sFlow Monitoring Technology

Overview of sFlow Technology

The sFlow technology is a monitoring technology for high-speed switched or routed networks. sFlow monitoring technology collects samples of network packets and sends them in a UDP datagram to a monitoring station called a collector. You can configure sFlow technology on a device to monitor traffic continuously at wire speed on all interfaces simultaneously. You must enable sFlow monitoring on each interface individually; you cannot globally enable sFlow monitoring on all interfaces with a single configuration statement. Junos OS supports the sFlow technology standard described in RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks.

sFlow technology implements the following two sampling mechanisms:

  • Packet-based sampling—Samples one packet out of a specified number of packets from an interface enabled for sFlow technology. Only the first 128 bytes of each packet are sent to the collector. Data collected include the Ethernet, IP, and TCP headers, along with other application-level headers (if present). Although this type of sampling might not capture infrequent packet flows, the majority of flows are reported over time, allowing the collector to generate a reasonably accurate representation of network activity. You configure packet-based sampling when you specify a sample rate.

  • Time-based sampling—Samples interface statistics (counters) at a specified interval from an interface enabled for sFlow technology. Statistics such as Ethernet interface errors are captured. You configure time-based sampling when you specify a polling interval.

An sFlow monitoring system consists of an sFlow agent embedded in the device and up to four external collectors. On a QFX Series standalone switch, the sFlow agent performs packet sampling and gathers interface statistics, and then combines the information into UDP datagrams that are sent to the sFlow collectors. An sFlow collector can be connected to the switch through the management network or data network. The software forwarding infrastructure daemon (SFID) on the switch looks up the next-hop address for the specified collector IP address to determine whether the collector is reachable by way of the management network or data network.

Note:

On the QFX Series standalone switches, if you configure sFlow technology monitoring on multiple interfaces and a high sampling rate, we recommend that you specify a collector that is on the data network instead of the management network. Having a high volume of sFlow technology monitoring traffic on the management network might interfere with other management interface traffic.

Starting in Junos OS Release 20.4R1, you can use sFlow technology to sample IP-IP traffic at a physical port. This feature is supported for IP-IP tunnels with an IPv4 outer header that carry IPv4 or IPv6 traffic. Use sFlow monitoring technology to randomly sample network packets from IP-IP tunnels and send the samples to a destination collector for monitoring. Devices that act as an IP-IP tunnel entry point, transit device, or tunnel endpoint support sFlow sampling. Table 1 shows the fields that are reported when a packet is sampled at the ingress or egress interface of a device that acts as an IP-IP tunnel entry point, transit device, or tunnel endpoint.

Table 1: Supported Metadata

| sFlow Field | Tunnel Entry Point | Transit Device | Tunnel Endpoint |
|---|---|---|---|
| Raw packet header | Includes payload only | Includes payload and tunnel header | Egress: Includes payload only. Ingress: Includes payload and tunnel header |
| Input interface | Incoming IFD SNMP index | Incoming IFD SNMP index | Incoming IFD SNMP index |
| Output interface | Outgoing IFD SNMP index | Outgoing IFD SNMP index | Outgoing IFD SNMP index |

On a QFabric system, the sFlow technology architecture is distributed. The global sFlow technology configuration defined on the QFabric system Director device is distributed to Node groups that have sFlow sampling configured on their interfaces. The sFlow agent has a separate sampling entity, known as a subagent, running on each Node device. Each subagent has its own independent state and forwards its own sample information (datagrams) directly to the sFlow collectors.

On the QFabric system, an sFlow collector must be reachable through the data network. Because each Node device has all routes stored in the default routing instance, the collector IP address should be included in the default routing instance to ensure the collector’s reachability from the Node device.

Regardless of the rate of traffic or the configured sampling interval, a datagram is sent whenever its size reaches the maximum Ethernet transmission unit (MTU) of 1500 bytes, or whenever a 250-ms timer expires, whichever occurs first. The timer ensures that a collector receives regularly sampled data.

To ensure sampling accuracy and efficiency, QFX Series devices use adaptive sFlow sampling. Adaptive sampling monitors the overall incoming traffic rate on the device and provides feedback to the interfaces to dynamically adapt their sampling rate to traffic conditions. The sFlow agent reads the statistics on the interfaces every 5 seconds and identifies the five interfaces with the highest number of samples. On a standalone switch, when the CPU processing limit is reached, a binary backoff algorithm is implemented to reduce the sampling load of the top five interfaces by half. The adapted sampling rate is then applied to those top five interfaces.

On a QFabric system, sFlow technology monitors the interfaces on each Node device as a group, and implements the binary backoff algorithm based on the traffic on that group of interfaces.

Using adaptive sampling prevents overloading of the CPU and keeps the device operating at its optimum level even when there is a change in traffic patterns on the interfaces. The reduced sampling rate is used until the device is rebooted or when a new sampling rate is configured.

The sFlow collector uses the IP address of the sFlow agent to determine the source of the sFlow data. You can configure the IP address of the sFlow agent to ensure that the agent ID for the sFlow agent remains constant. If you do not assign an IP address to the agent, an IP address will be assigned to the agent using the IP address of a configured interface.

On the QFX Series standalone switches, the following priority is used to determine which interface will be used:

  1. Management Ethernet interface me0 IP address

  2. Any Layer 3 interface if the me0 IP address is not available

If a particular interface is not configured, the IP address of the next interface in the priority list is used as the IP address for the agent. Once an IP address is assigned to the agent, the agent ID is not modified until the sFlow service is restarted. At least one interface has to be configured for an IP address to be assigned to the agent.

In addition, you can explicitly configure the IP address for the source data (sFlow datagrams). On the QFX Series standalone switches, if you do not configure that address, the following priority is used:

  • Any Layer 3 interface IP address

  • The me0 IP address if no Layer 3 interface IP address is available

On the QFabric system, the following default values are used if the optional parameters are not configured:

  • Agent ID is the management IP address of the default partition.

  • Source IP is the management IP address of the default partition.

In addition, the QFabric system subagent ID (which is included in the sFlow datagrams) is the ID of the Node group from which the datagram is sent to the collector.

Considerations

On the QFX Series, limitations of sFlow traffic sampling include:

  • sFlow sampling on ingress interfaces does not capture CPU-bound traffic.

  • sFlow sampling on egress interfaces does not support broadcast and multicast packets.

  • Egress samples do not contain modifications made to the packet in the egress pipeline.

  • If a packet is discarded because of a firewall filter, the reason code for discarding the packet is not sent to the collector.

  • The out-priority field for a VLAN is always set to 0 (zero) on ingress and egress samples.

  • You cannot configure sFlow monitoring on a link aggregation group (LAG), but you can configure it individually on a LAG member interface.

On QFX5100 standalone switches and the QFX Series Virtual Chassis (with QFX3500 and QFX3600 switches), egress firewall filters are not applied to sFlow sampling packets. On these platforms, the software architecture is different from that on other QFX Series devices, and sFlow packets are sent by the Routing Engine (not the line card on the host) and are not transiting the switch. Egress firewall filters affect data packets that are transiting a switch but do not affect packets sent by the Routing Engine. As a result, sFlow sampling packets are always sent to the sFlow collector.

On PTX1000 routers and QFX10000 Series switches, sFlow technology always works at the level of the physical interface. Enabling sFlow monitoring on one logical interface enables it on all logical interfaces belonging to that physical interface.

Overview of sFlow Technology on ACX Series Routers

An sFlow monitoring system consists of an sFlow agent embedded in the device and a central data collector, or sFlow analyzer. The sFlow agent performs packet sampling and gathers interface statistics, and then combines the information into UDP datagrams that are sent to the sFlow collectors for analysis. The sFlow agent is responsible for monitoring the network port and samples all incoming packets, including control traffic and traffic arriving on all the ports in the system. The collector can be connected to one of the data ports or the management interface.

Note:

sFlow technology is supported only on the ACX5000 line of routers. Other ACX Series routers do not support this technology.

The following sFlow features are supported on the ACX5000 line of routers:

  • Packet-based sampling—Samples one packet out of a specified number of packets from an interface enabled for sFlow technology. Only the first 128 bytes of each packet are sent to the collector. Data collected include the Ethernet, IP, and TCP headers, along with other application-level headers (if present). Although this type of sampling might not capture infrequent packet flows, the majority of flows are reported over time, allowing the collector to generate a reasonably accurate representation of network activity. You configure packet-based sampling when you specify a sample rate.

  • Time-based sampling—Samples interface statistics (counters) at a specified interval from an interface enabled for sFlow technology. Statistics such as Ethernet interface errors are captured. You configure time-based sampling when you specify a polling interval.

  • Adaptive sampling—Monitors the overall incoming traffic rate on the device and provides feedback to the interfaces to dynamically adapt their sampling rate to traffic conditions.

Note:

If you configure sFlow technology monitoring on multiple interfaces and a high sampling rate, we recommend that you specify a collector that is on the data network instead of the management network. Having a high volume of sFlow technology monitoring traffic on the management network might interfere with other management interface traffic.

The sFlow collector uses the IP address of the sFlow agent to determine the source of the sFlow data. You can configure the IP address of the sFlow agent to ensure that the agent ID for the sFlow agent remains constant. If you do not assign an IP address to the agent, an IP address will be assigned to the agent using the IP address of a configured interface.

If a particular interface is not configured, the IP address of the next interface in the priority list is used as the IP address for the agent. Once an IP address is assigned to the agent, the agent ID is not modified until the sFlow service is restarted. At least one interface has to be configured for an IP address to be assigned to the agent.

The following sFlow technology limitations apply on the ACX5000 line of routers:

  • Ingress and egress sampling can be configured on only one of the units under a physical interface, and sFlow is then enabled for the physical interface (port). sFlow cannot be enabled if the unit under a physical interface is not configured.

  • Egress sampling for broadcast, unknown unicast, and multicast (BUM) traffic is not supported because the source-interface field in the sFlow datagrams cannot be populated.

  • Destination VLAN and Destination Priority fields are not populated in the case of Layer 3 forwarding.

  • sFlow sampling is not supported on the output interface of an analyzer.

  • SNMP MIB support for sFlow is not available.

  • sFlow cannot be enabled on LAG interfaces; however, it can be enabled on LAG member interfaces individually.

  • sFlow cannot be enabled on IRB interfaces.

  • sFlow cannot be enabled on logical tunnel (lt-) and LSI interfaces.

Understanding How to Use sFlow Technology for Network Monitoring

The sFlow technology is a monitoring technology for high-speed switched or routed networks. sFlow randomly samples network packets and sends the samples to a monitoring station called a collector.

Benefits of sFlow Technology

  • sFlow can be used by software tools like a network analyzer to continuously monitor tens of thousands of switch or router ports simultaneously.

  • Because sFlow uses network sampling (forwarding one packet out of every n packets) for analysis, it is not resource intensive (in terms of processing, memory, and so on). The sampling is done in the hardware application-specific integrated circuits (ASICs) and is therefore simple and more accurate.

Sampling Mechanism and Architecture of sFlow Technology

sFlow technology uses the following two sampling mechanisms:

  • Packet-based sampling—Samples one packet out of a specified number of packets from an interface enabled for sFlow technology. Only the first 128 bytes of each packet are sent to the collector. Data collected include the Ethernet, IP, and TCP headers, along with other application-level headers (if present). Although this type of sampling might not capture infrequent packet flows, the majority of flows are reported over time, allowing the collector to generate a reasonably accurate representation of network activity. To configure packet-based sampling, you must specify a sample rate.

  • Time-based sampling—Samples interface statistics at a specified interval from an interface enabled for sFlow technology. Statistics such as Ethernet interface errors are captured. To configure time-based sampling, you must specify a polling interval.

The sampling information is used to create a network traffic visibility picture. The Juniper Networks Junos operating system (Junos OS) fully supports the sFlow standard described in RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks (see http://faqs.org/rfcs/rfc3176.html).

Note:

On switches, sFlow technology samples only raw packet headers, that is, the complete Layer 2 network frame.

An sFlow monitoring system consists of an sFlow agent embedded in the router or switch and a centralized collector. The sFlow agent’s two main activities are random sampling and statistics gathering. It combines interface counters and flow samples and sends them across the network to the sFlow collector as UDP datagrams, directing those datagrams to the IP address and UDP destination port of the collector. Each datagram contains the following information:

  • The IP address of the sFlow agent

  • The number of samples

  • The interface through which the packets entered the agent

  • The interface through which the packets exited the agent

  • The source and destination interface for the packets

  • The source and destination VLAN for the packets

CAUTION:

In case of dual VLANs, all fields may not be reported.

Routers and switches can adopt the distributed sFlow architecture. The sFlow agent has subagents. Each subagent is responsible for monitoring a set of network ports and has a unique ID that is used by the collector to identify the data source. A subagent has its own independent state and forwards its own sample messages to the sFlow agent. The sFlow agent is responsible for packaging the samples into datagrams and sending them to the sFlow collector. Because sampling is distributed across subagents, the protocol overhead associated with sFlow technology is significantly reduced at the collector.

Note:

On the QFabric system, an sFlow collector must be reachable through the network. Because each Node device has all routes stored in the default routing instance, the collector IP address should be included in the default routing instance to ensure the collector’s reachability from the Node device.

Note:

You cannot configure sFlow monitoring on a link aggregation group (LAG), but you can configure it individually on a LAG member interface.

Infrequent sampling flows might not be reported in the sFlow information, but over time the majority of flows are reported. Based on a configured sampling rate N, 1 out of N packets is captured and sent to the collector. This type of sampling does not provide a 100 percent accurate result in the analysis, but it does provide a result with quantifiable accuracy. A user-configured polling interval defines how often sFlow data for a specific interface are sent to the collector, but an sFlow agent can also schedule polling.

Note:

For the EX9200 switch and MX Series routers, we recommend that you configure the same sample rate for all the ports in a line card. If you configure different sample rates, the lowest value is used for all ports on the line card.

Note:

If the primary-role assignment changes in a Virtual Chassis setup, sFlow technology continues to function.

Adaptive Sampling

Adaptive sampling is the process of monitoring the overall incoming traffic rate on the network device and providing intelligent feedback to interfaces to dynamically adapt the sampling rates on interfaces on the basis of traffic conditions. Adaptive sampling prevents the CPU from overloading and maintains the system at an optimum level, even when traffic patterns change on the interfaces. Whereas the sample rate is the configured number of egress or ingress packets out of which one packet is sampled, the adaptive sample rate is the maximum number of samples that should be generated per line card; that is, it is the limit given to adaptive sampling. Sample load is the amount of data (or number of packets) moving across a network at a given point of time that is sampled. As you increase the sample rate, you decrease the sample load and vice versa. For example, suppose the configured sample rate is 2 (meaning 1 packet out of 2 packets is sampled), and then that rate is doubled, making it 4. Now only 1 packet out of 4 packets is sampled.

You configure the adaptive sample rate, which is the maximum number of samples that should be generated per line card, at the [edit protocols sflow adaptive-sample-rate] hierarchy level.

How Adaptive Sampling Works

Every few seconds, or cycle, the sFlow agent collects the interface statistics. From these aggregated statistics, an average number of samples per second is calculated for the cycle. The cycle length depends on the platform:

  • Every 12 seconds for EX Series and QFX5K switches and MX Series and PTX Series routers

  • Every 5 seconds for QFX Series switches other than QFX5K

If the combined sample rate of all the interfaces on a line card exceeds the adaptive sample rate, a binary backoff algorithm is initiated, which reduces the sample load on the interfaces. Adaptive sampling doubles the sample rate on the affected interfaces, which reduces the sampling load by half. This process is repeated until the CPU load due to sFlow on a given line card comes down to an acceptable level.

Which interfaces on a line card participate in adaptive sampling depends on the platform:

  • For MX Series routers and EX Series switches, the sample rates on all the interfaces on the line card are adapted.

  • For PTX Series routers and QFX Series switches, only the five interfaces with the highest sample rates on the line card are adapted.

Note:

On a QFabric system, sFlow technology monitors the interfaces on each node device as a group, and implements the binary backoff algorithm based on the traffic on that group of interfaces.

For all platforms, the increased sampling rates remain in effect until one of the following conditions is achieved:

  • The device is rebooted.

  • A new sample rate is configured.

If you have enabled the adaptive sampling fallback feature and, because of a traffic spike, the number of samples increases to the configured sample-limit-threshold, then the adaptive sampling rate is reversed. See Adaptive Sampling Fallback.

Adaptive Sampling Fallback

The adaptive sampling fallback feature, when configured and after adaptive sampling has taken place, uses a binary backup algorithm to decrease the sampling rate (thus, increasing the sampling load) when the number of samples generated is less than the configured sample-limit-threshold value, without affecting normal traffic.

Starting in Junos OS Release 18.3R1, for EX Series switches, Junos OS supports the adaptive sampling fallback feature. Starting in Junos OS Release 19.1R1, for MX Series, PTX Series, and QFX Series devices, Junos OS supports the adaptive sampling fallback feature.

Adaptive sampling fallback is disabled by default. To enable this feature, include the fallback and adaptive-sample-rate sample-limit-threshold options in the [edit protocols sflow adaptive-sample-rate] hierarchy level.

After adaptive sampling has taken place and the line card is underperforming (that is, the number of samples generated in a cycle is less than the configured value for the sample-limit-threshold statement) for five continuous cycles of adaptive sampling, the adapted rate is reversed. If the reverse adaptation has happened and the number of samples generated in a cycle is less than half of the current adapted rate again (and, therefore, for five continuous cycles), another reverse adaptation can happen.

Reverse adaptation does not occur if the interfaces are already at the configured rate.
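The following Python simulation is an added example, not Juniper code: it models the binary backoff and fallback cycle described above on a single line card. The class names, interface names, and traffic figures are constructed, and backing off once per cycle and ranking interfaces by sample load are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

FALLBACK_CYCLES = 5  # page: five continuous low cycles before the rate is reversed


@dataclass
class Interface:
    name: str
    configured_rate: int      # operator-configured 1-in-N sample rate
    effective_rate: int = 0   # 1-in-N rate currently in force

    def __post_init__(self) -> None:
        self.effective_rate = self.effective_rate or self.configured_rate


@dataclass
class LineCard:
    interfaces: List[Interface]
    adaptive_sample_rate: int                     # max samples/s for the card
    sample_limit_threshold: Optional[int] = None  # None = fallback disabled
    top_n: Optional[int] = None                   # None = adapt all, 5 = PTX/QFX
    low_cycles: int = 0

    def cycle(self, pps: Dict[str, int]) -> float:
        """Apply one statistics cycle and return the samples/s it generated."""
        load = {i.name: pps.get(i.name, 0) / i.effective_rate
                for i in self.interfaces}
        total = sum(load.values())
        adapted = [i for i in self.interfaces
                   if i.effective_rate > i.configured_rate]
        if total > self.adaptive_sample_rate:
            # Binary backoff: doubling 1-in-N halves the sample load.
            targets = sorted(self.interfaces, key=lambda i: load[i.name],
                             reverse=True)[: self.top_n]
            for i in targets:
                i.effective_rate *= 2
            self.low_cycles = 0
        elif (self.sample_limit_threshold is not None and adapted
              and total < self.sample_limit_threshold):
            # Fallback: reverse one step after five consecutive low cycles,
            # never going below the configured rate.
            self.low_cycles += 1
            if self.low_cycles >= FALLBACK_CYCLES:
                for i in adapted:
                    i.effective_rate = max(i.configured_rate,
                                           i.effective_rate // 2)
                self.low_cycles = 0
        else:
            self.low_cycles = 0
        return total


def estimate_pps(samples_per_sec: float, rate: int) -> float:
    """Scale observed samples back to packets/s using a 1-in-N rate."""
    return samples_per_sec * rate


def run_scenario() -> List[Dict[str, int]]:
    """Constructed traffic: a busy period followed by a quiet one."""
    card = LineCard(
        [Interface("xe-0/0/0", 1000), Interface("xe-0/0/1", 1000)],
        adaptive_sample_rate=300, sample_limit_threshold=100)
    busy = {"xe-0/0/0": 400_000, "xe-0/0/1": 50_000}
    quiet = {"xe-0/0/0": 100_000, "xe-0/0/1": 20_000}
    history = []
    for pps in [busy] * 2 + [quiet] * 6:
        card.cycle(pps)
        history.append({i.name: i.effective_rate for i in card.interfaces})
    return history


if __name__ == "__main__":
    for n, rates in enumerate(run_scenario(), start=1):
        print(f"cycle {n}: {rates}")
```

After one backoff the effective rate is twice the configured one, so a collector that scales samples by the configured rate reports half the real traffic; scale by the sampling rate reported with each flow sample instead.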

Adaptive Sampling Limitations

The following are limitations of the adaptive sample feature:

  • On standalone routers or standalone QFX Series switches, if you configure sFlow on multiple interfaces and with a high sampling rate, we recommend that you specify a collector that is on the data network instead of on the management network. Having a high volume of sFlow traffic on the management network might interfere with other management interface traffic.

  • On routers, sFlow does not support graceful restart. When a graceful restart occurs, the adaptive sampling rate is set to the user-configured sampling rate.

  • On a rate-selectable line card (which supports multiple speeds), interfaces with the highest sample count are selected for adaptive sampling fallback. The backup algorithm selects those interfaces on which the adaptive sampling rate is increased the maximum number of times and then decreases the sampling rate on each of those interfaces every five seconds. However, on a single-rate line card, only one sample rate is supported per line card, and the adaptive sampling fallback mechanism backs up the sampling rate on all the interfaces of the line card.

sFlow Agent Address Assignment

The sFlow collector uses the sFlow agent’s IP address to determine the source of the sFlow data. You can configure the IP address of the sFlow agent to ensure that the agent ID of the sFlow agent remains constant. If you do not specify the IP address to be assigned to the agent, an IP address is automatically assigned to the agent based on the following order of priority of interfaces configured on the device:

| Routers and EX Series Switches | QFX Series Devices |
|---|---|
| 1. Virtual Management Ethernet (VME) interface | 1. Management Ethernet interface me0 IP address |
| 2. Management Ethernet interface | 2. Any Layer 3 interface if the me0 IP address is not available |

If a particular interface is not configured, the IP address of the next interface in the priority list is used as the IP address for the agent. Once an IP address is assigned to the agent, the agent ID is not modified until the sFlow service is restarted. At least one interface has to be configured for an IP address to be assigned to the agent. When the agent’s IP address is assigned automatically, the IP address is dynamic and changes when the device reboots.

On the QFabric system, the following default values are used if the optional parameters are not configured:

  • Agent ID is the management IP address of the default partition.

  • Source IP is the management IP address of the default partition.

In addition, the QFabric system subagent ID (which is included in the sFlow datagrams) is the ID of the node group from which the datagram is sent to the collector.

sFlow data can be used to provide network traffic visibility information. You can explicitly configure the source IP address to be assigned to the sFlow datagrams. If you do not explicitly configure the IP address, the IP address of any of the configured Layer 3 network interfaces is used as the source IP address. If a Layer 3 IP address is not configured, then the agent IP address is used as the source IP address.
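A collector-side check for the agent ID and source IP behavior described above, as an added Python example that is not part of the Juniper documentation. It assumes the sFlow version 5 datagram header layout (version, agent address, sub-agent ID, sequence number, uptime, sample count) from the sFlow version 5 specification, which this page does not give; the inventory addresses and function names are constructed for illustration.

```python
import ipaddress
import struct
from typing import Dict, List, NamedTuple, Tuple

ADDR_LEN = {1: 4, 2: 16}  # XDR address type: 1 = IPv4, 2 = IPv6


class Header(NamedTuple):
    agent: str         # agent ID the collector uses to identify the source
    sub_agent_id: int
    sequence: int      # datagram counter, kept per sub-agent
    uptime_ms: int
    num_samples: int


def parse_header(data: bytes) -> Header:
    """Parse the fixed part of an sFlow v5 datagram (assumed layout)."""
    if len(data) < 8:
        raise ValueError("truncated datagram")
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    if addr_type not in ADDR_LEN:
        raise ValueError(f"unknown agent address type {addr_type}")
    addr_end = 8 + ADDR_LEN[addr_type]
    if len(data) < addr_end + 16:
        raise ValueError("truncated datagram")
    agent = str(ipaddress.ip_address(data[8:addr_end]))
    sub, seq, uptime, count = struct.unpack_from("!IIII", data, addr_end)
    return Header(agent, sub, seq, uptime, count)


def check_datagram(data: bytes, udp_source: str,
                   inventory: Dict[str, str],
                   state: Dict[Tuple[str, int], Tuple[int, int]]) -> List[str]:
    """Return findings for one datagram.

    inventory maps each configured agent ID to its configured source IP.
    The two can differ: on QFX standalone switches the defaults prefer me0
    for the agent ID but a Layer 3 interface for the source IP.
    """
    hdr = parse_header(data)
    findings = []
    if hdr.agent not in inventory:
        # Expected after a reboot when the agent ID is assigned automatically.
        findings.append(f"unknown agent ID {hdr.agent}")
    elif inventory[hdr.agent] != udp_source:
        findings.append(
            f"agent {hdr.agent} sent from unexpected source {udp_source}")
    key = (hdr.agent, hdr.sub_agent_id)
    if key in state:
        prev_seq, prev_uptime = state[key]
        expected = (prev_seq + 1) & 0xFFFFFFFF  # 32-bit counter wraps
        if hdr.uptime_ms < prev_uptime:
            findings.append(f"agent {hdr.agent} restarted")
        elif hdr.sequence != expected:
            findings.append(
                f"sequence gap: expected {expected}, got {hdr.sequence}")
    state[key] = (hdr.sequence, hdr.uptime_ms)
    return findings


def build_header(agent: str, sub_agent_id: int, sequence: int,
                 uptime_ms: int, num_samples: int = 0) -> bytes:
    """Constructed sample input: IPv4 agent header with no sample records."""
    return (struct.pack("!II", 5, 1)
            + ipaddress.IPv4Address(agent).packed
            + struct.pack("!IIII", sub_agent_id, sequence, uptime_ms,
                          num_samples))


if __name__ == "__main__":
    inventory = {"192.0.2.10": "198.51.100.1"}  # constructed addresses
    state: Dict[Tuple[str, int], Tuple[int, int]] = {}
    for seq, uptime in [(41, 1000), (42, 1250), (45, 1500)]:
        pkt = build_header("192.0.2.10", 0, seq, uptime)
        print(seq, check_datagram(pkt, "198.51.100.1", inventory, state))
```

Configuring both the agent ID and the source IP explicitly on the device keeps the inventory stable across reboots, so an unknown agent ID in this check then points to a real change rather than to automatic reassignment.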

sFlow Limitations on Routers

On routers, limitations of sFlow traffic sampling include the following:

  • The Trio chipset cannot support a different sampling rate for each family. Hence, only one sampling rate can be supported per line card.

  • Adaptive load balancing is applied per line card and not per interface under the line card.

Routers support configuration of only one sampling rate (inclusive of ingress and egress rates) on a line card. To support compatibility with the sFlow configuration of other Juniper Networks products, the routers still accept multiple rate configurations on different interfaces of the same line card. However, the router programs the lowest rate as the sampling rate for all the interfaces of that line card. The show sflow interfaces command displays the configured rate and the actual (effective) rate. However, different rates on different line cards are still supported on Juniper Networks routers.

sFlow Limitations on Switches

On the QFX Series, limitations of sFlow traffic sampling include the following:

  • sFlow sampling on ingress interfaces does not capture CPU-bound traffic.

  • sFlow sampling on egress interfaces does not support broadcast and multicast packets.

  • Egress samples do not contain modifications made to the packet in the egress pipeline.

  • If a packet is discarded because of a firewall filter, the reason code for discarding the packet is not sent to the collector.

  • On EX9200 switches and QFX Series switches except the QFX10K switches, true OIF (outgoing interface) is not supported with sFlow.

  • The out-priority field for a VLAN is always set to 0 (zero) on ingress and egress samples.

  • On QFX5100 standalone switches and the QFX Series Virtual Chassis (including mixed QFX Series Virtual Chassis), egress firewall filters are not applied to sFlow sampling packets. On these platforms, the software architecture is different from that on other QFX Series devices—sFlow packets are sent by the Routing Engine (not the line card on the host) and do not transit the switch. Egress firewall filters affect data packets that are transiting a switch, but do not affect packets sent by the Routing Engine. As a result, sFlow sampling packets are always sent to the sFlow collector.

EX9200 switches support configuration of only one sampling rate (inclusive of ingress and egress rates) on an FPC (or line card). To support compatibility with the sFlow configuration of other Juniper Networks products, EX9200 switches still accept multiple rate configurations on different interfaces of the same FPC. However, the switch programs the lowest rate as the sampling rate for all the interfaces of that FPC. The show sflow interfaces command displays the configured rate and the actual (effective) rate. However, different rates on different FPCs are still supported on EX9200 switches.

Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch

The sFlow technology is a monitoring technology for high-speed switched or routed networks. sFlow monitoring technology randomly samples network packets and sends the samples to a monitoring station. You can configure sFlow technology on a Juniper Networks EX Series Ethernet Switch to continuously monitor traffic at wire speed on all interfaces simultaneously.

Sampling Mechanism and Architecture of sFlow Technology on EX Series Switches

sFlow technology uses the following two sampling mechanisms:

  • Packet-based sampling: Samples one packet out of a specified number of packets from an interface enabled for sFlow technology.

  • Time-based sampling: Samples interface statistics at a specified interval from an interface enabled for sFlow technology.

The sampling information is used to create a network traffic visibility picture. The Juniper Networks Junos operating system (Junos OS) fully supports the sFlow standard described in RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks.

Note:

sFlow technology on the switches samples only raw packet headers. A raw Ethernet packet is the complete Layer 2 network frame.

An sFlow monitoring system consists of an sFlow agent embedded in the switch and a centralized collector. The sFlow agent’s two main activities are random sampling and statistics gathering. The sFlow agent combines interface counters and flow samples and sends them across the network to the sFlow collector in UDP datagrams, directing those datagrams to the IP address and UDP destination port of the collector. Each datagram contains the following information:

  • The IP address of the sFlow agent

  • The number of samples

  • The interface through which the packets entered the agent

  • The interface through which the packets exited the agent

  • The source and destination interface for the packets

  • The source and destination VLAN for the packets

EX Series switches adopt the distributed sFlow architecture. The sFlow agent has two separate sampling entities that are associated with each Packet Forwarding Engine. These sampling entities are known as subagents. Each subagent has a unique ID that is used by the collector to identify the data source. A subagent has its own independent state and forwards its own sample packets to the sFlow agent. The sFlow agent is responsible for packaging the samples into datagrams and sending them to the sFlow collector. Because sampling is distributed across subagents, the protocol overhead associated with sFlow technology is significantly reduced at the collector.

Note:

You cannot configure sFlow monitoring on a link aggregation group (LAG), but you can configure it individually on a LAG member interface.

Note:

If the primary-role assignment changes in a Virtual Chassis setup, sFlow technology continues to function.

Adaptive Sampling

The switches use adaptive sampling to ensure both sampling accuracy and efficiency. Adaptive sampling is a process of monitoring the overall incoming traffic rate on the network device and providing intelligent feedback to interfaces to dynamically adapt the sampling rates on interfaces on the basis of traffic conditions. Interfaces on which incoming traffic exceeds the system threshold are checked so that all violations can be regulated without affecting the traffic on other interfaces. Every 12 seconds, the agent checks interfaces to get the number of samples, and interfaces are grouped on the basis of the slot that they belong to. The top five interfaces that produce the highest number of samples are selected. Using the binary backoff algorithm, the sampling load on these interfaces is reduced by half and allotted to interfaces that have a lower sampling rate. Therefore, when the processor’s sampling limit is reached, the sampling rate is adapted such that it does not load the processor any further. If the switch is rebooted, the adaptive sampling rate is reset to the user-configured sampling rate. Also, if you modify the sampling rate, the adaptive sampling rate changes.

The advantage of adaptive sampling is that the switch continues to operate at its optimum level even when there is a change in the traffic patterns in the interfaces. You do not need to make any changes. Because the sampling rate adapts dynamically to changing network conditions, the resources are utilized optimally resulting in a high-performance network.

Infrequent sampling flows might not be reported in the sFlow information, but over time, the majority of flows are reported. On the basis of the configured sampling rate N, 1 out of N packets is captured and sent to the collector. This type of sampling does not provide a result that is 100 percent accurate in the analysis, but it does provide a result of quantifiable accuracy. A user-configured polling interval defines how often the sFlow data for a specific interface are sent to the collector, but an sFlow agent can also schedule polling.

Note:

sFlow technology on EX Series switches does not support graceful restart. When a graceful restart occurs, the adaptive sampling rate is set to the user-configured sampling rate.
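The following added example (not Juniper code) models the adaptive sampling behaviour described above and shows its effect at the collector during a traffic flood: each backoff pass doubles N on the busiest interface, so raw sample counts halve while real traffic is unchanged, and estimates or alert thresholds must scale by the sampling rate carried in each flow sample rather than by the configured rate. The trigger condition (samples in a 12-second window above 300 packets/second per slot), the interface names, and the traffic figures are assumptions constructed for illustration; the error bound is the standard sFlow estimate, percent error <= 196 * sqrt(1/samples) at 95 percent confidence.

```python
import math

WINDOW_S = 12      # page: the agent checks sample counts every 12 seconds
LIMIT_PPS = 300    # page: fixed sampling limit, packets/second per FPC
TOP_N = 5          # page: the five interfaces producing the most samples

def adaptive_pass(rates, offered_pps):
    """One 12-second check for one slot (simplified model, an assumption).

    rates: {interface: N}; offered_pps: {interface: packets per second}.
    Returns (new_rates, samples produced in this window at the old rates).
    """
    samples = {ifc: offered_pps[ifc] * WINDOW_S // n for ifc, n in rates.items()}
    new_rates = dict(rates)
    if sum(samples.values()) > LIMIT_PPS * WINDOW_S:
        busiest = sorted(samples, key=samples.get, reverse=True)[:TOP_N]
        for ifc in busiest:
            new_rates[ifc] = rates[ifc] * 2   # binary backoff: half the samples
    return new_rates, samples

def estimate(sample_count, rate):
    """Collector scaling: packets ~= samples * N, with the 95% error bound."""
    if sample_count == 0:
        return 0, math.inf
    return sample_count * rate, 196.0 * math.sqrt(1.0 / sample_count)

def simulate(configured_rate, offered_pps, watched, windows):
    """Follow one interface across windows and compare two ways of scaling."""
    rates = {ifc: configured_rate for ifc in offered_pps}
    rows = []
    for _ in range(windows):
        in_effect = rates[watched]            # rate reported with the samples
        rates, samples = adaptive_pass(rates, offered_pps)
        count = samples[watched]
        scaled, err_pct = estimate(count, in_effect)
        rows.append({
            "rate": in_effect,
            "samples": count,
            "estimate": scaled,                  # scaled by the in-sample rate
            "naive": count * configured_rate,    # wrongly assumes configured N
            "err_pct": round(err_pct, 2),
        })
    return rows

# Constructed scenario: one slot, six interfaces, a flood on ge-0/0/0.
OFFERED = {"ge-0/0/0": 2_000_000, **{f"ge-0/0/{i}": 1_000 for i in range(1, 6)}}

if __name__ == "__main__":
    for row in simulate(1000, OFFERED, "ge-0/0/0", 4):
        print(row)
```

In this constructed run the naive figure falls by half in every window while the estimate scaled by the in-sample rate stays constant, which is why a threshold on raw sample counts can miss a sustained flood.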

sFlow Agent Address Assignment

The sFlow collector uses the sFlow agent’s IP address to determine the source of the sFlow data. You can configure the IP address of the sFlow agent to ensure that the agent ID of the sFlow agent remains constant. If you do not configure the IP address of the sFlow agent, an IP address is automatically assigned to the agent. This is the IP address of one of the following interfaces configured on the switch taken in the given order of priority:

1. Virtual management Ethernet (VME) interface

2. Management Ethernet interface

If neither of the preceding interfaces has been configured, the IP address of any Layer 3 interface or the routed VLAN interface (RVI) is assigned to the agent. At least one interface must be configured on the switch for an IP address to be automatically assigned to the agent. When the agent’s IP address is assigned automatically, the IP address is dynamic and changes when the switch reboots.

sFlow data can be used to provide network traffic visibility information. You can explicitly configure the IP address to be assigned to source data (sFlow datagrams). If you do not explicitly configure that address, the IP address of the configured Gigabit Ethernet interface, 10-Gigabit Ethernet interface, or the RVI is used as the source IP address.
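The following added example (not Juniper code) shows a collector-side check built on the identifiers described above: it reads the agent address and sub-agent ID from each datagram header, compares the agent address with the one expected for the sending source IP, and tracks sequence numbers per sub-agent. It assumes the sFlow version 5 datagram header layout (version, address type, agent address, sub-agent ID, sequence number, uptime, sample count); the class and function names, finding labels, and addresses are constructed for illustration.

```python
import ipaddress
import struct

def parse_header(datagram):
    """Parse the fixed part of an sFlow v5 datagram (XDR, big-endian)."""
    if len(datagram) < 8:
        raise ValueError("truncated datagram")
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_len = {1: 4, 2: 16}.get(addr_type)        # 1 = IPv4, 2 = IPv6
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    if len(datagram) < 8 + addr_len + 16:
        raise ValueError("truncated datagram")
    agent = ipaddress.ip_address(datagram[8:8 + addr_len])
    sub_agent, seq, uptime_ms, count = struct.unpack_from(
        "!IIII", datagram, 8 + addr_len)
    return {"agent": str(agent), "sub_agent": sub_agent, "seq": seq,
            "uptime_ms": uptime_ms, "samples": count}

class SourceTracker:
    """Identify data sources by (agent address, sub-agent ID); flag anomalies."""

    def __init__(self, expected):
        self.expected = expected     # {UDP source IP: configured agent ID}
        self.last_seq = {}           # {(agent, sub_agent): last sequence number}

    def check(self, udp_src, datagram):
        hdr = parse_header(datagram)
        findings = []
        want = self.expected.get(udp_src)
        if want is None:
            findings.append("unknown-sender")
        elif want != hdr["agent"]:
            findings.append("agent-id-mismatch")   # e.g. auto-assigned ID changed
        key = (hdr["agent"], hdr["sub_agent"])
        prev = self.last_seq.get(key)
        if prev is not None and hdr["seq"] != (prev + 1) & 0xFFFFFFFF:
            findings.append("sequence-gap")        # lost datagrams or agent restart
        self.last_seq[key] = hdr["seq"]
        return hdr, findings

def build_header(agent, sub_agent, seq, uptime_ms=1000, count=0):
    """Constructed input for the demo: a v5 header with no sample records."""
    ip = ipaddress.ip_address(agent)
    return (struct.pack("!II", 5, 1 if ip.version == 4 else 2) + ip.packed
            + struct.pack("!IIII", sub_agent, seq, uptime_ms, count))

if __name__ == "__main__":
    tracker = SourceTracker({"192.0.2.10": "192.0.2.1"})   # documentation addresses
    for src, agent, sub, seq in [("192.0.2.10", "192.0.2.1", 0, 100),
                                 ("192.0.2.10", "192.0.2.1", 0, 103),
                                 ("192.0.2.10", "192.0.2.77", 0, 1)]:
        print(tracker.check(src, build_header(agent, sub, seq)))
```

Because an automatically assigned agent address changes when the switch reboots, a collector running this kind of check reports a mismatch after a reboot unless the agent ID is configured explicitly.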

Example: Configuring sFlow Technology to Monitor Network Traffic on EX Series Switches

This example describes how to configure and use sFlow technology to monitor network traffic.

Requirements

This example uses the following hardware and software components:

  • One EX Series switch

  • Junos OS Release 9.3 or later for EX Series switches

Overview and Topology

sFlow technology samples network packets and sends the samples to a monitoring station. You can specify sampling rates for ingress and egress packets. The information gathered is used to create a network traffic visibility picture.

Topology

An sFlow monitoring system consists of an sFlow agent embedded in the switch and a centralized collector. The sFlow agent runs on the switch. It combines interface counters and flow samples and sends them across the network to the sFlow collector. Figure 1 depicts the basic elements of the sFlow system.

Figure 1: sFlow Technology Monitoring System

Configuration

To configure sFlow technology, perform the following tasks:

CLI Quick Configuration

To quickly configure sFlow technology, copy the following commands and paste them into the switch terminal window:

Procedure

Step-by-Step Procedure

To configure sFlow technology:

  1. Configure the IP address and UDP port of the collector:

    Note:

    You can configure a maximum of 4 collectors.

    The default UDP port is 6343.

  2. Enable sFlow technology on a specific interface:

    Note:

    You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface.

    You cannot enable sFlow technology on a link aggregation group (LAG) interface, but you can enable it on the member interfaces of a LAG.

  3. Specify in seconds how often the sFlow agent polls the interface:

    Note:

    The polling interval can be specified as a global parameter also. Specify 0 if you do not want to poll the interface.

  4. Specify the rate at which egress packets must be sampled:

    Note:

    You can specify both egress and ingress sampling rates. If you set only the egress sampling rate, the ingress sampling rate will be disabled.

    Note:

    We recommend that you configure the same sampling rates on all the ports on a line card. If you configure different sampling rates on different ports, the lowest value is used for all ports. You could still configure different rates on different line cards.

Results

Check the results of the configuration:

Verification

To confirm that the configuration is correct, perform these tasks:

Verifying That sFlow Technology Is Configured Properly

Purpose

Verify that sFlow technology is configured properly.

Action

Use the show sflow command:

Note:

The sampling limit cannot be configured and is set to 300 packets/second per FPC.

Meaning

The output shows that sFlow technology is enabled and specifies the values for the sampling limit, polling interval, and the egress sampling rate.

Verifying That sFlow Technology Is Enabled on the Specified Interface

Purpose

Verify that sFlow technology is enabled on the specified interfaces and display the sampling parameters.

Action

Use the show sflow interface command:

Meaning

The output indicates that sFlow technology is enabled on the ge-0/0/0.0 interface with an egress sampling rate of 1000, a disabled ingress sampling rate, and a polling interval of 20 seconds.

Verifying the sFlow Collector Configuration

Purpose

Verify the sFlow collector's configuration.

Action

Use the show sflow collector command:

Meaning

The output displays the IP address of the collectors and the UDP ports. It also displays the number of samples.

Example: Configuring sFlow Technology to Monitor Network Traffic on MX Series Routers

sFlow technology is a network monitoring technology for high-speed switched or routed networks. It is a technology that is based on statistical sampling. You can configure sFlow technology to continuously monitor traffic at wire speed on all interfaces simultaneously. sFlow data can be used to provide network traffic visibility information. You can specify sampling rates for ingress and egress packets. Junos OS fully supports the sFlow standard described in RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks.

This example describes how to configure and use sFlow technology to monitor network traffic.

Requirements

This example uses the following hardware and software components:

  • One MX Series router

  • Junos OS Release 18.1 or later for MX Series routers

Overview and Topology

sFlow technology samples network packets and sends the samples to a monitoring station. You can specify sampling rates for ingress and egress packets. The information gathered is used to create a network traffic visibility picture.

Topology

An sFlow monitoring system consists of an sFlow agent embedded in the switch and a centralized collector. The sFlow agent runs on the switch. It combines interface counters and flow samples and sends them across the network to the sFlow collector. Figure 2 depicts the basic elements of the sFlow system.

Figure 2: sFlow Technology Monitoring System

Configuration

To configure sFlow technology, perform the following tasks:

CLI Quick Configuration

To quickly configure sFlow technology, copy the following commands and paste them into the router terminal window:

Procedure

Step-by-Step Procedure

To configure sFlow technology:

  1. Configure the IP address and UDP port of the collector:

    Note:

    You can configure a maximum of 4 collectors.

    The default UDP port is 6343.

  2. Enable sFlow technology on a specific interface:

    Note:

    You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface.

    You cannot enable sFlow technology on a link aggregation group (LAG) interface, but you can enable it on the member interfaces of a LAG.

  3. Specify in seconds how often the sFlow agent polls the interface:

    Note:

    The polling interval can be specified as a global parameter also. Specify 0 if you do not want to poll the interface.

  4. Specify the global rate at which egress packets must be sampled:

    Note:

    You can specify both egress and ingress sampling rates. If you set only the egress sampling rate, the ingress sampling rate will be disabled.

  5. Specify the interface-level polling interval and sampling rate:

    Note:

    When you configure sFlow technology at both the interface level and the global level, the interface-level configuration takes precedence.

    Note:

    We recommend that you configure the same sampling rates on all the ports on a line card. If you configure different sampling rates on different ports, the lowest value is used for all ports. You could still configure different rates on different line cards.

Results

Check the results of the configuration:

Verification

To confirm that the configuration is correct, perform these tasks:

Verifying That sFlow Technology Is Configured Properly

Purpose

Verify that sFlow technology is configured properly.

Action

Use the show sflow command:

Note:

The sampling limit cannot be configured and is set to 300 packets/second per FPC.

Meaning

The output shows that sFlow technology is enabled and specifies the values for the sampling limit, polling interval, and the egress sampling rate.

Verifying That sFlow Technology Is Enabled on the Specified Interface

Purpose

Verify that sFlow technology is enabled on the specified interfaces and display the sampling parameters.

Action

Use the show sflow interface command:

Meaning

The output indicates that sFlow technology is enabled on the ge-0/0/0.0 interface with an egress sampling rate of 1000, a disabled ingress sampling rate, and a polling interval of 20 seconds. Similarly, sFlow is also enabled on the ge-0/0/1.0 interface with an egress sampling rate of 1000, an ingress sampling rate of 1000, and a polling interval of 10 seconds.

Verifying the sFlow Collector Configuration

Purpose

Verify the sFlow collector's configuration.

Action

Use the show sflow collector command:

Meaning

The output displays the IP address of the collectors and the UDP ports. It also displays the number of samples.

Configuring sFlow Technology for Network Monitoring (CLI Procedure)

sFlow technology is a network monitoring technology for high-speed switched or routed networks. It is a technology that is based on statistical sampling. You can configure sFlow technology to continuously monitor traffic at wire speed on all interfaces simultaneously. Junos OS fully supports the sFlow standard described in RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks.

On the QFabric system, the sFlow monitoring global configuration that is defined on the Director device is distributed to Node groups that have sFlow sampling configured on the interfaces.

To configure sFlow features:

  1. Configure the IP address and the UDP port of the collector:

    The default UDP port is 6343.

  2. Enable sFlow technology on a specific interface.

    You must enable sFlow monitoring on each interface individually; you cannot globally enable sFlow monitoring on all interfaces with a single configuration statement.

    Be aware of the following caveats about sFlow on interfaces:

    • With the exception of the QFX10000 Series switches, you cannot enable sFlow technology on a Layer 3 VLAN-tagged interface.

    • You cannot enable sFlow technology on a link aggregation group (LAG), but you can enable it on the member interfaces of a LAG.

    • sFlow technology is not supported on a VXLAN interface.

  3. Specify in seconds how often the sFlow agent polls interfaces:

    Note:

    Specify 0 if you do not want to poll the interface.

  4. Specify the rate at which packets must be sampled. You can specify either an egress or an ingress sampling rate, or both.

    Note:

    We recommend that you configure the same sampling rates on all the ports on a line card. If you configure different sampling rates on different ports, the lowest value is used for all ports. You could still configure different rates on different line cards.

    To specify an egress sampling rate:

    To specify an ingress sampling rate:

  5. (Optional) You can also configure the polling interval and the egress and ingress sampling rates at the interfaces level:

    Note:

    The interfaces-level configuration overrides the global configuration for the specified interface.

  6. Specify an IP address to be used as the agent ID for the sFlow agent:

  7. Specify the source IP address to be used for sFlow datagrams:

  8. (Optional) Set the disable-sw-rate-limiter configuration statement so that the sampling rate stays within the maximum hardware sampling rate.

    Packet-based sampling in sFlow is implemented in the hardware. If traffic levels are unusually high, the hardware generates more samples than it can handle, and the extra samples are dropped, producing inaccurate results. Enabling the disable-sw-rate-limiter statement disables the software rate-limiting algorithm and allows the hardware sampling rate to stay within the maximum sampling rate.

Example: Monitoring Network Traffic Using sFlow Technology

This example describes how to configure and use sFlow monitoring on a QFX3500 switch in standalone mode.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 11.3 or later

  • One QFX3500 switch

Overview

An sFlow monitoring system consists of an sFlow agent embedded in the device and a centralized collector on the network. The two main activities of the sFlow agent are random sampling and statistics gathering. The sFlow agent combines interface counters and flow samples and sends them to the IP address and UDP destination port of the sFlow collector in UDP datagrams.

Topology

Figure 3 depicts the basic elements of an sFlow system.

Figure 3: sFlow Technology Monitoring System

Configuration

Procedure

CLI Quick Configuration

To quickly configure sFlow technology, copy the following commands and paste them into the terminal window of the switch:

Step-by-Step Procedure

To configure sFlow features using the CLI:

  1. Configure the IP address and UDP port of at least one collector:

    The default UDP port assigned is 6343.

  2. Enable sFlow technology on a specific interface:

    Note:

    You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface.

    You cannot enable sFlow technology on a LAG interface (for example, ae0), but you can enable sFlow technology on the member interfaces of the LAG (for example, xe-0/0/1).

  3. Specify how often (in seconds) the sFlow agent polls all interfaces at the global level:

    Note:

    Specify 0 if you do not want to poll the interface.

  4. Specify the rate at which packets must be sampled at the global level. The following example sets a sample rate of 1 in 1000 packets:

Results

Check the results of the configuration:

Verification

To confirm that the configuration is correct, perform these tasks:

Verifying That sFlow Technology Has Been Configured Properly

Purpose

Verify that sFlow technology has been configured properly.

Action

Enter the show sflow operational mode command:

Note:

The sample limit cannot be configured and is set to 300 packets per second.

Meaning

The output shows that sFlow technology is enabled and specifies the values for the sampling limit, polling interval, and sampling rate.

Verifying That sFlow Technology Is Enabled on an Interface

Purpose

Verify that sFlow technology is enabled on interfaces and display the sampling parameters.

Action

Enter the show sflow interface operational mode command:

Meaning

The output indicates that sFlow technology is enabled on the Node1:xe-0/0/1.0 interface on the Node device with a sampling rate of 1000 and a polling interval of 20 seconds.

Verifying the sFlow Collector Configuration

Purpose

Verify the sFlow collector configuration.

Action

Enter the show sflow collector operational mode command:

Meaning

The output displays the IP address of the collector, the UDP port, and the number of samples collected.

Release History Table

| Release | Description |
| --- | --- |
| 20.4R1 | Starting in Junos OS Release 20.4R1, you can use sFlow technology to sample IP-IP traffic at a physical port. This feature is supported for IP-IP tunnels with an IPv4 outer header that carry IPv4 or IPv6 traffic. Use sFlow monitoring technology to randomly sample network packets from IP-IP tunnels and send the samples to a destination collector for monitoring. Devices that act as an IP-IP tunnel entry point, transit device, or tunnel endpoint support sFlow sampling. |
| 19.1R1 | Starting in Junos OS Release 19.1R1, for MX Series, PTX Series, and QFX Series devices, Junos OS supports the adaptive sampling fallback feature. |
| 18.3R1 | Starting in Junos OS Release 18.3R1, for EX Series switches, Junos OS supports the adaptive sampling fallback feature. |