sFlow monitors traffic in a data network. Use sFlow to monitor routers and switches in the network, and capture traffic statistics about those devices. sFlow uses sampling to provide scalability for network-wide monitoring, and therefore applies to high speed networks. The switch sends the sampled data as a User Datagram Protocol (UDP) packet to the specified host and port.
Note
sFlow and Application Telemetry send mirrored packets from a common source to a common destination. sFlow sends samples directly to the destination, while Application Telemetry sends mirrored packets through a GRE tunnel, to the same destination. For more information, see Common Elements Between sFlow and Application Telemetry.
sFlow consists of the following:
sFlow agent—Performs two types of sampling:
Flow samples: Flow sampling randomly samples an average of 1 out of n packets for each operation.
Counter samples: Counter sampling periodically polls and exports counters for a configured interface. This type of sampling uses a counter to determine if the packet is sampled. Each packet that an interface receives, and that a filter does not drop, reduces the counter by one. After the counter reaches zero, the sFlow agent takes a sample.
Note
Only generic interface counters and Ethernet interface counters are supported.
sFlow datagrams—Supports both flow samples and counter samples. Datagrams can be sent from the front panel port or an out-of-band (OOB) port. Each datagram provides information about the sFlow version, the originating IP address of the device, a sequence number, the number of samples it contains, and one or more flow and/or counter samples.
sFlow collector—Located on a central server and runs software that analyzes and reports on network traffic. Two sFlow collectors can be configured to be reachable over a management network or Shortest Path Bridging (SPB). The preferred network is SPB.
Application-specific integrated circuit (ASIC) or Software Development Kit (SDK) limitation—To avoid wobbling, the counter interval for sFlow is 20 seconds. Minor wobbling can still occur even after configuring the counter interval due to the interaction between the sFlow agent counter export schedule and the frequency with which the switch ASIC SDK copies and caches counters from the ASIC.
sFlow supports a maximum of two collectors.
UDP datagram size and the collector buffer are restricted to 1400 bytes. sFlow sends datagrams to the collector when the buffer reaches the 1400–byte capacity or after a timeout of one second is triggered. The collector buffer size cannot be modified.
The switch supports IPv4 collector IP addresses.
VLAN counters/statistics are not supported.
sFlow can be enabled only on the front panel ports.
You cannot configure the sampling limit. The sampling limit applies system-wide rather than on a per port basis. Sampling rates differ depending on the hardware platform so any sampled packets beyond the limit are dropped. For more information about feature support, see VSP 8600 Release Notes.
The switch supports only ingress sampling. The switch does not support egress sampling.
The switch does not support enabling sFlow on a link aggregation group (LAG) interface. However, you can enable sFlow on the member interfaces of a LAG.
The sFlow collector can be reachable through the Management VRF, the Global Routing Table (GRT) or if your switch supports doing so, through a user created VRF (virtual routing and forwarding). If the sFlow collector is hosted in either the GRT or a user created VRF, SPB reachability only supports using Layer 2 VSN or IP shortcuts to access the collector. Layer 3 VSNs are not supported in accessing the collector when it is hosted in the GRT or a User created VRF.
Note
This restriction applies to the VSP 8600 only. Other platforms mirror copies to both destinations.
A packet can have only one mirror destination so you cannot configure sFlow and Port Mirroring on the same port.
For Segmented Management Instance interfaces, sFlow is only supported on Segmented Management Instance OOB and on circuitless IP (CLIP) in GRT.
If the sFlow collector has two network interface controller (NIC) cards, to avoid dropped sFlow datagrams that are a result of reverse path checks, you can add a route to the agent-ip address for the NIC card on which the sFlow datagrams are received.
First preference is always given to either the GRT or management VRF to where the sFlow agent IP address is configured. For example, if you configure the sFlow agent IP address as part of GRT, the GRT route to the collector is given preference over the management VRF. If the management network hosts a collector with a collector IP address that is reachable over SPB as a result of redistributing direct routes on a peer Backbone Edge Bridge (BEB) or in situations where the GRT has a default route (0.0.0.0) and the collector route is in the local management VRF, first preference is given to the VRF where you have configured the sFlow agent IP address.
For Segmented Management Instance interfaces, preference for sFlow collector reachability checks is determined by agent-ip configuration. If you configure the sFlow agent IP address to Segmented Management Instance OOB, preference for route lookup is given to the management VRF. If no route is found, lookup occurs in GRT.
If you do not configure the agent-ip address to Segmented Management Instance OOB, preference for route lookup is given to GRT. If no route is found, lookup occurs in the management VRF.
After you configure the sFlow agent on the network device that you want to monitor, the system collects flow samples or counter samples, and exports these traffic statistics as sFlow datagrams to the sFlow collector on a server or appliance.
For example, after the buffers reach capacity or a timeout is triggered, an sFlow datagram, which is a UDP packet, sends the measurement information to the sFlow collector buffers. The UDP payload contains the sFlow datagram.
The following figure shows the sFlow agent on various routers and switches with sFlow datagrams being sent to the sFlow collector.
Number |
Description |
---|---|
1 |
sFlow collector |
2 |
sFlow datagrams |
3 |
sFlow agents |
As a general rule, drop action occurs after sampling completes. However, in situations related to Layer 1 errors such as, MTU exceeded packets, the drop action occurs before sampling begins. For errors such as, frame too long, packets are dropped due to the size of the frame being greater than the interface MTU. In this situation, the packets are dropped before sampling begins so only counter polling occurs. To enable trace, use line-card 1 trace level 232 <0–4>.
Important
The defined sampling rate, an average of 1 out of n packets/operations does not provide a 100% accurate result, but it does provide a result with quantifiable accuracy.