SupportDocumentationRoutersService RoutersNetEngine 8000Configuration & CommissioningConfiguration Guide

NetEngine 8000 M14K, M14, M8K, M8, M4, 8000E M14 M8, 8100 M14 M8 V800R022C00SPC600 Configuration Guide

sFlow Configuration

sFlow Configuration

sFlow Description

Overview of sFlow

Definition

Sampled Flow (sFlow) is a traffic monitoring technology that collects and analyzes traffic statistics based on packet sampling.

Purpose

Enterprise networks are generally smaller and more flexible than carrier networks. However, they are often prone to attacks and service exceptions. To help ensure network stability, enterprises require a traffic monitoring technique that can promptly identify traffic anomalies and the source of attack traffic, allowing them to quickly rectify faults.

sFlow is developed to meet the preceding requirement. sFlow is an interface-based traffic analysis technique that collects packets on an interface based on the sampling rate. In flow sampling, an sFlow agent analyzes the packets including the packet content and forwarding rule, and encapsulates the original packets and parsing result into sFlow packets. The sFlow agent then sends the sFlow packets to an sFlow collector. In counter sampling, an sFlow agent periodically collects traffic statistics on an interface, CPU usage, and memory usage.

sFlow focuses on traffic on an interface, traffic forwarding, and device running. Therefore, sFlow can be used to monitor and diagnose network exceptions. The sFlow collector displays traffic statistics in a report, facilitating preventive maintenance on enterprise networks, especially for enterprises that do not have specialized network administrators.

Currently, devices support only flow sampling.

Benefits

sFlow is comparable to NetStream. In NetStream, network devices collect and analyze traffic statistics. The devices save these statistics to a buffer and export them when they expire or when the buffer overflows. sFlow does not require a flow table. In sFlow, network devices only sample packets, and a remote collector collects and analyzes traffic statistics.

sFlow has the following advantages over NetStream:

  • Fewer resources and lower costs. sFlow requires no flow table and uses only a small number of network devices, lowering costs.
  • Flexible collector deployment. The collector can be deployed flexibly, enabling traffic statistics to be collected and analyzed according to various traffic characteristics.

Understanding sFlow

Architecture of an sFlow System

As shown in Figure 1-4268, the sFlow system involves an sFlow agent embedded in a device and a remote sFlow collector. The sFlow agent obtains traffic statistics from an interface using sampling and encapsulates the statistics into sFlow packets. When an sFlow packet buffer overflows or an sFlow packet expires (expiry period of 1 second), the agent sends the sFlow packets to the collector. The collector analyzes these sFlow packets and displays traffic statistics in a report.

Figure 1-4268 sFlow system

An sFlow agent is usually deployed on a network device. This section describes its implementation.

An sFlow collector is a PC or server that receives sFlow packets from an sFlow agent. The client software, for example, sFlow Trend, must be installed on an sFlow collector to analyze sFlow packets. To obtain the sFlow Trend client and download the usage guide, visit www.sflow.org.

sFlow Packet Format

Figure 1-4268 shows the sFlow packet format. sFlow packets are encapsulated in UDP packets. By default, sFlow packets are transmitted by known port 6343. sFlow packets use the following packet header formats:
  • Flow sample
  • Expanded Flow sample
  • Counter sample
  • Expanded Counter sample
Expanded Flow sample and Expanded Counter sample are extensions to Flow sample and Counter sample, respectively. They are new in sFlow version 5 and incompatible with earlier versions. All expanded sampling packets must be encapsulated with the expanded sampling packet header.

Currently, devices support only sFlow version 5.

sFlow Sampling

An sFlow agent provides flow sampling and counter sampling.

Currently, devices support only flow sampling.

Flow sampling

With flow sampling, an agent samples ingress packets, egress packets, or both on an interface based on a sampling rate, and parses the packets to obtain information about packet data content. Table 1-1414 describes the main fields in flow sampling packets. Data in these fields is encapsulated into an sFlow packet and then sent to a collector. Flow sampling focuses on traffic attributes to monitor and parse traffic behaviors on the network. Flow sampling samples packets on an interface, and currently supports only random sampling. In random sampling mode, every N packets are sampled randomly.

Table 1-1414 Main fields in flow sampling packets

Field

Description

Raw Packet Header

Records the entire packet or part of the packet header.

Ethernet Frame Data

Analyzes Ethernet headers in Ethernet frames.

IPv4 Data

Analyzes IPv4 headers in IPv4 packets.

IPv6 Data

Analyzes IPv6 headers in IPv6 packets.

Extended Switch Data

Records VLAN translation and 802.1Q priority mapping information in Ethernet frames. VLAN ID 0 indicates an invalid VLAN.

Extended Router Data

Records routing information for packets.

Extended Gateway Data

Records BGP routing information for packets.

Counter sampling

With counter sampling, an agent periodically obtains traffic statistics on an interface. Table 1-1415 describes the main fields in counter sampling packets. Compared with flow sampling, counter sampling focuses on traffic statistics on an interface rather than traffic attributes.

Table 1-1415 Main fields in counter sampling packets

Field

Description

Generic Interface Counters

Records basic information and traffic statistics on an interface.

Ethernet Interface Counters

Records traffic statistics on an Ethernet interface.

Processor Information

Records CPU usage and memory usage of a device.

Flow sampling and counter sampling are independent of each other. Flow sampling obtains information about flows of a specified service, whereas counter sampling obtains traffic statistics on an interface. You can configure either or both sampling modes.

Application Scenarios for sFlow

To monitor enterprise networks, maintenance personnel often use traffic monitoring techniques.

Users of these networks often have specific requirements for traffic on an interface and expect devices to be reliable. Therefore, enterprises require a traffic monitoring technique on device interfaces to promptly identify traffic anomalies and the source of attack traffic so that they can quickly rectify faults to ensure network stability. sFlow collects traffic, forwarding, and device status information to enable real-time network monitoring and fault location on enterprise networks.

As shown in Figure 1-4269, an sFlow agent is connected to an sFlow collector so that traffic statistics can be collected and analyzed based on interfaces.

Figure 1-4269 Networking diagram for sFlow application

Terminology for sFlow

Terms

Term

Definition

sFlow agent

A network device running sFlow agent software. An sFlow agent collects traffic statistics and sends the traffic statistics to an sFlow collector.

sFlow collector

A device that receives sFlow packets from sFlow agents and displays traffic in icons or reports.

Acronyms and Abbreviations

Acronym and Abbreviation

Full Name

sFlow

Sampled Flow

sFlow Configuration

This chapter provides an overview of Sampled Flow (sFlow) and describes how to configure this traffic monitoring technology.

Overview of sFlow

Definition

Sampled Flow (sFlow) is a traffic monitoring technology that collects and analyzes traffic statistics based on packet sampling.

Purpose

Enterprise networks are generally smaller and more flexible than carrier networks. However, they are often prone to attacks and service exceptions. To help ensure network stability, enterprises require a traffic monitoring technique that can promptly identify traffic anomalies and the source of attack traffic, allowing them to quickly rectify faults.

sFlow is developed to meet the preceding requirement. sFlow is an interface-based traffic analysis technique that collects packets on an interface based on the sampling rate. In flow sampling, an sFlow agent analyzes the packets including the packet content and forwarding rule, and encapsulates the original packets and parsing result into sFlow packets. The sFlow agent then sends the sFlow packets to an sFlow collector. In counter sampling, an sFlow agent periodically collects traffic statistics on an interface, CPU usage, and memory usage.

sFlow focuses on traffic on an interface, traffic forwarding, and device running. Therefore, sFlow can be used to monitor and diagnose network exceptions. The sFlow collector displays traffic statistics in a report, facilitating preventive maintenance on enterprise networks, especially for enterprises that do not have specialized network administrators.

Currently, devices support only flow sampling.

Benefits

sFlow is comparable to NetStream. In NetStream, network devices collect and analyze traffic statistics. The devices save these statistics to a buffer and export them when they expire or when the buffer overflows. sFlow does not require a flow table. In sFlow, network devices only sample packets, and a remote collector collects and analyzes traffic statistics.

sFlow has the following advantages over NetStream:

  • Fewer resources and lower costs. sFlow requires no flow table and uses only a small number of network devices, lowering costs.
  • Flexible collector deployment. The collector can be deployed flexibly, enabling traffic statistics to be collected and analyzed according to various traffic characteristics.

Configuration Precautions for sFlow

Feature Requirements

Table 1-1416 Feature requirements

Feature Requirements

Series

Models

IPv4 private network routes and IPv6 private network routes support multi-PE load balancing. Route information is missing in the data sampled.

NetEngine 8000 M

NetEngine 8000 M14/NetEngine 8000 M14K/NetEngine 8000 M4/NetEngine 8000 M8/NetEngine 8000 M8K/NetEngine 8000E M14/NetEngine 8000E M8

sFlow sampling and NetStream sampling are mutually exclusive. Avoid this scenario during service planning. Otherwise, no sampling result is obtained.

NetEngine 8000 M

NetEngine 8000 M14/NetEngine 8000 M14K/NetEngine 8000 M4/NetEngine 8000 M8/NetEngine 8000 M8K/NetEngine 8000E M14/NetEngine 8000E M8

sFlow applies only to physical Ethernet interfaces and their sub-interfaces, and Eth-Trunk interfaces and their sub-interfaces.

NetEngine 8000 M

NetEngine 8000 M14/NetEngine 8000 M14K/NetEngine 8000 M4/NetEngine 8000 M8/NetEngine 8000 M8K/NetEngine 8000E M14/NetEngine 8000E M8

SR-MPLS TE does not support downstream sampling on the ingress PE.

NetEngine 8000 M

NetEngine 8000 M14/NetEngine 8000 M14K/NetEngine 8000 M4/NetEngine 8000 M8/NetEngine 8000 M8K/NetEngine 8000E M14/NetEngine 8000E M8

Configuring sFlow

Configuring sFlow Agent and Collector Information

Prerequisites

Before configuring sFlow, you have completed the following tasks:

  • Ensure that there are reachable routes between the sFlow agent and collector.
  • Create a VPN instance if the sFlow agent and collector are deployed on a private network.

Context

During sFlow configuration, you must create an sFlow collector and specify its address as the destination address for sFlow packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run sflow

    The sFlow view is displayed.

  3. Run sflow agent { ip ip-address | ipv6 ipv6-address }

    An IP address is configured for the sFlow agent.

    The address specified by ip-address must be a valid unicast address that has been configured on an interface of the device. The address specified by ipv6-address must be a global unicast address (it cannot be a link-local address).

  4. (Optional) Run sflow export extended-route-data disable

    The sFlow agent is disabled from collecting routing information.

  5. Run sflow collector collector-id

    An sFlow collector is configured.

    Up to two sFlow collectors can be configured in each VS.

  6. Run sflow server { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] [ udp-port port ]

    A destination address is specified for sFlow packets.

  7. (Optional) Run sflow max-packet-length length

    The maximum length of sFlow packets is set.

  8. Run commit

    The configuration is committed.

Configuring Flow Sampling

Flow sampling is based on data packets. An sFlow agent samples packets in a given direction on a specified interface based on a sampling rate. It then encapsulates the analysis result into sFlow packets and sends them to an sFlow collector.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run sflow enable

    sFlow is enabled on the board in the slot.

  4. Run commit

    The configuration is committed.

  5. Run quit

    Return to the system view.

  6. Run interface interface-type interface-number

    The interface view is displayed.

  7. Run sflow flow-sampling collector collector-id [ secondary secondary-collector-id ] { inbound | outbound }

    Flow sampling is enabled on the interface, and an sFlow agent is configured to send flow sampling data to a specified collector.

  8. Run sflow flow-sampling rate rate { inbound | outbound }

    A sampling rate is configured for the interface.

  9. Run commit

    The configuration is committed.

Verifying the sFlow Configuration

Prerequisites

sFlow has been configured.

Procedure

  1. Run the display sflow configuration command to check global sFlow configurations.
  2. Run the display sflow interface interface-type interface-number command to check the sFlow configuration on a specified interface.
  3. Run the display sflow packet statistics [ interface interface-type interface-number ] slot slot-id command to check statistics about sFlow packets sent on a specified interface or sFlow packets sent and received on a specified board.

Configuration Examples for sFlow

This section provides sFlow configuration examples.

Networking Requirements

As shown in Figure 1-4270, traffic between network 1 and network 2 is exchanged through device A. Maintenance personnel need to monitor the traffic on interface 2 and devices to identify traffic anomalies and ensure normal operation on network 1.

Figure 1-4270 sFlow network diagram

In this example:

  • Interface 1 is GE 0/1/1.
  • Interface 2 is GE 0/1/2.
  • Interface 3 is GE 0/1/3.

Configuration Roadmap

To configure sFlow, configure device A as an sFlow agent and enable Flow sampling on interface 2 so that the agent collects traffic statistics. The agent encapsulates traffic statistics into sFlow packets and sends the sFlow packets from interface 1 to the sFlow collector. The collector displays the traffic statistics based on information in the received sFlow packets.

The configuration roadmap is as follows:

  1. Assign an IP address to each interface.
  2. Configure sFlow agent and collector information on the device.
  3. Configure flow sampling on interface 2.

Procedure

  1. Assign an IP address to each interface of device A.

    <DeviceA> system-view
    [~DeviceA] interface GigabitEthernet 0/1/1
    [~DeviceA-GigabitEthernet0/1/1] ip address 10.1.10.1 24
    [*DeviceA-GigabitEthernet0/1/1] commit
    [~DeviceA] interface GigabitEthernet 0/1/2
    [~DeviceA-GigabitEthernet0/1/2] ip address 10.1.20.1 24
    [*DeviceA-GigabitEthernet0/1/2] commit
    [~DeviceA] interface GigabitEthernet 0/1/3
    [~DeviceA-GigabitEthernet0/1/3] ip address 10.1.30.1 24
    [*DeviceA-GigabitEthernet0/1/3] commit
    [~DeviceA-GigabitEthernet0/1/3] quit

  2. Configure sFlow agent and collector information.

    # Configure an IP address for an sFlow agent.

    [~DeviceA] sflow
    [~DeviceA-sflow] sflow agent ip 10.1.10.1
    [*DeviceA-sflow] commit

    # Configure sFlow collector information.

    [~DeviceA-sflow] sflow collector 2
    [*DeviceA-sflow-collector-2] commit
    [~DeviceA-sflow-collector-2] sflow server ip 10.1.10.2
    [*DeviceA-sflow-collector-2] commit
    [~DeviceA-sflow-collector-2] quit
    [~DeviceA-sflow] quit

  3. Enable sFlow on a specified board.

    [~DeviceA] slot 9
    [~DeviceA-slot-9] sflow enable
    [*DeviceA-slot-9] commit
    [*DeviceA-slot-9] quit

  4. Configure flow sampling.

    [~DeviceA] interface GigabitEthernet 0/1/2
    [~DeviceA-GigabitEthernet0/1/2] sflow flow-sampling collector 2 inbound
    [*DeviceA-GigabitEthernet0/1/2] commit
    [~DeviceA-GigabitEthernet0/1/2] sflow flow-sampling rate 4000 inbound
    [*DeviceA-GigabitEthernet0/1/2] commit
    [~DeviceA-GigabitEthernet0/1/2] quit

  5. Verify the configuration.

    [~DeviceA] display sflow configuration
sflow
 sflow agent ip 10.1.10.1
 sflow collector 2
  sflow server ip 10.1.10.2
slot 9
 sflow enable
interface GigabitEthernet0/1/2
 sflow flow-sampling collector 2 inbound
 sflow flow-sampling rate 4000 inbound

Configuration Files

Device A configuration file

#
sysname DeviceA
#
interface GigabitEthernet0/1/1
ip address 10.1.10.1 255.255.255.0
#
interface GigabitEthernet0/1/2
ip address 10.1.20.1 255.255.255.0
#
interface GigabitEthernet0/1/3
ip address 10.1.30.1 255.255.255.0
#
sflow
sflow agent ip 10.1.10.1
sflow collector 2
sflow server ip 10.1.10.2
slot 9
sflow enable
#
interface GigabitEthernet0/1/2
sflow flow-sampling collector 2 inbound
sflow flow-sampling rate 4000 inbound
#
return
Translation
Favorite
Download
Update Date:2022-11-29
Document ID:EDOC1100279274
Views:348611
Downloads:1869
Average rating:3.0Points

Related Documents

Digital Signature File

digtal sigature tool