Configuration Guide - Network Management and Monitoring

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Network Management and Monitoring, including SNMP, RMON, NETCONF, OpenFlow, LLDP, NQA, Mirroring, Packet Capture, Packet Trace, Path and Connectivity Detection Configuration, NetStream, sFlow, and iPCA.
Licensing Requirements and Limitations for sFlow

Involved Network Elements

The switch needs to work with an sFlow server.

Licensing Requirements

sFlow is a basic feature of CE8800, CE7800, CE6800, and CE5800 series switches and is not under license control.

Version Requirements

Table 15-3 Products and minimum version supporting sFlow

| Product Model | Minimum Version Required |
|---|---|
| CE8868EI/CE8861EI | V200R005C10 |
| CE8860EI | V100R006C00 |
| CE8850-32CQ-EI | V200R002C50 |
| CE8850-64CQ-EI | V200R005C00 |
| CE7850EI | V100R003C00 |
| CE7855EI | V200R001C00 |
| CE6810EI | V100R003C00 |
| CE6810-48S4Q-LI/CE6810-48S-LI | V100R003C10 |
| CE6810-32T16S4Q-LI/CE6810-24S2Q-LI | V100R005C10 |
| CE6850EI | V100R002C00 |
| CE6850-48S6Q-HI | V100R005C00 |
| CE6850-48T6Q-HI/CE6850U-HI/CE6851HI | V100R005C10 |
| CE6855HI | V200R001C00 |
| CE6857EI | V200R005C10 |
| CE6870-24S6CQ-EI/CE6870-48S6CQ-EI | V200R001C00 |
| CE6860EI/CE6856HI/CE6870-48T6CQ-EI | V200R002C50 |
| CE6875EI | V200R003C00 |
| CE6865EI | V200R005C00 |
| CE5810EI | V100R002C00 |
| CE5850EI | V100R002C00 |
| CE5850HI | V100R003C00 |
| CE5855EI | V100R006C00 |

Feature Limitations

Restrictions of using sFlow with other features

Table 15-4 Restrictions of using sFlow with other features

Feature

Use Precautions

NetStream

sFlow and NetStream cannot be configured on the same device.

Mirroring

  • On the CE6875EI or CE6870EI:
    • When inbound flow sampling is configured to use snoop resources, port mirroring and inbound flow sampling can be configured on the same interface, and inbound port mirroring and outbound flow sampling can also be configured on the same interface. Outbound flow sampling conflicts with outbound MQC-based traffic mirroring and outbound VLAN mirroring. After outbound flow sampling is configured on an interface, do not configure any outbound MQC-based traffic mirroring or outbound VLAN mirroring to contain this interface. If the outbound flow sampling and outbound mirroring functions (outbound MQC-based traffic mirroring or outbound VLAN mirroring) are configured on the same interface, they cannot take effect simultaneously.
    • When inbound flow sampling is not configured to use snoop resources, port mirroring and flow sampling cannot be configured on the same interface, and flow sampling conflicts with MQC-based traffic mirroring, simplified traffic mirroring, and VLAN mirroring. After flow sampling is configured on an interface, do not configure any MQC-based traffic mirroring, simplified traffic mirroring, or VLAN mirroring to contain this interface. If the flow sampling and mirroring functions (MQC-based traffic mirroring, simplified traffic mirroring, or VLAN mirroring) are configured on the same interface, they cannot take effect simultaneously.
  • On other models:
    • Flow sampling conflicts with port mirroring, and they cannot be configured on the same interface. Flow sampling conflicts with MQC-based traffic mirroring, simplified traffic mirroring, and VLAN mirroring. After flow sampling is configured on an interface, do not configure any MQC-based traffic mirroring, simplified traffic mirroring, or VLAN mirroring to contain this interface. If the flow sampling and mirroring functions (MQC-based traffic mirroring, simplified traffic mirroring, or VLAN mirroring) are configured on the same interface, they cannot take effect simultaneously.
    • Mirrored packets cannot be sampled.

TRILL

sFlow cannot sample TRILL packets.

MPLS

sFlow cannot sample IP packets encapsulated in MPLS packets.

Multicast

CE switches, except CE6875EI and CE6870EI, do not support sampling for IPv6 multicast packets.

VLAN

In V200R003C00 and earlier versions, the CE8860EI, CE8850EI, CE6875EI, CE6870EI, and CE5810EI perform sFlow sampling for packets discarded in VLAN check. In V200R005C00 and later versions, CE8800, CE7800, CE6800, and CE5800 series switches perform sFlow sampling for packets discarded in VLAN check.

VXLAN

sFlow cannot sample inner tag information of VXLAN packets.

When sFlow sampling is performed on the outbound interfaces of a switch, except CE6875EI and CE6870EI, that performs VXLAN encapsulation, VXLAN packets cannot be sampled. When sFlow sampling is performed on the outbound interfaces of a switch that performs VXLAN decapsulation, the packets before decapsulation are sampled and both the source and destination MAC addresses are all 0s.

BFD

In V200R003C00 and later versions, after sFlow sampling is configured on the CE8868EI, CE8861EI, CE8850-64CQ-EI, CE6875EI, CE6857EI, or CE6865EI, BFD packets sampled by sFlow cannot be exported.

VPN

  • When sFlow sampling is configured for outbound Layer 3 traffic between VPNs, routing information cannot be collected.
  • When a main interface and its Layer 3 sub-interfaces are in different VPNs and sFlow is configured on the main interface, the traffic passing through the Layer 3 sub-interface can be sampled. Routing information about the main interface is collected, but routing information about the Layer 3 interface is not collected.

VPLS

VPLS packets cannot be sampled.

QoS

sFlow sampling is based on the original packets. After the forwarding behavior is modified (for example, policy routing is applied) or information about the packets to be forwarded is modified (for example, ACL or QoS is applied), the modification is not shown in the sFlow statistics.

Switches except CE6875EI and CE6870EI sample outgoing packets even if the packets are discarded by CAR, traffic shaping, or Deny action.

Local attack defense

  • On the CE6875EI, flow sampling can be performed in enhanced mode. In this mode, sampled packets are not sent to the CPU for processing.
  • On a CE switch except CE6875EI, since V200R001C00, the switch sends sampled packets to the CPU for processing. When the CPU usage of the device exceeds 65%, the switch decreases the CAR value of sampled packets sent to the CPU to 1000 pps. As a result, some sampled packets to be sent to the CPU are discarded, decreasing the flow sampling ratio. When the CPU usage falls below 65%, the switch increases the CAR value of sampled packets by 500 pps every 20 seconds until the CAR value is restored to the original setting.

ARP security

On a CE switch, except CE6875EI and CE6870EI, if both sFlow and interface-based ARP rate limiting are configured, interface-based ARP rate limiting is inaccurate. The maximum number of ARP packets sent from interfaces to the CPU is the ARP rate limit plus the number of ARP packets sampled by sFlow.

Stack

Do not configure sFlow on an inter-chassis Eth-Trunk of a stack. If you configure sFlow on an inter-chassis Eth-Trunk, the statistics collection result of the sFlow Collector will be inaccurate.

After sFlow sampling is configured in the outbound direction of a physical interface, Eth-Trunk, or Eth-Trunk member interface, the traffic on Layer 3 or Layer 2 sub-interfaces can be sampled when the traffic passes two or more member switches. The physical interface or Eth-Trunk indexes are filled in the sampled packets, and the routing information on Layer 3 or Layer 2 sub-interfaces cannot be sampled.

SVF consisting only of fixed switches

  • Do not configure sFlow on an inter-leaf Eth-Trunk. If you configure sFlow on an inter-leaf Eth-Trunk, the statistics collection result of the sFlow Collector will be inaccurate.
  • In V100R006C00 and earlier versions, when working in hybrid or centralized forwarding mode, a leaf switch does not support sFlow. If sFlow has been configured on a leaf switch, the leaf switch cannot switch from distributed forwarding mode to hybrid or centralized forwarding mode. If you want to change the forwarding mode on a leaf switch, delete the sFlow configuration on the leaf switch first.
  • In V200R001C00 and later versions, when working in hybrid or centralized forwarding mode, a leaf switch supports sFlow only in the inbound direction of a physical interface, Eth-Trunk, or Eth-Trunk member interface, and does not support sFlow in the inbound direction of Layer 2 or Layer 3 sub-interfaces. sFlow configured in the inbound direction of a physical interface, Eth-Trunk, or Eth-Trunk member interface can sample traffic on Layer 3 or Layer 2 sub-interfaces. If sFlow has been configured in the outbound direction of a leaf switch, the leaf switch cannot change from distributed forwarding mode to hybrid or centralized forwarding mode. If you want to change the forwarding mode on a leaf switch, delete the sFlow configuration on the leaf switch first.

  • In hybrid forwarding mode, leaf switches perform sFlow sampling on the traffic forwarded between them, but cannot collect routing information. In centralized forwarding mode, a leaf switch performs sFlow sampling, but cannot collect routing information of packets.

  • A CE5855EI supports sFlow IPv6 when functioning as a leaf switch.

sFlow use restrictions

Common use restrictions:
  • The maximum rate of sFlow packets sent by the CE8800, CE7800, CE6800, and CE5850EI is 2000 pps and by the CE5850HI, CE5810EI, and CE5855EI is 250 pps. The maximum rate of sFlow packets sent by an SVF system consisting only of fixed switches or a stack is 5000 pps.

  • In the sFlow sampling service, there may be a difference of 5% or lower between collected statistics and actual traffic statistics.

  • When the sFlow sampling ratio is set to a small value, many sampled packets are sent to the CPU, causing high CPU usage and affecting other services. If the CPU is overloaded, sampled packets are discarded.

  • The source VLAN information is not recorded in outbound sFlow sampling. In packet statistics, the source VLAN information is recorded as 0. The destination VLAN information is not recorded in inbound sFlow sampling. In packet statistics, the destination VLAN information is recorded as 0.

  • When sampling Layer 3 packets, the switch needs to look up the routing table, causing a high CPU usage.

  • An sFlow sampling ratio in V200R001C00SPC100 that is less than 4096 is automatically set to 4096 after the version is upgraded or downgraded.

  • When counter sampling is configured on a Layer 2 sub-interface, sampling statistics are the same as the statistics collected on the main interface.

  • The switch cannot forward sFlow packets after VXLAN or MPLS encapsulation. Therefore, do not send sFlow packets to the collector through a VXLAN or MPLS tunnel when sFlow sampling is configured.
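The CPU-protection throttling described under Local attack defense and the discard behavior in the list above both mean a collector can receive fewer samples than the configured ratio implies, so scaling by the configured rate undercounts traffic. The following is an added example, not Huawei code: a collector-side check built on the sFlow version 5 flow-sample header fields sample_pool and sequence_number. It assumes the switch populates those fields as the sFlow specification describes; the class and function names, the alert threshold, and the sample data are constructed for illustration.

```python
"""Collector-side check for sFlow sample loss (added example, not Huawei code)."""
from dataclasses import dataclass

U32 = 1 << 32  # sFlow v5 header counters are unsigned 32-bit and wrap


@dataclass
class FlowSample:
    """Header fields of one decoded sFlow v5 flow sample."""
    sequence: int       # sequence_number: incremented per sample the agent generates
    sampling_rate: int  # configured 1-in-N rate reported by the agent
    sample_pool: int    # packets that could have been sampled so far
    frame_length: int   # original length of the sampled frame, in bytes


def assess_window(samples, max_ratio=1.25):
    """Compare configured and effective sampling rate over one window.

    samples: FlowSample list from one agent data source, in arrival order.
    max_ratio: hypothetical alert threshold for effective/configured rate.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to take deltas")
    first, last = samples[0], samples[-1]
    received = len(samples) - 1  # samples after the baseline one
    # Modulo arithmetic keeps the deltas correct across a 32-bit wrap.
    pool_delta = (last.sample_pool - first.sample_pool) % U32
    generated = (last.sequence - first.sequence) % U32
    configured = last.sampling_rate
    effective = pool_delta / received  # packets observed per sample received
    sampled_bytes = sum(s.frame_length for s in samples[1:])
    return {
        "configured_rate": configured,
        "effective_rate": effective,
        # Samples the agent generated that never reached the collector.
        "missing_samples": generated - received,
        "naive_bytes": sampled_bytes * configured,
        "corrected_bytes": sampled_bytes * effective,
        "degraded": effective > configured * max_ratio,
    }


def constructed_window(n, rate, pool_step, start_pool=0, frame_length=1000):
    """Build n+1 constructed samples; pool_step is packets seen per sample kept."""
    return [
        FlowSample(sequence=100 + i, sampling_rate=rate,
                   sample_pool=(start_pool + i * pool_step) % U32,
                   frame_length=frame_length)
        for i in range(n + 1)
    ]


# Constructed data: the agent samples 1 in 4096 and every sample arrives.
HEALTHY = constructed_window(10, 4096, 4096)
# Constructed data: three of every four samples are discarded before the agent
# sees them, and sample_pool wraps past 2**32 inside the window.
THROTTLED = constructed_window(10, 4096, 4 * 4096, start_pool=U32 - 20000)

if __name__ == "__main__":
    for name, window in (("healthy", HEALTHY), ("throttled", THROTTLED)):
        print(name, assess_window(window))
```

Sampling is random, so evaluate windows long enough to contain many samples before alerting on the ratio.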

Restrictions on the CE6870EI:
  • When sFlow counter sampling is configured, the switch does not count the number of discarded packets in Output traffic statistics on interfaces.

  • When a switch samples outgoing packets, the inbound interface is recorded as an invalid interface.

  • In V200R003C00 and earlier versions, when sFlow sampling is configured in the inbound direction of a physical interface, an Eth-Trunk, or an Eth-Trunk member interface, the switch cannot sample packets on Layer 3 or Layer 2 sub-interfaces. When sFlow sampling is configured in the outbound direction of a physical interface, an Eth-Trunk, or an Eth-Trunk member interface, the switch can sample packets on Layer 3 and Layer 2 sub-interfaces. The interface index in the sampled packets is the index of the physical interface or Eth-Trunk, and the routing information on Layer 3 and Layer 2 sub-interfaces cannot be collected.

  • In V200R005C00 and later versions, when sFlow sampling is configured on a physical interface, an Eth-Trunk, or an Eth-Trunk physical member interface, the switch can sample packets on Layer 3 and Layer 2 sub-interfaces. The interface index in the sampled packets is the index of the physical interface or Eth-Trunk, and the routing information on Layer 3 and Layer 2 sub-interfaces cannot be collected.

  • When sFlow sampling is configured for incoming multicast, broadcast, and unknown unicast packets, the packet statistics do not contain outbound interface information. When sFlow sampling is configured for incoming known unicast packets, the following events occur:
    • If the outbound interface is a Layer 3 main interface, the packet statistics contain outbound interface information.
    • If the outbound interface is a Layer 3 sub-interface, the packet statistics are about the Layer 3 main interface corresponding to this sub-interface.
    • If the outbound interface is an interface of other types, the packet statistics do not contain outbound interface information.
  • The following services are in descending order of priority: M-LAG unidirectional isolation, MQC (traffic policing, traffic statistics collection, and packet filtering), querying the outbound interface of packets with specified 5-tuple information, source MAC address, and destination MAC address, local VLAN mirroring, sFlow, NetStream, and VLANIF interface statistics collection. When the services are configured on an interface in the outbound direction, only the service with the highest priority takes effect. For example, when both packet filtering and VLANIF interface statistics collection are configured on a VLANIF interface, packet filtering takes effect.

    For sFlow and NetStream, the preceding limitations apply only to Layer 2 sub-interfaces and Layer 3 sub-interfaces.

  • Configuring outbound sFlow sampling is not recommended because it will lower the forwarding capability of the switch.

Restrictions on the CE6875EI:
  • When sFlow counter sampling is configured, the switch does not count the number of discarded packets in Output traffic statistics on interfaces.

  • When a switch samples outgoing packets, the inbound interface is recorded as an invalid interface.

  • The following services are in descending order of priority: M-LAG unidirectional isolation, MQC (traffic policing, traffic statistics collection, and packet filtering), querying the outbound interface of packets with specified 5-tuple information, source MAC address, and destination MAC address, local VLAN mirroring, sFlow, NetStream, and VLANIF interface statistics collection. When the services are configured on an interface in the outbound direction, only the service with the highest priority takes effect. For example, when both packet filtering and VLANIF interface statistics collection are configured on a VLANIF interface, packet filtering takes effect.

    For sFlow and NetStream, the preceding limitations apply only to Layer 2 sub-interfaces and Layer 3 sub-interfaces.

  • Configuring outbound sFlow sampling is not recommended because it will lower the forwarding capability of the switch.

  • Restrictions in non-enhanced mode:

    • In V200R003C00, when sFlow sampling is configured in the inbound direction of a physical interface, an Eth-Trunk, or an Eth-Trunk member interface, the switch cannot sample packets on Layer 3 or Layer 2 sub-interfaces. When sFlow sampling is configured in the outbound direction of a physical interface, an Eth-Trunk, or an Eth-Trunk member interface, the switch can sample packets on Layer 3 and Layer 2 sub-interfaces. The interface index in the sampled packets is the index of the physical interface or Eth-Trunk, and the routing information on Layer 3 and Layer 2 sub-interfaces cannot be collected.

    • In V200R005C00 and later versions, when sFlow sampling is configured on a physical interface, an Eth-Trunk, or an Eth-Trunk physical member interface, the switch can sample packets on Layer 3 and Layer 2 sub-interfaces. The interface index in the sampled packets is the index of the physical interface or Eth-Trunk, and the routing information on Layer 3 and Layer 2 sub-interfaces cannot be collected.

    • When sFlow sampling is configured for incoming multicast, broadcast, and unknown unicast packets, the packet statistics do not contain outbound interface information. When sFlow sampling is configured for incoming known unicast packets, the following events occur:
      • If the outbound interface is a Layer 3 main interface, the packet statistics contain outbound interface information.
      • If the outbound interface is a Layer 3 sub-interface, the packet statistics are about the Layer 3 main interface corresponding to this sub-interface.
      • If the outbound interface is an interface of other types, the packet statistics do not contain outbound interface information.
  • Restrictions in enhanced mode:

    • The switch cannot send sFlow packets through the management interface.
    • The exported sFlow packets do not carry IPv6 routing information.
    • When sFlow sampling is configured on a physical interface, an Eth-Trunk, or an Eth-Trunk member interface, the switch can sample packets on Layer 3 and Layer 2 sub-interfaces. The interface index in the sampled packets is the index of the physical interface or Eth-Trunk.
    • When inbound flow sampling is configured on an interface, only the inbound interface information is displayed in the statistics. When outbound flow sampling is configured on an interface, only the outbound interface information is displayed in the statistics.

    • In a fast stack upgrade or downgrade scenario, when a stack is downgraded from V200R005C00 or a later version to V200R003C00, interfaces on the standby device enter the Error-Down state.

Use restrictions for CE switches except CE6870EI and CE6875EI:
  • sFlow cannot sample protocol packets to be sent to the CPU.

  • The CE5855EI does not support the sFlow IPv6 function.
  • When a CE6810LI functions as an sFlow agent, the sFlow agent cannot select the IP address of the outbound interface of the route to the Collector as its own IP address. To set this IP address as the sFlow agent's IP address, you must manually configure it. If you do not manually configure it, the Agent IP field will be incorrect.

  • When sFlow sampling is configured for outgoing packets and the inbound interface is a Layer 3 or Layer 2 sub-interface, the inbound interface recorded in statistics packets is the main interface corresponding to this Layer 3 or Layer 2 sub-interface.
  • In V200R003C00 and earlier versions, when sFlow sampling is configured on a physical interface, an Eth-Trunk, or an Eth-Trunk member interface of a switch except the CE5810-48T4S-EI, the switch cannot sample packets on Layer 3 or Layer 2 sub-interfaces.

  • When sFlow sampling is configured for incoming multicast, broadcast, and unknown unicast packets, the packet statistics do not contain outbound interface information. When sFlow sampling is configured for incoming known unicast packets, the packet statistics contain outbound interface information. If the outbound interface is a Layer 3 or Layer 2 sub-interface, the packet statistics are about the main interface corresponding to this Layer 3 or Layer 2 sub-interface.
  • In V200R005C00 and later versions, when sFlow sampling is configured in the inbound direction of a physical interface, an Eth-Trunk, or an Eth-Trunk physical member interface of a CE switch except the CE5810-48T4S-EI, the switch can sample packets on Layer 3 and Layer 2 sub-interfaces. When sFlow sampling is configured in the outbound direction of a physical interface, an Eth-Trunk, or an Eth-Trunk physical member interface of a CE switch except the CE5810-48T4S-EI, the switch can sample packets on Layer 3 sub-interfaces but cannot sample packets on Layer 2 sub-interfaces. The interface index in the sampled packets is the index of the physical interface or Eth-Trunk, and the routing information on Layer 3 and Layer 2 sub-interfaces cannot be collected.

  • In V200R003C00 and earlier versions, when sFlow sampling is configured in the inbound direction of a physical interface, an Eth-Trunk, or an Eth-Trunk member interface of the CE5810-48T4S-EI, the switch cannot sample packets on Layer 3 and Layer 2 sub-interfaces. When sFlow is configured in the outbound direction of a physical interface, an Eth-Trunk, or an Eth-Trunk member interface of the CE5810-48T4S-EI, the switch can sample inter-chip traffic only on Layer 3 sub-interfaces, not Layer 2 sub-interfaces. The interface index in the sampled packets is the index of the physical interface or Eth-Trunk, and the routing information on Layer 3 and Layer 2 sub-interfaces cannot be collected. The interfaces GE1-24 and 10GE1-2 are on the same chip, and the interfaces GE25-48 and 10GE3-4 are on the same chip.

  • On the CE5810-48T4S-EI running V200R005C00 or a later version, when inbound sFlow sampling is configured on a physical interface, an Eth-Trunk, or an Eth-Trunk member interface, the switch can sample packets on Layer 3 and Layer 2 sub-interfaces; when outbound sFlow sampling is configured on a physical interface, an Eth-Trunk, or an Eth-Trunk member interface, the switch can sample packets only on Layer 3 sub-interfaces. The interface index in the sampled packets is the index of the physical interface or Eth-Trunk, and the routing information on Layer 3 and Layer 2 sub-interfaces cannot be collected.
  • After sFlow sampling is configured in the outbound direction of a physical interface, Eth-Trunk, or Eth-Trunk physical member interface, if the inbound interface of packets is a Layer 3 or Layer 2 sub-interface, the inbound interface index in sampled packets is the index of the physical interface or Eth-Trunk corresponding to this Layer 3 or Layer 2 sub-interface.

  • After sFlow sampling is configured in the outbound direction, packets forwarded at Layer 3 can be sampled, and the original Layer 2 header information in packets is collected.

Restrictions on the use of NetStream, sFlow, and port mirroring on Eth-Trunk and its Layer 3 sub-interfaces, Layer 2 sub-interfaces, and member interfaces

Table 15-5 Restrictions on the use of sFlow, NetStream, and port mirroring on Eth-Trunk and its Layer 3 sub-interfaces, Layer 2 sub-interfaces, and member interfaces

| Interface with sFlow Configured | Eth-Trunk | Layer 3 Sub-interface | Layer 2 Sub-interface | Member Interface |
|---|---|---|---|---|
| Eth-Trunk | NetStream: N; Port mirroring: N | sFlow: N; NetStream: N; Port mirroring: N | sFlow: Y; NetStream: N; Port mirroring: N | sFlow: N; NetStream: N; Port mirroring: N |
| Layer 2 sub-interface of an Eth-Trunk | sFlow: Y; NetStream: N; Port mirroring: N | sFlow: N; NetStream: N; Port mirroring: N | NetStream: N; Port mirroring: N | sFlow: N; NetStream: N; Port mirroring: N |
| Member interface of an Eth-Trunk | sFlow: N; NetStream: N; Port mirroring: N | sFlow: N; NetStream: N; Port mirroring: N | sFlow: N; NetStream: N; Port mirroring: N | NetStream: N; sFlow and port mirroring cannot be configured together on the same interface. |

N: indicates that this function cannot be configured. Y: indicates that this function can be configured.

Since V100R005C00, sFlow can be configured on Eth-Trunk member interfaces.

Updated: 2019-04-20

Document ID: EDOC1100075365
