2.12.2 Configuration recommendations

2.12.2.1 Sampling Rate #

For better and more accurate anomaly detection, it’s strongly recommended to not sample the Flow records. However, if your network router is experiencing high CPU usage, you can enable sampling rate on the router interfaces. Example of the configuration on Cisco devices:

Listing 2.56: Cisco NetFlow Sampling Rate configuration

interface GigabitEthernet0/1
 ip flow monitor FLOW-MONITOR input
 ip flow monitor FLOW-MONITOR output
 ip flow ingress sampling mode random 1 out-of 10
 ip flow egress sampling mode random 1 out-of 10

The above command will send 1 random packet out of 10 flow records to the flow collector.

2.12.2.2 Exporting TCP flags #

To achieve better accuracy in detecting TCP attacks like SYN and ACK, it’s recommended that the option of exporting the TCP flags as key fields in the flow records is enabled. This will allow the application to provide more precise detection of the TCP anomalies. Otherwise, if your router does not support such options, IRP can sum the flow records that contain TCP flags and provide analysis based on this option.
Please refer to the collector.flow.nf.tcp_flags
Example of the configuration on Cisco and Juniper devices:

Listing 2.57: Exporting TCP flags as flow keys

Cisco:
flow record FLOW-RECORD
match ipv4 source address
match ipv4 destination address
match ip protocol
match transport tcp flags
collect transport source-port
collect transport destination-port

Juniper:
set services flow-monitoring version9 template FLOW-RECORD flow-key ipv4-source-address
set services flow-monitoring version9 template FLOW-RECORD flow-key ipv4-destination-address
set services flow-monitoring version9 template FLOW-RECORD flow-key protocol
set services flow-monitoring version9 template FLOW-RECORD flow-key source-port
set services flow-monitoring version9 template FLOW-RECORD flow-key destination-port
set services flow-monitoring version9 template FLOW-RECORD flow-key tcp-flags

Updated on Dec 9, 2025

IRP Resources

White Papers

Discover IRP features, review use cases and make informed decisions

Case Studies

Case studies and success stories to help in the decision-making process

Videos

Watch Noction IRP videos, screencasts and client testimonials

Manuals

Technical Noction IRP documentation, deployment instructions and datasheets

Tier 1 Reports

Get a first-hand network performance view of the major Tier 1 Carriers

IRP FAQ

See answers to the questions we get asked the most about Noction IRP

NFA Resources

NFA Documentation

Product overview, user guide and the deployment instructions documents

Tips and Tricks

Practical and useful info on NFA and the overall NetFlow analysis

NFA FAQ

A series of the most common NFA questions and answers

Guides & eBooks

View All Guides

IRP Documentation

2.12.2 Configuration recommendations

2.12.2.1 Sampling Rate #

2.12.2.2 Exporting TCP flags #

+1-650-618-9823

sales@noction.com

Campbell, CA 95008, USA

Company News

Blog

About Us

Press Releases

Careers

Support

Noction Releases Free IRP Lite v4.2.9 with GMI, Threat Mitigation, and Expanded OS Support

Noction IRP Quote

NFA Pricing

IRP Resources

White Papers

Case Studies

Videos

Manuals

Tier 1 Reports

IRP FAQ

NFA Resources

NFA Documentation

Tips and Tricks

NFA FAQ

Guides & eBooks

NOC as a Service

IP Transit Providers Assessment

Tier 1s Performance Dashboard

Tier 1 Carriers Report - November 2025

Noction IRP

Noction IRP Lite

Noction Flow Analyzer