SYSTEM ADMINISTRATOR GUIDE 78/1543-CRA 119 1170/1-V1 Uen B
Copyright
© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.
Trademark List
SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
This document describes the SmartEdge® RFlow application.
Redback Flow (RFlow) runs on the SmartEdge router and is used to collect IP traffic information. The traffic information is compiled in a record that contains a variety of information about the traffic in a flow. This flow record helps you to understand data traffic in your network so you can optimize the following:
RFlow comprises the following three main components:
RFlow is not supported on the following controller cards:
Exporting flow records can require significant bandwidth. Ericsson recommends directly attaching the external collector to one of the following:
A flow admission control (FAC) profile is required for RFlow to function properly. If a preexisting FAC profile is attached to a circuit where RFlow is enabled, then the FAC profile is used for RFlow provisioning. If there is no FAC profile applied to a circuit, then the default FAC profile is automatically applied to that circuit. For more information about FAC profiles, see Configuring Flow Admission Control.
A flow is a sequence of IP packets with common properties that traverse a specific reference point on a network during a specific interval. The reference point is called an RFlow observation domain, and the common properties used to define a flow are called key fields. The key fields are fixed and cannot be changed when exported in V5 format. The following key fields are used to capture the packets in a flow:
Packets with header values that match the key fields are considered part of the same flow. A packet is considered part of a different flow if any one of the key field values does not match that of the other packets in a flow.
An RFlow observation domain is made up of a set of bound interface circuits that are located on traffic cards. When a flow passes through the observation domain, information is collected for that flow until the flow expires because the inactive or active time-out period passes or the aggregation cache is full. When the flow expires, the information collected from the flow is exported to a record on an external collector. You can then use the information in the record to manage and optimize the network.
The traffic cards monitor flows on circuits where RFlow is enabled and configured. You can enable RFlow on a circuit by applying an RFlow profile. Once RFlow is enabled, the flow life cycle is as follows:
For more information about Level 1 and Level 2 caches, see Data Collection in RFlow Caches.
RFlow consists of the following objects, which are discussed in detail in this document:
Defining application lists allows you to classify the IP traffic that is being sent over the SmartEdge router, for example Telnet, FTP, HTTP, SMTP, and BGP. Applications are defined within these application lists by IP protocol number and port number, which gives you flexibility in defining the applications you want to monitor.
For every IP protocol, the following statistics per application are displayed:
The RFlow configuration process consists of the following main steps:
Before you enable RFlow features to collect meaningful data on the flows you want to monitor, you can define application lists and the global sampling interval.
You enable RFlow on an individual circuit by creating an RFlow profile and then applying that RFlow profile to the desired circuit. An individual circuit can support a single profile only, but the same profile can be applied to multiple circuits. A circuit must be bound to an IP interface for RFlow to operate properly. RFlow is currently supported on the following types of bound circuits:
You configure an RFlow profile in global configuration mode, independent of any context. You can attach a single profile to multiple external collectors in different contexts.
You can configure the following fields in the RFlow profile:
The RFlow configuration process is described in detail in Section 2.
The RFlow caches are databases that store RFlow information. Each RFlow profile has a cache attached to it. The caches store flow information until that flow is aged (expires). A flow is considered aged under the following circumstances:
There are two RFlow caches: the Level 1 cache and the Level 2 cache.
The Level 1 cache is on a traffic card and compiles the flow information into a flow record before the flow expires. The flow remains in the Level 1 cache until it is aged, after which it is sent to the Level 2 cache.
The Level 2 cache is on the XCRP Controller card. The Level 2 cache is organized as a hash table based on the key fields used to capture the packets in a flow. When the flow expires in the L2 cache, the flow record is exported to the external collector, from which you can access various types of flow information.
You can view RFlow data in the output of the show flow collector command.
If an external collector is configured for RFlow, then flow records are exported to that external collector when a flow is terminated in the Level 2 cache. The export entity uses Cisco Systems NetFlow export format version 5 (v5) to export flow records. In the export v5 format, RFlow flow records are made up of a header and a sequence of flow data fields.
Table 1 describes the flow header key fields supported in the v5 export format.
| Field | Description |
|---|---|
| version | Export format used to send flow records to the external collector. In this release, only v5 formatting is supported. |
| count | Number of records in the PDU. |
| sys-uptime | Number of milliseconds that have passed since the router last booted. |
| secs | Number of seconds that have passed since 0000 Coordinated Universal Time (UTC) 1970, which is when the packet left the exporter. |
| nsecs | Number of residual nanoseconds that have passed since 0000 UTC 1970. |
| flow_seq | Sequence number maintained per external collector; represents the total number of flows received by the external collector. |
| exp_id | Unique identifier for the export source. |
Table 2 describes the flow record fields supported in the v5 export format.
| Field | Description |
|---|---|
| Source address | Source IP address from which this flow originated. |
| Destination Address | Destination IP address for this flow. |
| Nexthop (ingress) | IPv4 address of the next-hop BGP router. |
| Input | SNMP ifIndex where the packet is being exported to. |
| Output | SNMP ifIndex from which the packet is being exported. |
| Packets | Number of packets sent in a flow. |
| Bytes | Number of bytes sent in a flow. |
| srcport | Layer 4 source port number. |
| dstport | Layer 4 destination port number. |
| pad1 | Unused (zero) byte. |
| TCP Flags | Cumulative number of TCP flags. |
| tos | IP type-of-service byte. |
| src_AS | BGP autonomous system (AS) source address. |
| dst_AS | BGP AS destination address. |
| Source mask (for ingress flows only) | Source IPv4 mask address from which the packet was exported. |
| Destination mask (for ingress flows only) | Destination IPv4 mask address to which the packet is being exported. |
| pad2 | Number of unused (zero) bytes. |
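A collector-side parser for the v5 export described in Tables 1 and 2, added here as an example (it is not Ericsson code). It assumes the standard NetFlow v5 wire layout: a 24-byte header whose last four bytes (summarised above as exp_id) are engine type, engine ID and sampling interval, 48-byte records that also carry the first, last and prot fields not listed in Table 2, at most 30 records per datagram, and a flow_seq that advances by count with each datagram. The sample datagrams are constructed.

```python
import struct
from ipaddress import IPv4Address

# Assumed standard NetFlow v5 wire layout: 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # a v5 datagram carries at most 30 flow records


class ExportError(ValueError):
    """Raised when a datagram is not a well-formed v5 export."""


def parse_v5(datagram: bytes) -> dict:
    """Validate one export datagram and decode its header and flow records."""
    if len(datagram) < HEADER.size:
        raise ExportError("datagram shorter than the v5 header")
    (version, count, sys_uptime, secs, nsecs, flow_seq,
     _engine_type, _engine_id, _sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ExportError(f"unsupported export version {version}")
    if not 1 <= count <= MAX_RECORDS:
        raise ExportError(f"implausible record count {count}")
    # count arrives over unauthenticated UDP, so check it against the real length.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ExportError("datagram length does not match the count field")
    records = []
    for i in range(count):
        (src, dst, nexthop, if_in, if_out, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)),
            "input": if_in, "output": if_out, "packets": pkts, "bytes": octets,
            "srcport": sport, "dstport": dport, "tcp_flags": tcp_flags,
            "proto": proto, "tos": tos, "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return {"count": count, "sys_uptime": sys_uptime, "secs": secs,
            "nsecs": nsecs, "flow_seq": flow_seq, "records": records}


class SequenceTracker:
    """Detects lost flow records per exporter from gaps in flow_seq."""

    def __init__(self):
        self._expected = {}  # exporter address -> next flow_seq expected

    def observe(self, exporter: str, pdu: dict) -> int:
        """Return how many flow records went missing before this datagram."""
        expected = self._expected.get(exporter)
        seq = pdu["flow_seq"]
        gap = 0 if expected is None else (seq - expected) & 0xFFFFFFFF
        if gap >= 1 << 31:
            gap = 0  # sequence moved backwards: reordering or exporter restart
        self._expected[exporter] = (seq + pdu["count"]) & 0xFFFFFFFF
        return gap


def build_sample(flow_seq: int, flows: list) -> bytes:
    """Pack a constructed datagram from (src, dst, sport, dport, proto, pkts, bytes)."""
    out = HEADER.pack(5, len(flows), 60_000, 1_262_304_000, 0, flow_seq, 0, 0, 0)
    for src, dst, sport, dport, proto, pkts, octets in flows:
        out += RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                           bytes(4), 1, 2, pkts, octets, 1000, 2000,
                           sport, dport, 0, 0x1B, proto, 0, 0, 0, 24, 24, 0)
    return out


if __name__ == "__main__":
    tracker = SequenceTracker()
    smtp = ("192.0.2.10", "198.51.100.5", 40000, 25, 6, 12, 3400)
    for seq in (100, 101, 106):  # constructed: four records lost before seq 106
        pdu = parse_v5(build_sample(seq, [smtp]))
        print(seq, pdu["records"][0]["dstport"], tracker.observe("10.0.0.1", pdu))
```

A nonzero return from `observe` means flow records were dropped between the router and the collector, so traffic totals for that interval are undercounted.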
An external collector is a server that assembles exported flows and aggregates them to produce reports used for traffic and security analysis. After the L2 cache compiles RFlow export data into a flow record, the export entity exports the record to one or more external collectors. Each external collector resides in a chosen location in the network and is independent of the SmartEdge router.
On the SmartEdge router, you must configure access to the external collector. An external collector can be accessed by any IP interface through which the destination IP address of the external collector can be reached. The IP address of the external collector and the port through which it is listening must also be configured on the ingress router so that the router knows where to export flow reports.
You configure SmartEdge router access to the external collector in an individual context. For redundancy, you can configure access to two or more external collectors in the same context.
A single external collector can have multiple RFlow profiles attached to it. An external collector can be attached to an RFlow profile that is attached to circuits that are bound to interfaces across multiple contexts.
To access the external collector, you must configure the following parameters:
Use the show flow ip cache dump command to view the flow records for the local SmartEdge router.
Before configuring RFlow, you must understand the differences between the following contexts:
To export the flow records to an external collector, you need to:
If an RFlow profile is attached to three circuits in three different contexts, then a collector receives flow records only from those circuits for which there is a collector configuration in the context of the flows. In other words, if the collector is configured in one context only, the external collector receives flow records only from the circuit that is configured in that same context, and not from the other two circuits because their flows are in different contexts.
In the following example, the profile p15 is applied to the circuit:
```
[local]Redback# configure
[local]Redback(config)# port ethernet 7/1
[local]Redback(config-port)# bind interface if1_1 context ctx-blue
[local]Redback(config-port)# flow apply ip profile p15 in
[local]Redback(config-port)# exit
[local]Redback(config)# port ethernet 4/3
[local]Redback(config-port)# bind interface if2_2 context ctx-red
[local]Redback(config-port)# flow apply ip profile p15 in
```
In the next part of the example, an external collector called collect-blue is configured to receive flows from the circuit 7/1:
```
[local]Redback# configure
[local]Redback(config)# context ctx-blue
[local]Redback(config-ctx)# flow collector collect-blue
[local]Redback(config-flow-collector)# ip-address 10.12.209.8 context ctx-blue
[local]Redback(config-flow-collector)# ip profile p15
```
Even though the p15 RFlow profile is applied to circuits 7/1 and 4/3, the collect-blue collector only receives the flow records from circuit 7/1 because collect-blue was configured in the ctx-blue context.
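The context rule above can leave circuits with RFlow enabled whose records never reach a collector, which is a monitoring blind spot. The following audit is an added example, not part of the SmartEdge software: it reads CLI transcripts in the form shown in this document and lists every circuit whose profile has no collector in the circuit's own context. It assumes one command per line and that the last word of `bind interface` is the context name.

```python
import re
from collections import defaultdict

# Strips a CLI prompt such as "[local]Redback(config-port)# " from a line.
PROMPT = re.compile(r"^\[[^\]]*\]\S*#\s*")

# Constructed input: the two transcripts from the p15 example above.
SAMPLE = """\
[local]Redback# configure
[local]Redback(config)# port ethernet 7/1
[local]Redback(config-port)# bind interface if1_1 context ctx-blue
[local]Redback(config-port)# flow apply ip profile p15 in
[local]Redback(config-port)# exit
[local]Redback(config)# port ethernet 4/3
[local]Redback(config-port)# bind interface if2_2 context ctx-red
[local]Redback(config-port)# flow apply ip profile p15 in
[local]Redback# configure
[local]Redback(config)# context ctx-blue
[local]Redback(config-ctx)# flow collector collect-blue
[local]Redback(config-flow-collector)# ip-address 10.12.209.8 context ctx-blue
[local]Redback(config-flow-collector)# ip profile p15
"""


def unexported_circuits(transcript: str) -> list:
    """Return (circuit, context, profile) tuples that no collector will export."""
    collectors = defaultdict(set)  # context -> profiles attached to a collector there
    applied = []                   # (circuit, bound context, profile)
    ctx = circuit = bound_ctx = None
    in_collector = False
    for line in transcript.splitlines():
        words = PROMPT.sub("", line.strip()).split()
        if not words:
            continue
        if words[0] == "configure":
            ctx = circuit = bound_ctx = None
            in_collector = False
        elif words[0] == "context" and len(words) == 2:
            ctx, in_collector = words[1], False
        elif words[:2] == ["flow", "collector"]:
            in_collector = True
        elif words[:2] == ["ip", "profile"] and in_collector and ctx:
            collectors[ctx].add(words[2])
        elif words[0] == "port" and len(words) == 3:
            circuit, bound_ctx = words[2], None
        elif words[0] == "link-group" and len(words) >= 2:
            circuit, bound_ctx = f"link-group {words[1]}", None
        elif words[:2] == ["dot1q", "pvc"] and circuit and len(words) >= 3:
            circuit, bound_ctx = f"{circuit.split(' pvc ')[0]} pvc {words[2]}", None
        elif words[:2] == ["bind", "interface"]:
            # "bind interface if1_1 context ctx-blue" or "bind interface if1_1 local"
            bound_ctx = words[-1]
        elif words[:4] == ["flow", "apply", "ip", "profile"] and len(words) >= 5:
            applied.append((circuit, bound_ctx, words[4]))
    return [a for a in applied if a[2] not in collectors.get(a[1], set())]


if __name__ == "__main__":
    for circuit, context, profile in unexported_circuits(SAMPLE):
        print(f"circuit {circuit}: profile {profile} has no collector in {context}")
```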
Command modes exist in a hierarchy; that is, you must access the higher-level command mode before you can access a lower-level command mode in the same chain.
Figure 1 shows the hierarchy of the command modes used to configure RFlow features.
Table 3 lists the command modes (in alphabetical order) relevant to RFlow features. It includes the commands that enable access to each mode and the command-line prompt for each mode.
| Mode Name | Commands Used to Access | Command-Line Prompt |
|---|---|---|
| context | context command from global configuration mode | (config-ctx)# |
| dot1q PVC | dot1q pvc command from port configuration mode | (config-dot1q-pvc)# |
| exec | (user logon) | # or > |
| flow collector | flow collector command from context configuration mode | (config-flow-collector)# |
| flow ip application-list | flow ip application-list command from global configuration mode | (config-flow-ip-app-list)# |
| flow ip sampling | flow ip sampling command from global configuration mode | (config-flow-ip-sampling)# |
| flow IP profile | flow ip profile command from global configuration mode | (config-flow-ip-profile)# |
| flow ip application | application command from the flow ip application-list configuration mode | (config-flow-ip-application)# |
| global | configure command from exec mode | (config)# |
| port | port ethernet command from global configuration mode | (config-port)# |
| link-group | link-group command from global configuration mode | (config-link-group)# |
| subscriber | subscriber command from global configuration mode | (config-sub)# |
To configure RFlow, perform the following steps:
These tasks are described in detail in the sections that follow.
Be sure the following prerequisites are met before configuring RFlow on your router:
To define an application list, perform the tasks in Table 4.
| Step # | Task | Command | Notes |
|---|---|---|---|
| 1. | Enter global configuration mode. | configure | — |
| 2. | Define a flow IP application list and enter an application list name. | flow ip application-list application-list-name | Replace application-list-name with the name you want to give your application list. Your prompt will change to config-flow-ip-app-list. |
| 3. | From the config-flow-ip-app-list mode, enter application and choose an application-name. | application application-name | The application name you choose will contain the IP protocol names and their protocol ID and port number information that you will provide as part of the next step. The tasks that follow will allow you to create multiple lists for statistical data collection on IP protocols. |
| 4. | Configure a protocol. | protocol | — |
| 5. | Configure a port number or a port number range. | port port-number | — |
| 6. | Save the configuration. | commit | — |
To collect flow statistics based on random sampling, you can enable sampling on a global level.
To enable sampling, perform the tasks in Table 5. By default, sampling is disabled for every RFlow profile. To enable sampling for an RFlow profile, refer to Section 2.4.
| Step # | Task | Command | Notes |
|---|---|---|---|
| 1. | Enter global configuration mode. | configure | |
| 2. | (Optional) Enter flow IP sampling configuration mode. | flow ip sampling | Your prompt will include config-flow-ip-sampling. |
| 3. | Specify the packet interval. | packet-interval packet-interval | Replace packet-interval with the interval you want. The range for this interval is 1 to 16383 packets. |
| 4. | Save the configuration. | commit | |
This section describes how to create and configure an RFlow profile using the default configuration values, as described in Table 6.
| Parameter | Default | Command Used to Modify Default Setting |
|---|---|---|
| Active time-out setting for flows using the profile, in seconds | 1800 seconds (30 minutes) | active-timeout |
| Inactive time-out setting for flows using the profile, in seconds | 5 seconds | inactive-timeout |
| Maximum number of entries in the aggregation cache for flows that use a profile | 4096 | aggregation-cache-size |
| Application list that you will enable using this profile. | No application summary statistics will be gathered. | application-list |
| Sampling that you will enable using this profile. | Sampling will remain disabled | sampling |
To create and configure an RFlow profile, perform the tasks in Table 7.
| Step # | Task | Command | Notes |
|---|---|---|---|
| 1. | Enter global configuration mode. | configure | — |
| 2. | Create a flow IP profile and enter flow IP profile configuration mode. | flow ip profile profile-name | Replace profile-name with a name that identifies your IP profile. |
| 3. | Save the configuration. | commit | — |
| 4. | Verify your IP profile configuration. | show flow ip profile and show flow ip profile profile-name | Replace profile-name with the name of the RFlow profile you created in Step 2. |
To modify the default configuration in an RFlow profile, perform the tasks in Table 8.
| Step # | Task | Command | Notes |
|---|---|---|---|
| 1. | Enter global configuration mode. | configure | — |
| 2. | Enter flow IP profile configuration mode for a specified IP profile. | flow ip profile profile-name | Replace profile-name with the name of the IP profile you want to modify. |
| 3. | Configure the active time-out setting for flows that use this profile, in seconds. | active-timeout timeout-value | Replace the timeout-value argument with the number of seconds after which a flow is considered aged (expired) and a flow record is created and exported to the external collector. Range is from 15 to 1800 seconds. |
| 4. | Configure the inactive time-out setting for flows that use this profile, in seconds. | inactive-timeout timeout-value | Replace the timeout-value argument with the number of seconds a flow can remain inactive before it is considered aged (expired) and a flow record is created and exported to the external collector. Range is from 1 to 10 seconds. |
| 5. | Configure aggregation cache size for flows that use this profile. | aggregation-cache-size number-of-entries | Replace number-of-entries with the maximum number of entries that can be stored in the aggregation cache at one time. This determines how much information is reported when you access the RFlow data. Range is from 1024 through 32768 entries. To ensure optimal RFlow performance, we recommend setting the aggregation cache size to a number that is a power of 2; for example, 8192. |
| 6. | (Optional) Enable the application list to gather IP protocol summary statistics. Specify the application list name that you defined at the global level. If no name is specified, the system default application list information will be displayed. | application-list application-list-name | Enable the application list so that you can gather summary statistics for the applications that you wish to monitor. RFlow reports application summary statistics per cache, since each cache maintains its own set of application statistics. Application statistics are maintained only if you enable the application list for this profile. If you do not enable an application list, no application statistics are gathered. |
| 7. | (Optional) Enable sampling. | sampling | The sampling packet interval is defined at the global level. During profile configuration, you are merely enabling sampling. By default, sampling is disabled if you do not explicitly enable it. |
| 8. | Save the configuration. | commit | — |
| 9. | Verify your IP profile configuration. | show flow ip profile and show flow ip profile profile-name | Replace profile-name with the name of the RFlow profile you created in Step 2. |
This section describes how to configure access to an external collector using the default configuration described in Table 9.
| Parameter | Default | Command Used to Modify Default Setting |
|---|---|---|
| ip-address | No collector receives exported flow records from the SmartEdge router. | ip-address |
| port | 9997 | port |
| export version | v5 | export-version |
| profile | No profile is attached to the collector. | ip profile |
| transport-protocol | UDP | transport-protocol udp |
Be aware that exporting flow records can require a lot of bandwidth. We recommend directly attaching the external collector to:
Perform the tasks in Table 10 to configure access to an external collector using the default configuration. Table 10 describes the minimal tasks required to configure access to an external collector; to modify the default external collector access settings, see Modify the Default External Collector Access Configuration.
| Step # | Task | Command | Notes |
|---|---|---|---|
| 1. | Enter global configuration mode. | configure | — |
| 2. | Enter context configuration mode. | context ctx-name | Replace the ctx-name argument with the name of the context that owns the flows that will be exported to the external collector. This is the same context you configure in the bind interface command when statically binding a port or permanent virtual circuit (PVC) to the interface whose flows you want to export. |
| 3. | Enter flow collector configuration mode for an external collector. | flow collector collector-name | Replace the collector-name argument with the name of the external collector to which you want to export flow records. |
| 4. | Enable an external collector to receive exported flow records from circuits where RFlow is enabled. | ip-address ip-v4-address context context-name | Replace the ip-v4-address argument with the IP address for the external collector, in the form A.B.C.D. Replace the context-name argument with the name of the context that hosts the IP address for accessing this collector. |
| 5. | Save the configuration. | commit | — |
| 6. | Verify your external collector configuration. | show flow collector collector-name | Replace collector-name with the name of the external collector you configured in Step 3. |
To modify the default configuration values for external collector access, perform the tasks described in Table 11.
| Step # | Task | Command | Notes |
|---|---|---|---|
| 1. | Enter global configuration mode. | configure | — |
| 2. | Enter context configuration mode. | context ctx-name | Replace the ctx-name argument with the name of the context that owns the flows that will be exported to the external collector. This is the same context you configure in the bind interface command when statically binding a port or permanent virtual circuit (PVC) to the interface whose flows you want to export. |
| 3. | Enter flow collector configuration mode. | flow collector collector-name | Replace collector-name with the name of the external collector you want to access. |
| 4. | Configure a port on an external collector to listen for flow records from the SmartEdge router. | port destination-port | Replace the destination-port argument with a number that identifies the port on which the external collector receives exported flows. Range is from 1 through 16384. |
| 5. | Specify the export format used to send flow records to the external collector. | export-version v5 | The export version determines the fields included in the flow record. In this release, v5 (version 5) is the only supported export version. |
| 6. | Attach a flow profile to the external collector. | ip profile profile-name | Replace the profile-name argument with the name of the IP profile you want to attach to this external collector. You can add up to 10 profiles per collector. |
| 7. | Configure the transport protocol for the flow records to be UDP. | transport-protocol udp | In this release, UDP is the only supported transport protocol for the flow records. |
| 8. | Save the configuration. | commit | — |
| 9. | Verify your external collector configuration. | show flow collector collector-name | Replace the collector-name argument with the name of the configured external collector that you want to verify. |
To enable RFlow on a circuit, perform the tasks in Table 12.
| Step # | Task | Command | Notes |
|---|---|---|---|
| 1. | Enter global configuration mode. | configure | — |
| 2. | Enter port configuration mode for the specified port. | port type slot/port | Replace the type argument with the type of port on which you want to enable RFlow. Replace slot/port with the chassis slot number of the traffic card that hosts the port and the traffic card port number. |
| 3. | (Optional) Enter dot1q PVC configuration mode for the specified PVC. | dot1q pvc options | Replace the options argument with the required syntax for the type of dot1Q PVC that you are configuring. Perform this step only if you want to enable RFlow on a dot1Q PVC. |
| 4. | Attach a specified RFlow profile to a circuit. | flow apply ip profile profile-name {in \| out \| both} | Apply the profile in the desired direction by choosing one of the following keywords: The physical circuit must be bound to an IP interface for flow accounting to work properly. |
| 5. | Save the configuration. | commit | — |
| 6. | Verify that RFlow is enabled on a circuit. | show flow ip circuit and show flow ip circuit circuit-id | Replace the circuit-id argument with the appropriate circuit identifier. |
To enable RFlow on a link-group circuit, perform the tasks in Table 13. For more information on link groups, refer to Configuring Link Aggregation.

| Step | Task | Command | Notes |
|---|---|---|---|
| 1. | Enter global configuration mode. | configure | — |
| 2. | Enter link-group configuration mode. (Optional) Enter the economical optional keyword. | link-group link-group-name access economical | Replace the link-group-name argument with the link-group circuit on which you want to enable RFlow. In the economical model, the standby port will not have all the resources pre-provisioned. Instead, the resources will be allocated on the standby port when it becomes active. |
| 3. | (Optional) Enter dot1q PVC configuration mode for the specified PVC. | encapsulation dot1q | — |
| 4. | (Optional) Continue in dot1q PVC configuration mode for the specified PVC. | dot1q pvc options | Replace the options with the VLAN associated with the dot1Q PVC. Perform this step only if you want to enable RFlow on a dot1Q PVC. |
| 5. | Attach a specified RFlow profile to a circuit. | flow apply ip profile profile-name {in \| out \| both} | Apply the profile in the required direction by choosing one of the following keywords: The access link group circuit must be bound to an IP interface for flow accounting to work properly. |
| 6. | Save the configuration. | commit | — |
| 7. | Verify that RFlow is enabled on the access link group circuit. | show flow ip circuit and show flow ip circuit circuit-id | Replace the circuit-id argument with the appropriate link-group circuit identifier. |
To enable RFlow on a subscriber circuit, perform the tasks in Table 14. For more information on subscriber circuits, refer to Configuring Subscribers.

| Step | Task | Command | Notes |
|---|---|---|---|
| 1. | Enter global configuration mode. | configure | — |
| 2. | Enter context configuration mode. | context ctx-name or context local | Replace ctx-name with the name of the context to configure. If you want to configure the local context, specify the local keyword. Your prompt will include config-ctx. |
| 3. | Enter subscriber configuration mode. | subscriber default, subscriber, subscriber-name or subscriber profile, profile-name | Replace the subscriber-name argument with the name of individual subscriber accounts, and profile-name with a named subscriber profile. Your prompt will include config-sub. |
| 4. | Attach a specified RFlow profile to a subscriber circuit. | flow apply ip profile profile-name {in \| out \| both} | Apply the profile in the required direction by choosing one of the following keywords: The subscriber circuit must be bound to an IP interface for flow accounting to work properly. |
| 5. | Save the configuration. | commit | — |
| 6. | Verify that RFlow is enabled on a subscriber circuit. | show subscribers active all | |
The following example shows a simple RFlow configuration. Two RFlow profiles are created: p1 and p2. An external collector called c1 is configured to monitor both profiles. The profile called p1 is attached to a VLAN, and the profile called p2 is attached to a PVC. When the profiles are attached to the VLAN and PVC circuits, RFlow is enabled on those circuits.
Create an RFlow profile called p1:
```
[local]Redback# configure
[local]Redback(config)# flow ip profile p1
[local]Redback(config-flow-ip-profile)# active-timeout 1000
[local]Redback(config-flow-ip-profile)# inactive-timeout 10
[local]Redback(config-flow-ip-profile)# aggregation-cache-size 8192
```
Create an RFlow profile called p2, running in the default mode:
```
[local]Redback# configure
[local]Redback(config)# flow ip profile p2
```
Configure access to an external collector called c1:
```
[local]Redback# configure
[local]Redback(config)# context rflow
[local]Redback(config-ctx)# flow collector c1
[local]Redback(config-flow-collector)# ip-address 10.12.209.7 context rflow1
[local]Redback(config-flow-collector)# port 9997
[local]Redback(config-flow-collector)# export-version v5
[local]Redback(config-flow-collector)# transport-protocol udp
[local]Redback(config-flow-collector)# ip profile p1
[local]Redback(config-flow-collector)# ip profile p2
```
Apply the profile p1 to the dot1q PVC 100 circuit on port 4/1:
```
[local]Redback# configure
[local]Redback(config)# port ethernet 4/1
[local]Redback(config-port)# no shutdown
[local]Redback(config-port)# encapsulation dot1q
[local]Redback(config-port)# dot1q pvc 100
[local]Redback(config-dot1q-pvc)# bind interface if1_1 local
[local]Redback(config-dot1q-pvc)# flow apply ip profile p1 in
```
Apply the profile p2 to dot1q PVC 100:
```
[local]Redback# configure
[local]Redback(config)# port ethernet 4/1
[local]Redback(config-port)# dot1q pvc 100
[local]Redback(config-dot1q-pvc)# encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)# bind interface if1_2 local
[local]Redback(config-dot1q-pvc)# flow apply ip profile p2 out
```
Apply the profile p1 to an access link group circuit called lg1:
```
[local]Redback# configure
[local]Redback(config)# link-group lg1 access economical
[local]Redback(config-link-group)# no shutdown
[local]Redback(config-link-group)# encapsulation dot1q
[local]Redback(config-link-group)# bind interface if1_1 local
[local]Redback(config-link-group)# flow apply ip profile p1 in
```
Apply the profile p2 to a link-group level-2 circuit:
```
[local]Redback# configure
[local]Redback(config)# link-group lg2 access economical
[local]Redback(config-link-group)# encapsulation dot1q
[local]Redback(config-link-group)# dot1q pvc 100
[local]Redback(config-dot1q-pvc)# bind interface if1_2 local
[local]Redback(config-dot1q-pvc)# flow apply ip profile p2 out
```
Define an application list called app-list1, then define an application name with the protocol ID and port number for TCP:
```
[local]Redback# configure
[local]Redback(config)# flow ip application-list app-list1
[local]Redback(config-flow-ip-app-list)# application app1
[local]Redback(config-flow-ip-app)# protocol tcp port 25
```
Define the global sampling packet interval, specifying a packet interval of 100:
```
[local]Redback# configure
[local]Redback(config)# flow ip sampling
[local]Redback(config-flow-ip-sampling)# packet-interval 100
```
Enable an application list and sampling for the profile p1:
```
[local]Redback# configure
[local]Redback(config)# flow ip profile p1
[local]Redback(config-flow-ip-profile)# application-list
[local]Redback(config-flow-ip-profile)# sampling
```