sflow extreme (1)
TRANSCRIPT
-
8/7/2019 SFlow Extreme (1)
1/5
Extreme Networks White Paper
Making the Network Visible With sFlow
Abstract
The objective o this white paper is to present the sFlow trafc
sampling technology and Extreme Networks sFlow implementa-
tion on the Ethernet switch products. sFlow will provide the great
visibility in the network by its sampling technology to monitor the
network status. By providing complete visibility into the network
usage o todays high-speed and complex networks, you will be
able to eectively control and manage network usage, helping to
ensure that network services provide a competitive advantage.
2006 Extreme Networks, Inc. All rights reserved. Do not reproduce.
-
8/7/2019 SFlow Extreme (1)
2/5Network sFlow Page
Extreme Networks White Paper
Trafc Monitoring using sFlow
With the ever-increasing reliance on network services or
business critical applications, the smallest change in
network usage can impact the perormance and reliability o
a network. This has a direct impact on the ability o a
company to conduct key business unctions and on the cost
o maintaining network services. Thereore, it is importantto monitor the network trac in order to keep the network
operating reliably and at the right perormance level.
sFlow is a sampling technology that meets the key require-
ments or a network trac monitoring solution:
sFlow provides a network-wide view o usage and
active routes. It is a scalable technique or measuring
network trac, collecting, storing, and analyzing
trac data. This enables tens o thousands o
interaces to be monitored rom a single location.
sFlow is scalable thereby enabling it to monitor links
o speeds up to 10 Gigabits per Second (Gbps) and
beyond without impacting the perormance o core
Internet routers and switches, and without adding
signicant network load.
sFlow is an industry standard with a growing number
o vendors delivering products with sFlow support.
By providing unprecedented visibility into network usage
and active routes o even todays high-speed and complex
networks, sFlow provides the data required to eectively
control and manage network usage, ensuring that network
services provide a competitive advantage.
Applications o sFlow data include:
Detecting, diagnosing, and xing network problems
Real-time congestion management
Understanding application mix (e.g. P2P, Web, DNS
etc) and changes
Usage accounting or billing and charge-back
Audit trail analysis to identiy unauthorized network
activity and trace the sources o denial-o-service
attacks
Route proling and peering optimization
Trending and capacity planning.
Extreme Networks has added support or the sFlow
protocol to its switching product line because o the need
or increased visibility into network trac, even at very high
speeds such as 10 Gbps.
-
-
-
-
-
-
-
-
-
-
A Brie History o Packet Sampling
Packet sampling has been used to monitor network trac
or over ten years. Hewlett-Packard rst demonstrated
network-wide monitoring using packet sampling o the
University o Geneva and CERN networks at Telecom 91.
This was ollowed up with the introduction o networking
products with embedded packet sampling capabilityHPExtended RMONin 1993.
However, broad acceptance o this technique is only just
starting, driven by the introduction o higher speed
networks and the transition rom shared to switched
networks. Packet based sampling as an embedded network
trac monitoring technique is now compelling. In a
switched environment, the most eective place to monitor
trac is within the switch/router, where all the trac will
be seen. Traditional probes will only have a partial view o
trac. However, a trac monitoring solution embedded
within a switch or router must not impact orwarding
perormance. Switches and routers with embedded sFlow
sampling technology have been available since 2001. This
solution provides detailed and quantitative trac measure-
ments, at gigabit speeds, gives insight into orwarding
decisions, and does not impact orwarding or network
perormance.
sFlow Technology Overview
sFlow provides the ability to continuously monitor applica-
tion level trac fows at wire speed on all interaces
simultaneously.
2006 Extreme Networks, Inc. All rights reserved. Do not reproduce.
Switch/Router
sFlow Diagram
InterfaceCounters
Management
Switching/Routing ASICs
FlowSamples
sFlowAgent
Flow Sampling
Figure 1: sFlow Agent Embedded in Switch/Router
Total_Packets = 0Total_Packets = 0Skip = NextSkip(Rate)
Wait for Packet
Assign DestinationInterface
Decrement_SkipIncrement Total_Packages
ExcludePacket?
Skip = 0?
Yes
Yes
No
No
Send Packet toDestination Interface
Send copy of Sampled
Packet, Source Interface,Destination Interface,Total_Samples and
Total_Packets to Agents
Skip = NextSkip(Rate)Increment Total_Samples
-
8/7/2019 SFlow Extreme (1)
3/5
Extreme Networks White Paper
The sFlow Agent is a sotware process that runs as part o
the network management sotware within a device (see
Figure 2). It combines interace counters and fow samples
into sFlow datagrams that are sent across the network to an
sFlow Collector. The state o the orwarding/routing table
entries associated with each sampled packet is also
recorded.
The sFlow Agent does very little processing. It simply
packages data into sFlow Datagrams that are immediately
sent on the network. Immediate orwarding o data
minimizes memory and CPU requirements associated with
the sFlow Agent.
Figure 2 shows the basic elements o the sFlow system.
sFlow Agents throughout the network continuously senda stream o sFlow Datagrams to a central sFlow Collector
where they are analyzed to produce a rich, real-time,
network-wide view o trac fows. sFlow monitoring o
high-speed, routed and switched networks has the
ollowing properties:
AccurateThe sFlow system is designed so that the
accuracy o any measurement can be determined.
Other trac fow measurement technologies clip
under heavy loads resulting in errors that are
dicult to quantiy.
-
DetailedComplete packet header and switching/
routing inormation permits detailed analysis o Layer
2-Layer 7 trac fows.
ScalableThe sFlow system is scalable in both the
size and speed o the network it can monitor. sFlow is
capable o monitoring networks at 10Gbps, 100Gbps
and beyond. Thousands o devices can be monitored
by a single sFlow Collector.
Low CostThe sFlow Agent is very simple to
implement and adds negligible cost to a switch or
router.
TimelyThe sFlow Collector always has an up to the
minute view o trac throughout the entire network.
Timely inormation is particularly important i the
trac data is needed to provide real-time controls,
or example to manage quality o service or to deend
against a denial o service attack.
Using sFlow
Using sFlow to continuously monitor trac fows on all
ports gives network-wide visibility into the use o the
network. This visibility replaces guesswork, undamen-
tally changing the way that network services are man-
aged.
Troubleshooting Network Problems
Any use o a network generates trac. Consequently,
problems are oten rst observable in abnormal trac
patterns. sFlow makes these abnormal trac patterns
visible with sucient detail to enable rapid identication,
diagnosis, and correction.
Controlling Congestion
By monitoring trac fows on all ports continuously,
sFlow can be used to instantly highlight congested links,
identiy the source o the trac, and the associated
application level conversations. sFlow provides the
necessary inormation to determine eective controls,
or example which trac to rate control or prioritize or
where to provision more bandwidth.
Security and Audit Trail Analysis
Gartner estimates that 70% o security incidents thatactually cause loss to enterprises involve insiders, while
service providers and other organizations are constantly
bombarded with various external attacks. A comprehen-
sive security strategy involves protecting the network
rom external and internal misuse and inormation assets
rom thet.
Since attacks and security threats will come rom
unknown sources, eective security monitoring requires
complete network surveillance, with alerts to suspicious
activity. sFlow provides this blanket audit trail, or the
whole network. The continuous network-wide surveillance
-
-
-
-
2006 Extreme Networks, Inc. All rights reserved. Do not reproduce.
Figure 2: sFlow Agents and Collector
Traffic Data
Analysis
sFlow DatagramssFlow Agents
sFlow Page 2
-
8/7/2019 SFlow Extreme (1)
4/5
Extreme Networks White Paper
and route tracing inormation provided by sFlow
allows internal and externally sourced security
threats and attacks to be rapidly traced and con-
trolled. When sFlow is used to build a detailed trac
history a baseline o normal behavior is established,
rom which anomalies can be detected and suspicious
activity identied.
By giving visibility into real-time and historical
network-wide usage, sFlow can be used to prevent
intentional attacks, minimize unintentional mistakes,
and protect inormation assets.
Availability
sFlow solutions consist o:ExtremeXOS powered switches running Extre-
meXOS 11.0 or greater
A sotware application that receives and analyzes
sFlow data
The ollowing platorms support hardware-basedsampling at a programmed interval:
BlackDiamond 10808 switch
BlackDiamond 8800 e-series modules
BlackDiamond 8800 a-series modules
Summit X450e series switches
Summit X450a series switches
With hardware-based sampling, the data path or apacket that traverses the switch does not require
processing by the CPU. Fast path packets are handled
entirely by ASICs and are orwarded at wire-speed
rate.
Hardware based sampling enables more accurate
inormation correction by having the more samples to
be used and provides better scalability and security
under conditions such as high trac load.
A number o sotware applications take advantage o
the sFlow network trac monitoring capability inthese switches. These applications provide a variety
o solutions including congestion control and trouble-
shooting, route proling, audit trail security analysis
and accounting or billing.
A ull list o sFlow solutions can be ound at
www.sFlow.org
-
-
Appendix A: Confguring sFlow inExtremeWare and ExtremeXOS
Confguring sFlow
ExtremeWare and ExtremeXOS allow the collection
o sFlow statistics on a per port basis. An agent,
residing in the switch, sends data to the collector,
typically a Windows or Linux server.
Appendix A explains how you congure sFlow on
ExtremeXOS system.
To congure sFlow on a switch, you must do the
ollowing tasks:
Congure the local agent
Congure the addresses o the remote collectors
Enable sFlow globally on the switch
Enable sFlow on the desired ports
Optionally, you may also change the deault values o
the ollowing items:
How oten the statistics are collected
How requently a sample is taken, globally or per port
How many samples per second can be sent to the CPU
Confguring the Remote Collector Address
You can speciy up to our remote collectors to send the
sFlow data to. Typically, you would congure the IP address
o each collector. You may also speciy a UDP port numberdierent rom the deault value o 6343, and/or a virtual
router dierent rom the deault o VR-Mgmt. When you
congure a collector, the system creates a database entry
or that collector that remains until the collector is uncon-
gured. All the congured collectors are displayed in the
show sfow {congure} command. To congure the remote
collector, use the ollowing command:
To uncongure the remote collector and remove it rom the
database, use the ollowing command:
2006 Extreme Networks, Inc. All rights reserved. Do not reproduce. sFlow Page
configure sflow collector {ipaddress}
{port }
{vr }
unconfigure sflow collector {ipaddress}
{port }
{vr }
-
8/7/2019 SFlow Extreme (1)
5/5
Extreme Networks White Paper
Additional sFlow Confguration Options
You can congure three global options to dierent values
rom the deaults. These options aect how requently the
sFlow data is sent to the remote collector, how requently
packets are sample and the maximum number o sFlow
samples that could be processed in the CPU per second.
You can also congure how requently packets are sampled
per port.
Polling Interval
Each port counter is periodically polled to gather the
statistics to send to the collector. I there is more than one
counter to be polled, the polling is distributed in such a way
that each counter is visited once during each polling
interval, and the data fows are spaced in time. For example,
assume that the polling interval is 20 seconds and there are
40 counters to poll. Two ports will be polled each second,
until all 40 are polled. To congure the polling interval, use
the ollowing command:
Global Sampling Rate
The deault sample rate is 8192, so by deault sFlow
samples one packet out o every 8192 received. This can be
changed with the ollowing command:
Per Port Sampling RateThe per port sampling rate overrides the system-wide value
set in the congure sfow sample-rate command. The rate is
rounded o to the next power o two, so i 400 is specied,
the sample rate is congured as 512. The valid range is 1 to
536870912. To set the sampling rate on individual ports, use
the ollowing command:
Displaying sFlow Inormation
To display the current conguration o sFlow, use the
ollowing command:
To display the sFlow statistics, use the ollowing command:
configure sflow poll-interval
configure sflow sample-rate
www.extremenetworks.com email: [email protected]
Corporate
and North America
Extreme Networks, Inc.
585 Monroe Street,
Santa Clara, CA 9505 USA
Phone + 408 579 2800
Europe, Middle East, Arica
and South America
Phone + 0 800 500
Asia Pacifc
Phone +852 257 2
Japan
Phone +8 5842 40
2006 Extreme Networks, Inc. All rights reser ved. Do not reproduce.
Extreme Networks, the Extreme Networks Logo, BlackDiamond, ExtremeWare, ExtremeXOS and Summit are either registered trademarks or
trademarks o Extreme Networks, Inc. in the United States and/or other countries. sFlow is a registered trademark o sFlow.org.
Specifcations are subject to change without notice.
247_0 07/06 sFlow White Paper
show sflow configuration
configure sflow sample-rate
show sflow statistics