2. sFlow

2.1. Overview

sFlow is used to monitor data traffic flows traversing different points in a network. The sFlow functionality uses an sFlow agent and an sFlow collector. The agent is software that runs on a network element and samples and reports flow headers and statistics. The collector is software that typically runs on a remote server and receives the flow headers and statistics from one or more sFlow agents.

Sampling and reporting is accomplished as the sFlow agent running on a network element takes periodic samples of ingress traffic and reports the data to one or more collectors. The network element does not need to maintain a local flow cache. Instead, the sampled header information is immediately sent to the collector without additional processing.

The SR Linux supports sFlow version 5 behavior and formats.

Note:

sFlow is not supported on 7220 IXR-D1 systems.

2.1.1. sFlow sampling

sFlow works by sampling flow data and reporting the samples to the configured sFlow collectors. Based on the configured system sampling rate, the forwarding plane samples ingress packet flows and sends the sampled headers to the sFlow agent in the control plane.

All ingress packets are subject to sampling. Each sample includes the top 256 bytes of the sampled packet, starting at the outer Ethernet header. The sampled packets are sent to the configured sFlow collectors with the sampled data in sFlow raw packet data format.

For sampled IPv4 packets, the IPv4 header data fields are sent with the raw data. For sampled IPv6 packets, the IPv6 header data fields are sent with the raw data.

2.1.2. sFlow collector reporting

sFlow reports sampled headers and statistics to the configured collectors using IP/UDP datagrams. UDP port 6343 is the default destination port, but you can optionally configure a different port. Sampled packets are sent as soon as the samples are taken, and interface statistics are sent based on the configured poll-interval (default 2 seconds). SR Linux supports up to 8 remote sFlow collectors. Each collector can only have one IPv4 address.

2.2. Configuring sFlow

2.2.1. Configuring the sFlow agent

To configure the sFlow agent on the system, you enable sFlow, optionally configure the sampling rate (by default, 1 out of every 10,000 packets), and sample size (by default, 256 bytes are sampled from each packet).

Example:

The following example enables sFlow on the system and configures the system sampling rate and sample size.

--{ * candidate shared }--[ ]--

system {

sflow {

admin-state enable

sample-rate 15000

sample-size 256

}

2.2.2. Configuring sFlow collectors

The sFlow agent sends sampled packets to sFlow collectors. You can configure up to 8 sFlow collectors to receive the data. To configure an sFlow collector, you specify its IP address, associated network instance, and IP address to be used as the source IP address in sFlow packets sent from the SR Linux to the collector. You can optionally specify a destination port (by default, this is UDP port 6343).

Note:

Configuring a network-instance is mandatory. Also, a collector cannot be reached using the mgmt network-instance.

Example:

The following example configures two sFlow collectors. The IP address for each collector is configured, as well as its network instance and source IP address. Each collector receives all samples.

--{ * candidate shared }--[ ]--

system {

sflow {

collector 1 {

collector-address 1.3.4.4

source-address 2.2.2.2

network-instance default

collector 2 {

collector-address 2.3.4.4

source-address 2.3.2.2

network-instance default

port 4310

}

2.2.3. Configuring sFlow for an interface

When sFlow is configured for an interface, the ingress packets are taken for sampling according to the sample-rate.

Example:

The following example enables sFlow on an interface.

--{ * candidate shared }--[ ]--

interface ethernet-1/1 {

sflow {

admin-state enable

}

2.3. Displaying sFlow information

2.3.1. Viewing the state of the sFlow agent

To display the system-wide state of the sFlow agent, including any sFlow parameters, collector configuration, and general statistics, use the info from state command in candidate or running mode, or the info command in state mode.

Example:

--{ running }--[ ]--

# info from state system sflow

system {

sflow {

admin-state enable

sample-rate 8000

sample-size 256

collector 1 {

collector-address 10.1.1.1

network-instance default

source-address 1.2.3.4

port 6343

}

statistics {

total-samples-taken 0

total-sent-packets 0

}

2.3.2. Viewing the status of the sFlow agent

Use the show system sflow status command in show mode to display the general status of the sFlow agent:

Example:

--{ running }--[ ]--

# enter show

# show system sflow status

-------------------------------------

Admin State : enable

Sample Rate : 10000

Sample Size : 256

Total Samples : 0

Total Collector Packets: 3269158

-------------------------------------

collector-id : 8

collector-address: 172.10.10.10

network-instance : default

source-address : 10.0.0.1

port : 6343

next-hop : 18.7.8.1

-------------------------------------

2.4. sFlow formats

Figure 1 shows an example of a raw packet header for an sFlow format.

Figure 1: Raw packet header

2.5. Sampled data example

The following is an example of sampled data:

InMon sFlow

Datagram version: 5

Agent address type: IPv4 (1)

Agent address: 0.0.0.0

Sub-agent ID: 2

Sequence number: 0

SysUptime: 0

NumSamples: 1

Flow sample, seq 0

0000 0000 0000 0000 0000 .... .... .... = Enterprise: standard sFlow (0)

.... .... .... .... .... 0000 0000 0001 = sFlow sample type: Flow sample (1)

Sample length (byte): 141

Sequence number: 0

0000 0000 .... .... .... .... .... .... = Source ID class: 0

.... .... 0000 0000 0000 0000 0011 0110 = Index: 54

Sampling rate: 1 out of 5 packets

Sample pool: 0 total packets

Dropped packets: 0

Input interface (ifIndex): 54

.000 0000 0000 0000 0000 0000 0011 0110 = Output interface (ifIndex): 54

Flow record: 1

Raw packet header

0000 0000 0000 0000 0000 .... .... .... = Enterprise: standard sFlow (0)

Format: Raw packet header (1)

Flow data length (byte): 101

Header protocol: Ethernet (1)

Frame Length: 98

Payload removed: 0

Original packet length: 85

Header of sampled packet:

000c00020000000000111111080045000052000000004006...

Ethernet II, Src: 00:00:00_11:11:11 (00:00:00:11:11:11),

Dst: BebIndus_02:00:00 (00:0c:00:02:00:00)

Destination: BebIndus_02:00:00 (00:0c:00:02:00:00)

Source: 00:00:00_11:11:11 (00:00:00:11:11:11)

Type: IPv4 (0x0800)

Internet Protocol Version 4, Src: 10.100.1.2, Dst: 10.1.1.2

0100 .... = Version: 4

.... 0101 = Header Length: 20 bytes (5)

Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)

Total Length: 82

Identification: 0x0000 (0)

Flags: 0x00

Fragment offset: 0

Time to live: 64

Protocol: TCP (6)

Header checksum: 0x35a1 [validation disabled]

[Header checksum status: Unverified]

Source: 10.100.1.2

Destination: 10.1.1.2767689

[Source GeoIP: Unknown]

[Destination GeoIP: Unknown]

Transmission Control Protocol, Src Port: 0, Dst Port: 0, Seq: 0

LBT-TCP Protocol

LBMC Protocol

[Unreassembled Packet: LBT-TCP]