release 7.2.12

Sampled flow (sFlow) allows you to monitor real-time traffic in data networks. It uses the sampling mechanism in the sFlow agent software to monitor traffic and to forward the sample data to the central data collector.