Sub-Interface throughput doesn't add up to Physical Interface throughput (SNMP monitoring)

27837

Created On 02/28/19 07:47 AM - Last Modified 04/18/19 23:03 PM

SNMP

Network Integration

8.1

8.0

7.1

9.0

PAN-OS

Symptom

SNMP monitoring enabled for physical and logical (sub-interface).
Sum of throughput of sub-interface doesn't add up to the throughput of actual physical interface.

For hardware/physical interfaces (example: ethernet1/2), firewall populates "Physical port counters read from MAC" in the SNMP MIB. These are MAC counters at the physical interface level and SNMP monitoring reads from them to display statistics for a physical interface.
For logical interfaces (example: VLAN , sub-interfaces (eth1/2.100 and eth1/2.200)), firewall only populates "Logical interface counters read from CPU" in the SNMP MIB. These are counters at CPU level (and not the actual physical interface). SNMP monitoring reads from them to display statistics for the logical interface.

Due to hardware offloading, many packets do not reach CPU and as such there will be a difference in counters/throughput between a physical and logical interface.

This causes the combined throughput of logical interfaces not to match the interface throughput. For ex: the throughput for eth1/2.100 and eth1/2.200 may not add up to eth1/2 stats.

Note:
Aggregate interface is created by either combining physical or logical interface. The above explanation still applies to them. If it is made by combining physical ports, Both "Physical port counters read from MAC" and "logical interface counters read from CPU" are available here whereas aggregate sub-interface (logical interface), only has "Logical interface counters read from CPU".

ae 1 members:
ethernet1/5 ethernet1/6

This is as per design. If you have sub interfaces configured and using snmp to monitor the throughput, the sum throughput of sub-interfaces doesn't add up to the throughput of actual physical interface.