sFlow monitors traffic in a data network. Use sFlow to monitor routers and switches in the network, and capture traffic statistics about those devices. sFlow uses sampling to provide scalability for network-wide monitoring, and therefore applies to high-speed networks. The switch sends the sampled data as a User Datagram Protocol (UDP) packet to the specified host and port.
Note
sFlow and Application Telemetry send mirrored packets from a common source to a common destination. sFlow sends samples directly to the destination, while Application Telemetry sends mirrored packets through a GRE tunnel, to the same destination. For more information, see Common Elements Between sFlow and Application Telemetry.
sFlow consists of the following:
sFlow agent—Performs two types of sampling:
Flow samples: Flow sampling randomly samples an average of 1 out of n packets for each operation.
Counter samples: Counter sampling periodically polls and exports counters for a configured interface. This type of sampling uses a counter to determine if the packet is sampled. Each packet that an interface receives, and that a filter does not drop, reduces the counter by one. After the counter reaches zero, the sFlow agent takes a sample.
Note
Only generic interface counters and Ethernet interface counters are supported.
sFlow datagrams—Supports both flow samples and counter samples. Datagrams can be sent from the front panel port or an out-of-band (OOB) port. Each datagram provides information about the sFlow version, the originating IP address of the device, a sequence number, the number of samples it contains, and one or more flow and/or counter samples.
sFlow collector—Located on a central server and runs software that analyzes and reports on network traffic. Two sFlow collectors can be configured to be reachable over a management network or Shortest Path Bridging (SPB).
The following section describes operational considerations for deploying sFlow.
Application-specific integrated circuit (ASIC) or Software Development Kit (SDK) limitation—To avoid wobbling, the counter interval for sFlow is 20 seconds. Minor wobbling can still occur even after configuring the counter interval due to the interaction between the sFlow agent counter export schedule and the frequency with which the switch ASIC SDK copies and caches counters from the ASIC.
sFlow supports a maximum of two collectors.
UDP datagram size and the collector buffer are restricted to 1400 bytes. sFlow sends datagrams to the collector when the buffer reaches the 1400-byte capacity or after a timeout of one second is triggered. The collector buffer size cannot be modified.
The switch supports IPv4 collector IP addresses.
VLAN counters/statistics are not supported.
sFlow can be enabled only on the front panel ports.
You cannot configure the sampling limit. The sampling limit applies system-wide rather than on a per-port basis. Sampling rates differ depending on the hardware platform, so any sampled packets beyond the limit are dropped. For more information about feature support, see VOSS Release Notes.
The switch supports only ingress sampling. The switch does not support egress sampling.
The switch does not support enabling sFlow on a link aggregation group (LAG) interface. However, you can enable sFlow on the member interfaces of a LAG.
When you specify the sFlow source IP as the Segmented Management Instance OOB instance, the Management Instance OOB routing table determines reachability to the collector.
When you specify the sFlow source IP as the Segmented Management Instance VLAN instance, the Management Instance VLAN routing table determines reachability to the collector.
When you specify the sFlow source IP as the Segmented Management Instance CLIP instance, the VRF associated with the Management Instance CLIP checks reachability to the collector, including GRT, VRFs or Layer 3 VSNs.
When you specify the sFlow source IP as a routing VLAN or loopback IP, only the GRT checks reachability to the collector. User-defined VRFs or Layer 3 VSNs are not supported for this option.
For Segmented Management Instance interfaces, both collectors must be reachable through the Management Instance interface bound to the sFlow source IP. Configurations where one sFlow collector is a Management Instance OOB interface and the other sFlow collector is on an in-band interface are not supported.
You must use Segmented Management Instance CLIP to access VRFs and Layer 3 VSNs.
sFlow supports user-created VRFs when the Segmented Management Instance CLIP interface IP address is used as the sFlow source IP.
You can use the onboarding VLAN to manage the switch and enable sFlow without any additional management or routing interface configuration.
A packet can have only one mirror destination. You cannot configure sFlow and Port Mirroring on the same port.
Note
This restriction applies to the VSP 8600 Series only. Other platforms mirror copies to both destinations.
The following section describes configuration considerations for sFlow.
If the sFlow collector has two network interface controller (NIC) cards, add a route to the agent IP address for the NIC card on which the sFlow datagrams are received to avoid dropped sFlow datagrams due to reverse path checks.
After you configure the sFlow agent on the network device that you want to monitor, the system collects flow samples or counter samples, and exports these traffic statistics as sFlow datagrams to the sFlow collector on a server or appliance.
For example, after the buffers reach capacity or a timeout is triggered, an sFlow datagram, which is a UDP packet, sends the measurement information to the sFlow collector buffers. The UDP payload contains the sFlow datagram.
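The datagram fields listed earlier (version, agent IP address, sequence number, sample count, samples) can be checked on the collector side. The following is an added example, not part of the original documentation: it assumes the sFlow version 5 wire layout, which this page does not state, and the sample datagram, the agent address 192.0.2.10 and all function names are constructed for illustration.

```python
import ipaddress
import struct

MAX_DATAGRAM = 1400  # datagram size limit stated on this page
SAMPLE_KINDS = {1: "flow", 2: "counter", 3: "flow", 4: "counter"}  # 3 and 4 are the expanded forms


def build_example(seq: int, sample_formats=(1, 2)) -> bytes:
    """Constructed sample datagram (not captured traffic) from agent 192.0.2.10."""
    hdr = struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 10]), 0, seq, 1000, len(sample_formats))
    body = b"".join(struct.pack("!II", fmt, 4) + b"\x00" * 4 for fmt in sample_formats)
    return hdr + body


def parse_sflow_datagram(payload: bytes) -> dict:
    """Validate the datagram header and classify each sample without decoding its body."""
    if len(payload) > MAX_DATAGRAM:
        raise ValueError("datagram exceeds 1400 bytes")
    if len(payload) < 28:
        raise ValueError("truncated header")
    version, addr_type = struct.unpack_from("!II", payload, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    if addr_type != 1:  # 1 = IPv4 agent address; other types are not handled in this example
        raise ValueError("only IPv4 agent addresses handled here")
    agent = str(ipaddress.IPv4Address(payload[8:12]))
    sub_agent, seq, _uptime_ms, count = struct.unpack_from("!IIII", payload, 12)
    offset, kinds = 28, []
    for _ in range(count):
        if offset + 8 > len(payload):
            raise ValueError("sample header runs past end of datagram")
        tag, length = struct.unpack_from("!II", payload, offset)
        offset += 8 + length
        if offset > len(payload):
            raise ValueError("sample body runs past end of datagram")
        enterprise, fmt = tag >> 12, tag & 0xFFF
        kinds.append(SAMPLE_KINDS.get(fmt, "unknown") if enterprise == 0 else "vendor")
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq, "samples": kinds}


def missing_datagrams(last_seq: dict, dgram: dict) -> int:
    """Return how many datagrams were lost since the previous one from the same agent."""
    key = (dgram["agent"], dgram["sub_agent"])
    prev = last_seq.get(key)
    last_seq[key] = dgram["sequence"]
    if prev is None:
        return 0
    gap = (dgram["sequence"] - prev - 1) % 2**32  # handles 32-bit wraparound
    return gap if gap < 2**31 else 0  # duplicate, reordered or restarted agent
```

A non-zero result from `missing_datagrams` is a cue to check for drops between the agent and the collector, such as the reverse path check case described above.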
The following figure shows the sFlow agent on various routers and switches with sFlow datagrams being sent to the sFlow collector.
Number | Description |
---|---|
1 | sFlow collector |
2 | sFlow datagrams |
3 | sFlow agents |
As a general rule, the drop action occurs after sampling completes. However, for Layer 1 errors, such as MTU exceeded packets, the drop action occurs before sampling begins. For errors such as frame too long, packets are dropped because the frame is larger than the interface MTU. In this situation, the packets are dropped before sampling begins, so only counter polling occurs. To enable trace, use line-card 1 trace level 232 <0–4>.
Important
The defined sampling rate, an average of 1 out of n packets/operations, does not provide a 100% accurate result, but it does provide a result with quantifiable accuracy.