Вы находитесь на странице: 1из 5

Extreme Networks White Paper

Making the Network Visible With sFlow

Abstract
The objective of this white paper is to present the sFlow traffic
sampling technology and Extreme Networks’ sFlow implementa-
tion on the Ethernet switch products. sFlow will provide the great
visibility in the network by its sampling technology to monitor the
network status. By providing complete visibility into the network
usage of today’s high-speed and complex networks, you will be
able to effectively control and manage network usage, helping to
ensure that network services provide a competitive advantage.

© 2006 Extreme Networks, Inc. All rights reserved. Do not reproduce.


Extreme Networks White Paper

Traffic Monitoring using sFlow® A Brief History of Packet Sampling


With the ever-increasing reliance on network services for Packet sampling has been used to monitor network traffic
business critical applications, the smallest change in for over ten years. Hewlett-Packard first demonstrated
network usage can impact the performance and reliability of network-wide monitoring using packet sampling of the
a network. This has a direct impact on the ability of a University of Geneva and CERN networks at Telecom 91.
company to conduct key business functions and on the cost This was followed up with the introduction of networking
of maintaining network services. Therefore, it is important products with embedded packet sampling capability—HP
to monitor the network traffic in order to keep the network Extended RMON—in 1993.
operating reliably and at the right performance level.
However, broad acceptance of this technique is only just
sFlow is a sampling technology that meets the key require- starting, driven by the introduction of higher speed
ments for a network traffic monitoring solution: networks and the transition from shared to switched
networks. Packet based sampling as an embedded network
- sFlow provides a network-wide view of usage and traffic monitoring technique is now compelling. In a
active routes. It is a scalable technique for measuring switched environment, the most effective place to monitor
network traffic, collecting, storing, and analyzing traffic is within the switch/router, where all the traffic will
traffic data. This enables tens of thousands of be seen. Traditional probes will only have a partial view of
interfaces to be monitored from a single location.
traffic. However, a traffic monitoring solution embedded
- sFlow is scalable thereby enabling it to monitor links within a switch or router must not impact forwarding
of speeds up to 10 Gigabits per Second (Gbps) and performance. Switches and routers with embedded sFlow
beyond without impacting the performance of core sampling technology have been available since 2001. This
Internet routers and switches, and without adding
solution provides detailed and quantitative traffic measure-
significant network load.
ments, at gigabit speeds, gives insight into forwarding
- sFlow is an industry standard with a growing number decisions, and does not impact forwarding or network
of vendors delivering products with sFlow support. performance.

By providing unprecedented visibility into network usage sFlow Technology Overview


and active routes of even today’s high-speed and complex
networks, sFlow provides the data required to effectively sFlow provides the ability to continuously monitor applica-
control and manage network usage, ensuring that network tion level traffic flows at wire speed on all interfaces
services provide a competitive advantage. simultaneously.

Applications of sFlow data include:

- Detecting, diagnosing, and fixing network problems


sFlow Diagram Flow Sampling
- Real-time congestion management Total_Packets = 0
Total_Packets = 0
Switch/Router Skip = NextSkip(Rate)

- Understanding application mix (e.g. P2P, Web, DNS Wait for Packet

etc) and changes sFlow


Management Yes Exclude
Agent Packet?
- Usage accounting for billing and charge-back No

Interface Flow Assign Destination


Interface
- Audit trail analysis to identify unauthorized network Counters Samples
Decrement_Skip

activity and trace the sources of denial-of-service Switching/Routing ASICs


Increment Total_Packages

Skip = NextSkip(Rate) Yes


attacks Increment Total_Samples
Skip = 0?
Send copy of Sampled
Packet, Source Interface, No
- Route profiling and peering optimization Destination Interface,
Total_Samples and
Total_Packets to Agents
Send Packet to
Destination Interface

- Trending and capacity planning.

Extreme Networks® has added support for the sFlow


protocol to its switching product line because of the need Figure 1: sFlow Agent Embedded in Switch/Router
for increased visibility into network traffic, even at very high
speeds such as 10 Gbps.

© 2006 Extreme Networks, Inc. All rights reserved. Do not reproduce. Network sFlow — Page 
Extreme Networks White Paper

The sFlow Agent is a software process that runs as part of - Detailed—Complete packet header and switching/
the network management software within a device (see routing information permits detailed analysis of Layer
Figure 2). It combines interface counters and flow samples 2-Layer 7 traffic flows.
into sFlow datagrams that are sent across the network to an - Scalable—The sFlow system is scalable in both the
sFlow Collector. The state of the forwarding/routing table size and speed of the network it can monitor. sFlow is
entries associated with each sampled packet is also capable of monitoring networks at 10Gbps, 100Gbps
recorded. and beyond. Thousands of devices can be monitored
by a single sFlow Collector.
The sFlow Agent does very little processing. It simply
packages data into sFlow Datagrams that are immediately - Low Cost—The sFlow Agent is very simple to
sent on the network. Immediate forwarding of data implement and adds negligible cost to a switch or
minimizes memory and CPU requirements associated with router.
the sFlow Agent. - Timely—The sFlow Collector always has an up to the
minute view of traffic throughout the entire network.
Timely information is particularly important if the
traffic data is needed to provide real-time controls,
for example to manage quality of service or to defend
against a denial of service attack.

Traffic Data
Using sFlow
Using sFlow to continuously monitor traffic flows on all
Analysis ports gives network-wide visibility into the use of the
network. This visibility replaces guesswork, fundamen-
tally changing the way that network services are man-
sFlow Agents
sFlow Datagrams aged.

Troubleshooting Network Problems


Any use of a network generates traffic. Consequently,
problems are often first observable in abnormal traffic
patterns. sFlow makes these abnormal traffic patterns
visible with sufficient detail to enable rapid identification,
diagnosis, and correction.

Controlling Congestion
By monitoring traffic flows on all ports continuously,
sFlow can be used to instantly highlight congested links,
identify the source of the traffic, and the associated
Figure 2: sFlow Agents and Collector application level conversations. sFlow provides the
necessary information to determine effective controls,
for example which traffic to rate control or prioritize or
where to provision more bandwidth.

Figure 2 shows the basic elements of the sFlow system. Security and Audit Trail Analysis
sFlow Agents throughout the network continuously send Gartner estimates that 70% of security incidents that
a stream of sFlow Datagrams to a central sFlow Collector actually cause loss to enterprises involve insiders, while
where they are analyzed to produce a rich, real-time, service providers and other organizations are constantly
network-wide view of traffic flows. sFlow monitoring of bombarded with various external attacks. A comprehen-
high-speed, routed and switched networks has the sive security strategy involves protecting the network
following properties: from external and internal misuse and information assets
from theft.
- Accurate—The sFlow system is designed so that the
Since attacks and security threats will come from
accuracy of any measurement can be determined.
unknown sources, effective security monitoring requires
Other traffic flow measurement technologies clip
complete network surveillance, with alerts to suspicious
under heavy loads resulting in errors that are
activity. sFlow provides this blanket audit trail, for the
difficult to quantify.
whole network. The continuous network-wide surveillance

© 2006 Extreme Networks, Inc. All rights reserved. Do not reproduce. sFlow — Page 
Extreme Networks White Paper

and route tracing information provided by sFlow Appendix A: Configuring sFlow in


allows internal and externally sourced security ExtremeWare™ and ExtremeXOS
threats and attacks to be rapidly traced and con-
trolled. When sFlow is used to build a detailed traffic
Configuring sFlow
history a baseline of normal behavior is established,
ExtremeWare and ExtremeXOS allow the collection
from which anomalies can be detected and suspicious
of sFlow statistics on a per port basis. An agent,
activity identified.
residing in the switch, sends data to the collector,
typically a Windows or Linux server.
By giving visibility into real-time and historical
network-wide usage, sFlow can be used to prevent
Appendix A explains how you configure sFlow on
intentional attacks, minimize unintentional mistakes,
ExtremeXOS system.
and protect information assets.
To configure sFlow on a switch, you must do the
Availability following tasks:

sFlow solutions consist of: • Configure the local agent


- ExtremeXOS™ powered switches running Extre-
meXOS 11.0 or greater • Configure the addresses of the remote collectors

- A software application that receives and analyzes • Enable sFlow globally on the switch
sFlow data • Enable sFlow on the desired ports

The following platforms support hardware-based Optionally, you may also change the default values of
sampling at a programmed interval: the following items:

• How often the statistics are collected


• BlackDiamond® 10808 switch
• How frequently a sample is taken, globally or per port
• BlackDiamond 8800 e-series modules
• How many samples per second can be sent to the CPU
• BlackDiamond 8800 a-series modules
• Summit® X450e series switches
Configuring the Remote Collector Address
• Summit X450a series switches You can specify up to four remote collectors to send the
sFlow data to. Typically, you would configure the IP address
With hardware-based sampling, the data path for a of each collector. You may also specify a UDP port number
packet that traverses the switch does not require different from the default value of 6343, and/or a virtual
processing by the CPU. Fast path packets are handled router different from the default of VR-Mgmt. When you
entirely by ASICs and are forwarded at wire-speed configure a collector, the system creates a database entry
rate. for that collector that remains until the collector is uncon-
figured. All the configured collectors are displayed in the
Hardware based sampling enables more accurate show sflow {configure} command. To configure the remote
information correction by having the more samples to collector, use the following command:
be used and provides better scalability and security
under conditions such as high traffic load.
configure sflow collector {ipaddress}
<ip-address> {port <udp-port-number>}
A number of software applications take advantage of {vr <vrname>}
the sFlow network traffic monitoring capability in
these switches. These applications provide a variety
of solutions including congestion control and trouble-
shooting, route profiling, audit trail security analysis To unconfigure the remote collector and remove it from the
and accounting for billing. database, use the following command:

A full list of sFlow solutions can be found at


www.sFlow.org unconfigure sflow collector {ipaddress}
<ip-address> {port <udp-port-number>}
{vr <vrname>}

© 2006 Extreme Networks, Inc. All rights reserved. Do not reproduce. sFlow — Page 
Extreme Networks White Paper

Additional sFlow Configuration Options Displaying sFlow Information


To display the current configuration of sFlow, use the
You can configure three global options to different values
following command:
from the defaults. These options affect how frequently the
sFlow data is sent to the remote collector, how frequently
packets are sample and the maximum number of sFlow show sflow configuration
samples that could be processed in the CPU per second.
You can also configure how frequently packets are sampled
To display the sFlow statistics, use the following command:
per port.

Polling Interval show sflow statistics


Each port counter is periodically polled to gather the
statistics to send to the collector. If there is more than one
counter to be polled, the polling is distributed in such a way
that each counter is visited once during each polling
interval, and the data flows are spaced in time. For example,
assume that the polling interval is 20 seconds and there are
40 counters to poll. Two ports will be polled each second,
until all 40 are polled. To configure the polling interval, use
the following command:

configure sflow poll-interval <seconds>

Global Sampling Rate


The default sample rate is 8192, so by default sFlow
samples one packet out of every 8192 received. This can be
changed with the following command:

configure sflow sample-rate <number>

Per Port Sampling Rate


The per port sampling rate overrides the system-wide value
set in the configure sflow sample-rate command. The rate is
rounded off to the next power of two, so if 400 is specified,
the sample rate is configured as 512. The valid range is 1 to
536870912. To set the sampling rate on individual ports, use
the following command:

configure sflow sample-rate <number>

www.extremenetworks.com email: info@extremenetworks.com

Corporate Europe, Middle East, Africa Asia Pacific Japan


and North America and South America Phone +852 2517 1123 Phone +81 3 5842 4011
Extreme Networks, Inc. Phone +31 30 800 5100
3585 Monroe Street,
Santa Clara, CA 95051 USA
Phone +1 408 579 2800

© 2006 Extreme Networks, Inc. All rights reserved. Do not reproduce.


Extreme Networks, the Extreme Networks Logo, BlackDiamond, ExtremeWare, ExtremeXOS and Summit are either registered trademarks or
trademarks of Extreme Networks, Inc. in the United States and/or other countries. sFlow is a registered trademark of sFlow.org.
Specifications are subject to change without notice.

1247_01 07/06 sFlow White Paper