sflow extreme (1)

Upload: alexandr-martynjuk

Post on 08-Apr-2018


  • 8/7/2019 SFlow Extreme (1)


    Extreme Networks White Paper

    Making the Network Visible With sFlow

    Abstract

    The objective of this white paper is to present the sFlow traffic sampling technology and the Extreme Networks sFlow implementation on its Ethernet switch products. sFlow's sampling technology provides great visibility into the network for monitoring network status. By providing complete visibility into the network usage of today's high-speed and complex networks, it lets you effectively control and manage network usage, helping to ensure that network services provide a competitive advantage.

    2006 Extreme Networks, Inc. All rights reserved. Do not reproduce.


    Traffic Monitoring using sFlow

    With the ever-increasing reliance on network services for business critical applications, the smallest change in network usage can impact the performance and reliability of a network. This has a direct impact on the ability of a company to conduct key business functions and on the cost of maintaining network services. Therefore, it is important to monitor the network traffic in order to keep the network operating reliably and at the right performance level.

    sFlow is a sampling technology that meets the key requirements for a network traffic monitoring solution:

    - sFlow provides a network-wide view of usage and active routes. It is a scalable technique for measuring network traffic, collecting, storing, and analyzing traffic data. This enables tens of thousands of interfaces to be monitored from a single location.
    - sFlow is scalable, thereby enabling it to monitor links of speeds up to 10 Gigabits per second (Gbps) and beyond without impacting the performance of core Internet routers and switches, and without adding significant network load.
    - sFlow is an industry standard with a growing number of vendors delivering products with sFlow support.

    By providing unprecedented visibility into network usage and active routes of even today's high-speed and complex networks, sFlow provides the data required to effectively control and manage network usage, ensuring that network services provide a competitive advantage.

    Applications of sFlow data include:

    - Detecting, diagnosing, and fixing network problems
    - Real-time congestion management
    - Understanding application mix (e.g. P2P, Web, DNS etc.) and changes
    - Usage accounting for billing and charge-back
    - Audit trail analysis to identify unauthorized network activity and trace the sources of denial-of-service attacks
    - Route profiling and peering optimization
    - Trending and capacity planning.

    Extreme Networks has added support for the sFlow protocol to its switching product line because of the need for increased visibility into network traffic, even at very high speeds such as 10 Gbps.

    A Brief History of Packet Sampling

    Packet sampling has been used to monitor network traffic for over ten years. Hewlett-Packard first demonstrated network-wide monitoring using packet sampling of the University of Geneva and CERN networks at Telecom 91. This was followed up with the introduction of networking products with embedded packet sampling capability (HP Extended RMON) in 1993.

    However, broad acceptance of this technique is only just starting, driven by the introduction of higher speed networks and the transition from shared to switched networks. Packet based sampling as an embedded network traffic monitoring technique is now compelling. In a switched environment, the most effective place to monitor traffic is within the switch/router, where all the traffic will be seen. Traditional probes will only have a partial view of traffic. However, a traffic monitoring solution embedded within a switch or router must not impact forwarding performance. Switches and routers with embedded sFlow sampling technology have been available since 2001. This solution provides detailed and quantitative traffic measurements at gigabit speeds, gives insight into forwarding decisions, and does not impact forwarding or network performance.

    sFlow Technology Overview

    sFlow provides the ability to continuously monitor application level traffic flows at wire speed on all interfaces simultaneously.

    [Figure 1: sFlow Agent Embedded in Switch/Router. Diagram labels: Switch/Router, Switching/Routing ASICs, Flow Sampling, Flow Samples, Interface Counters, sFlow Agent, Management.]

    [Flow sampling flowchart. Box labels: Total_Packets = 0, Skip = NextSkip(Rate); Wait for Packet; Assign Destination Interface; Exclude Packet? (Yes/No); Decrement Skip, Increment Total_Packets; Skip = 0? (Yes/No); Send Packet to Destination Interface; Send copy of Sampled Packet, Source Interface, Destination Interface, Total_Samples and Total_Packets to Agents; Skip = NextSkip(Rate), Increment Total_Samples.]


    The sFlow Agent is a software process that runs as part of the network management software within a device (see Figure 2). It combines interface counters and flow samples into sFlow datagrams that are sent across the network to an sFlow Collector. The state of the forwarding/routing table entries associated with each sampled packet is also recorded.

    The sFlow Agent does very little processing. It simply packages data into sFlow Datagrams that are immediately sent on the network. Immediate forwarding of data minimizes memory and CPU requirements associated with the sFlow Agent.

    Figure 2 shows the basic elements of the sFlow system. sFlow Agents throughout the network continuously send a stream of sFlow Datagrams to a central sFlow Collector where they are analyzed to produce a rich, real-time, network-wide view of traffic flows. sFlow monitoring of high-speed, routed and switched networks has the following properties:

    - Accurate: The sFlow system is designed so that the accuracy of any measurement can be determined. Other traffic flow measurement technologies clip under heavy loads, resulting in errors that are difficult to quantify.
    - Detailed: Complete packet header and switching/routing information permits detailed analysis of Layer 2-Layer 7 traffic flows.
    - Scalable: The sFlow system is scalable in both the size and speed of the network it can monitor. sFlow is capable of monitoring networks at 10 Gbps, 100 Gbps and beyond. Thousands of devices can be monitored by a single sFlow Collector.
    - Low Cost: The sFlow Agent is very simple to implement and adds negligible cost to a switch or router.
    - Timely: The sFlow Collector always has an up to the minute view of traffic throughout the entire network. Timely information is particularly important if the traffic data is needed to provide real-time controls, for example to manage quality of service or to defend against a denial of service attack.
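    The flow-sampling loop named in the flowchart (Skip, Total_Packets, Total_Samples) and the collector-side scaling behind the "Accurate" property, as an added example that is not Extreme Networks' code. The uniform random NextSkip, the packet dictionaries and the addresses are assumptions, and the 196*sqrt(1/c) error bound is the 95% confidence bound from sFlow.org's published sampling theory, which this paper does not state.

```python
import math
import random
from collections import Counter

FLOOD_SRC = "198.51.100.66"  # constructed address (documentation range)

def next_skip(rate, rng):
    """Random skip with mean `rate`; randomising avoids locking onto periodic traffic."""
    return rng.randint(1, 2 * rate - 1)

def sample_stream(packets, rate, rng, exclude=lambda pkt: False):
    """Agent side: count every eligible packet and copy one each time Skip reaches 0."""
    total_packets = total_samples = 0
    skip = next_skip(rate, rng)
    samples = []
    for pkt in packets:
        if exclude(pkt):
            continue                      # still forwarded, never counted or sampled
        total_packets += 1
        skip -= 1
        if skip == 0:
            total_samples += 1
            samples.append(pkt)           # a real agent copies the packet header
            skip = next_skip(rate, rng)
    return samples, total_packets, total_samples

def error_pct(class_samples):
    """95% confidence bound on the relative error of an estimate built from c samples."""
    return 196.0 * math.sqrt(1.0 / class_samples)

def estimate_by_source(samples, total_packets, total_samples):
    """Collector side: scale per-source sample counts back up to packet counts."""
    scale = total_packets / total_samples
    counts = Counter(pkt["src"] for pkt in samples)
    return {src: (round(c * scale), round(error_pct(c), 1))
            for src, c in counts.most_common()}

def constructed_stream(n=200_000):
    """Constructed traffic: 9 of every 10 packets come from one flooding source."""
    return [{"src": FLOOD_SRC if i % 10 else f"192.0.2.{i // 10 % 50 + 1}"}
            for i in range(n)]

if __name__ == "__main__":
    smp, tp, ts = sample_stream(constructed_stream(), 512, random.Random(7))
    for src, (est, err) in list(estimate_by_source(smp, tp, ts).items())[:3]:
        print(f"{src:15} ~{est} packets (+/-{err}%)")
```

    The flooding source is estimated from a few hundred samples with a bound of roughly ten percent, while each background host rests on a handful of samples and carries a far wider bound, which is the sense in which the accuracy of every sFlow measurement can be determined.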

    Using sFlow

    Using sFlow to continuously monitor traffic flows on all ports gives network-wide visibility into the use of the network. This visibility replaces guesswork, fundamentally changing the way that network services are managed.

    Troubleshooting Network Problems

    Any use of a network generates traffic. Consequently, problems are often first observable in abnormal traffic patterns. sFlow makes these abnormal traffic patterns visible with sufficient detail to enable rapid identification, diagnosis, and correction.

    Controlling Congestion

    By monitoring traffic flows on all ports continuously, sFlow can be used to instantly highlight congested links, identify the source of the traffic, and the associated application level conversations. sFlow provides the necessary information to determine effective controls, for example which traffic to rate control or prioritize or where to provision more bandwidth.

    Security and Audit Trail Analysis

    Gartner estimates that 70% of security incidents that actually cause loss to enterprises involve insiders, while service providers and other organizations are constantly bombarded with various external attacks. A comprehensive security strategy involves protecting the network from external and internal misuse and information assets from theft.

    Since attacks and security threats will come from unknown sources, effective security monitoring requires complete network surveillance, with alerts to suspicious activity. sFlow provides this blanket audit trail for the whole network. The continuous network-wide surveillance and route tracing information provided by sFlow allows internal and externally sourced security threats and attacks to be rapidly traced and controlled. When sFlow is used to build a detailed traffic history, a baseline of normal behavior is established, from which anomalies can be detected and suspicious activity identified.

    By giving visibility into real-time and historical network-wide usage, sFlow can be used to prevent intentional attacks, minimize unintentional mistakes, and protect information assets.

    [Figure 2: sFlow Agents and Collector. Diagram labels: sFlow Agents, sFlow Datagrams, Traffic Data, Analysis.]

    Availability

    sFlow solutions consist of:

    - ExtremeXOS powered switches running ExtremeXOS 11.0 or greater
    - A software application that receives and analyzes sFlow data

    The following platforms support hardware-based sampling at a programmed interval:

    - BlackDiamond 10808 switch
    - BlackDiamond 8800 e-series modules
    - BlackDiamond 8800 a-series modules
    - Summit X450e series switches
    - Summit X450a series switches

    With hardware-based sampling, the data path for a packet that traverses the switch does not require processing by the CPU. Fast path packets are handled entirely by ASICs and are forwarded at wire-speed rate.

    Hardware-based sampling enables more accurate information correction by having more samples to use, and provides better scalability and security under conditions such as high traffic load.

    A number of software applications take advantage of the sFlow network traffic monitoring capability in these switches. These applications provide a variety of solutions including congestion control and troubleshooting, route profiling, audit trail security analysis and accounting for billing.

    A full list of sFlow solutions can be found at www.sFlow.org

    Appendix A: Configuring sFlow in ExtremeWare and ExtremeXOS

    Configuring sFlow

    ExtremeWare and ExtremeXOS allow the collection of sFlow statistics on a per port basis. An agent, residing in the switch, sends data to the collector, typically a Windows or Linux server.

    Appendix A explains how to configure sFlow on an ExtremeXOS system.

    To configure sFlow on a switch, you must do the following tasks:

    - Configure the local agent
    - Configure the addresses of the remote collectors
    - Enable sFlow globally on the switch
    - Enable sFlow on the desired ports

    Optionally, you may also change the default values of the following items:

    - How often the statistics are collected
    - How frequently a sample is taken, globally or per port
    - How many samples per second can be sent to the CPU

    Configuring the Remote Collector Address

    You can specify up to four remote collectors to send the sFlow data to. Typically, you would configure the IP address of each collector. You may also specify a UDP port number different from the default value of 6343, and/or a virtual router different from the default of VR-Mgmt. When you configure a collector, the system creates a database entry for that collector that remains until the collector is unconfigured. All the configured collectors are displayed in the show sflow {configure} command. To configure the remote collector, use the following command:

        configure sflow collector {ipaddress} {port } {vr }

    To unconfigure the remote collector and remove it from the database, use the following command:

        unconfigure sflow collector {ipaddress} {port } {vr }


    Additional sFlow Configuration Options

    You can configure three global options to different values from the defaults. These options affect how frequently the sFlow data is sent to the remote collector, how frequently packets are sampled, and the maximum number of sFlow samples that could be processed in the CPU per second.

    You can also configure how frequently packets are sampled per port.

    Polling Interval

    Each port counter is periodically polled to gather the statistics to send to the collector. If there is more than one counter to be polled, the polling is distributed in such a way that each counter is visited once during each polling interval, and the data flows are spaced in time. For example, assume that the polling interval is 20 seconds and there are 40 counters to poll. Two ports will be polled each second, until all 40 are polled. To configure the polling interval, use the following command:

        configure sflow poll-interval

    Global Sampling Rate

    The default sample rate is 8192, so by default sFlow samples one packet out of every 8192 received. This can be changed with the following command:

        configure sflow sample-rate

    Per Port Sampling Rate

    The per port sampling rate overrides the system-wide value set in the configure sflow sample-rate command. The rate is rounded off to the next power of two, so if 400 is specified, the sample rate is configured as 512. The valid range is 1 to 536870912. To set the sampling rate on individual ports, use the following command:

        configure sflow sample-rate

    Displaying sFlow Information

    To display the current configuration of sFlow, use the following command:

        show sflow configuration

    To display the sFlow statistics, use the following command:

        show sflow statistics

    www.extremenetworks.com

    Corporate and North America
    Extreme Networks, Inc.
    585 Monroe Street,
    Santa Clara, CA 9505 USA
    Phone + 408 579 2800

    Europe, Middle East, Africa and South America
    Phone + 0 800 500

    Asia Pacific
    Phone +852 257 2

    Japan
    Phone +8 5842 40

    Extreme Networks, the Extreme Networks Logo, BlackDiamond, ExtremeWare, ExtremeXOS and Summit are either registered trademarks or trademarks of Extreme Networks, Inc. in the United States and/or other countries. sFlow is a registered trademark of sFlow.org.

    Specifications are subject to change without notice.

    247_0 07/06 sFlow White Paper
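    How the sampling-rate settings in Appendix A play out in practice, as an added example that is not Extreme Networks' code: it applies the power-of-two rounding and valid range stated in the appendix, then estimates how long a traffic class takes to become measurable at each rate. The traffic figures are constructed, leaving an exact power of two unchanged is an assumption, and the 196*sqrt(1/c) bound comes from sFlow.org's sampling theory rather than from this paper.

```python
import math

DEFAULT_RATE = 8192      # default global sample rate stated in the appendix
MAX_RATE = 536870912     # top of the valid range stated in the appendix (2**29)

def configured_rate(requested):
    """Rate actually in effect: the request rounded up to the next power of two.
    Assumption: a request that is already a power of two is left unchanged."""
    if not 1 <= requested <= MAX_RATE:
        raise ValueError(f"sample rate {requested} is outside 1..{MAX_RATE}")
    return 1 << (requested - 1).bit_length()

def samples_needed(max_error_pct):
    """Samples of one traffic class needed for a 95% error bound <= max_error_pct."""
    return math.ceil((196.0 / max_error_pct) ** 2)

def seconds_to_estimate(class_pps, requested_rate, max_error_pct=20.0):
    """Expected seconds before a class arriving at class_pps is measurable that well."""
    return samples_needed(max_error_pct) * configured_rate(requested_rate) / class_pps

def sampled_pps(port_pps, requested_rate):
    """Average samples per second this port hands to the switch CPU."""
    return port_pps / configured_rate(requested_rate)

def compare(port_pps, class_pps, requested_rates):
    """One row per candidate: (requested, configured, samples/s, seconds to estimate)."""
    return [(r, configured_rate(r), round(sampled_pps(port_pps, r), 1),
             round(seconds_to_estimate(class_pps, r), 2)) for r in requested_rates]

if __name__ == "__main__":
    # Constructed scenario: a port carrying 1,000,000 packets/s, of which a
    # 100,000 packets/s flood has to become visible quickly.
    for row in compare(1_000_000, 100_000, [DEFAULT_RATE, 1000, 400]):
        print("requested %6d  configured %6d  %8.1f samples/s  %6.2f s" % row)
```

    A lower rate shortens the time to a usable estimate but raises the number of samples per second the CPU has to handle, which is the trade-off the per-port rate and the CPU sample limit exist to manage.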