sFlow Monitoring Technology
Overview of sFlow Technology
The sFlow technology is a monitoring technology for high-speed switched or routed networks. sFlow monitoring technology collects samples of network packets and sends them in a UDP datagram to a monitoring station called a collector. You can configure sFlow technology on a device to monitor traffic continuously at wire speed on all interfaces simultaneously. You must enable sFlow monitoring on each interface individually; you cannot globally enable sFlow monitoring on all interfaces with a single configuration statement. Junos OS supports the sFlow technology standard described in RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks (see http://faqs.org/rfcs/rfc3176.html).
sFlow technology implements the following two sampling mechanisms:
- Packet-based sampling—Samples one packet out of a specified number of packets from an interface enabled for sFlow technology. Only the first 128 bytes of each packet are sent to the collector. Data collected include the Ethernet, IP, and transport layer headers, along with other application-level headers (if present). Although this type of sampling might not capture infrequent packet flows, the majority of flows are reported over time, allowing the collector to generate a reasonably accurate representation of network activity. You configure packet-based sampling when you specify a sample rate.
- Time-based sampling—Samples interface statistics (counters) at a specified interval from an interface enabled for sFlow technology. Statistics such as Ethernet interface errors are captured. You configure time-based sampling when you specify a polling interval.
Benefits of sFlow Technology
- sFlow can be used by software tools such as a network analyzer to continuously monitor tens of thousands of switch or router ports simultaneously.
- Because sFlow uses network sampling (forwarding one packet out of every n packets) for analysis, it is not resource intensive (for example, in processing or memory). The sampling is done in the hardware application-specific integrated circuits (ASICs) and, hence, is simple and more accurate.
sFlow Support on Switches
EX Series
EX Series switches adopt the distributed sFlow architecture. The sFlow agent has two separate sampling entities that are associated with each Packet Forwarding Engine. These sampling entities are known as subagents. Each subagent has a unique ID that is used by the collector to identify the data source. A subagent has its own independent state and forwards its own sample packets to the sFlow agent. The sFlow agent is responsible for packaging the samples into datagrams and sending them to the sFlow collector. Because sampling is distributed across subagents, the protocol overhead associated with sFlow technology is significantly reduced at the collector.
For the EX9200 switch and MX Series routers, we recommend that you configure the same sample rate for all the ports in a line card. If you configure different sample rates, the lowest value is used for all ports on the line card.
In the case of dual VLANs, not all fields may be reported.
If the primary-role assignment changes in a Virtual Chassis setup, sFlow technology continues to function.
QFX Series
sFlow technology on the switches samples only raw packet headers. A raw Ethernet packet is the complete Layer 2 network frame.
An sFlow monitoring system consists of an sFlow agent embedded in the device (switch) and up to four external collectors. The sFlow agent's two main activities are random sampling and statistics gathering. The sFlow agent performs packet sampling and gathers interface statistics, and then combines the information into UDP datagrams that are sent to the sFlow collectors. An sFlow collector can be connected to the switch through the management network or data network. The software forwarding infrastructure daemon (SFID) on the switch looks up the next-hop address for the specified collector IP address to determine whether the collector is reachable by way of the management network or data network.
Each datagram contains the following information:
-
The IP address of the sFlow agent
-
The number of samples
-
The interface through which the packets entered the agent
-
The interface through which the packets exited the agent
-
The source and destination interface for the packets
-
The source and destination VLAN for the packets
You can view the Extended router data and Extended switch data headers on the collector as part of the sFlow records.
The Extended switch data contains the Flow data length (bytes), Incoming 802.1Q VLAN, Incoming 802.1p priority, Outgoing 802.1Q VLAN, and Outgoing 802.1p priority fields.
The Extended router data contains the Flow data length (bytes), Next hop, Next hop source mask, and Next hop destination mask fields.
sFlow IP-over-IP
Starting in Junos OS Release 20.4R1, you can use sFlow technology to sample IP-over-IP traffic at a physical port on QFX5100 and QFX5200 devices. This feature is supported for IP-over-IP tunnels with an IPv4 outer header that carry IPv4 or IPv6 traffic. Use sFlow monitoring technology to randomly sample network packets from IP-over-IP tunnels and send the samples to a destination collector for monitoring. Devices that act as an IP-over-IP tunnel entry point, transit device, or tunnel endpoint support sFlow sampling. Table 1 shows the fields that are reported when a packet is sampled at the ingress or egress interface of a device that acts as an IP-over-IP tunnel entry point, transit device, or tunnel endpoint.
sFlow Field | Tunnel Entry Point | Transit Device | Tunnel Endpoint |
---|---|---|---|
Raw packet header | Includes payload only | Includes payload and tunnel header | Egress: includes payload only. Ingress: includes payload and tunnel header |
Input interface | Incoming IFD SNMP index | Incoming IFD SNMP index | Incoming IFD SNMP index |
Output interface | Outgoing IFD SNMP index | Outgoing IFD SNMP index | Outgoing IFD SNMP index |
QFabric
On a QFabric system, sFlow technology monitors the interfaces on each Node device as a group, and implements the binary backoff algorithm based on the traffic on that group of interfaces.
On the QFabric system, the following default values are used if the optional parameters are not configured:
- Agent ID is the management IP address of the default partition.
- Source IP is the management IP address of the default partition.
In addition, the QFabric system subagent ID (which is included in the sFlow datagrams) is the ID of the Node group from which the datagram is sent to the collector.
On a QFabric system, the sFlow technology architecture is distributed. The global sFlow technology configuration defined on the QFabric system Director device is distributed to Node groups that have sFlow sampling configured on their interfaces. The sFlow agent has a separate sampling entity, known as a subagent, running on each Node device. Each subagent has its own independent state and forwards its own sample information (datagrams) directly to the sFlow collectors.
On the QFabric system, an sFlow collector must be reachable through the data network. Because each Node device has all routes stored in the default routing instance, the collector IP address should be included in the default routing instance to ensure the collector’s reachability from the Node device.
Regardless of the rate of traffic or the configured sampling interval, a datagram is sent whenever its size reaches the maximum Ethernet transmission unit (MTU) of 1500 bytes, or whenever a 250-ms timer expires, whichever occurs first. The timer ensures that a collector receives regularly sampled data.
Packet-based sampling in sFlow is implemented in the hardware. If traffic levels are unusually high, the hardware generates more samples than it can handle, and the extra samples are dropped, producing inaccurate results. Enabling the disable-sw-rate-limiter statement disables the software rate-limiting algorithm and allows the hardware sampling rate to stay within the maximum sampling rate.
EVPN-VXLAN
On QFX10000 Series switches you can use sFlow technology to sample known multicast traffic carried over EVPN-VXLAN. Sampling of known multicast traffic is supported for traffic that enters the switch over EVPN-VXLAN (in other words, on a core-facing interface) and egresses the switch out of customer-facing ports. Known multicast traffic sampling is supported only in the egress direction. To enable egress sFlow sampling of known multicast traffic on a customer-facing port, enable sFlow on the interface in the egress direction, as in the standard unicast traffic sampling scenario. In addition, include the egress-multicast enable option at the [edit forwarding-options sflow] hierarchy level. The maximum replication rate for multicast traffic samples can be configured using the egress-multicast max-replication-rate rate option at the [edit forwarding-options sflow egress-multicast] hierarchy level.
When a set of interfaces with egress sFlow sampling enabled are subscribed to a given multicast group and the egress sFlow multicast sampling option is enabled, all the interfaces in the set are sampled at the same rate: the minimum configured sFlow rate, in other words the most aggressive sampling rate among that set of interfaces. A single port generates samples at different rates if it is part of multiple multicast groups, because multicast sampling for a specific group depends on the most aggressive sampling rate among the ports of that group.
On EVPN-VXLAN, the centrally routed bridging (CRB) and edge-routed bridging (ERB) architectures are supported with sFlow. EVPN-VXLAN supports only IPv4 addresses.
Incoming Interface and Encapsulation | Outgoing Interface and Encapsulation | Required Sampled Content | Forwarding Scenario | Metadata |
---|---|---|---|---|
Access port Layer 2 traffic | Network port | Incoming Layer 2 header + Layer 2 payload | Packets are encapsulated with VXLAN header and forwarded. | Incoming Interface Index or Identifier. Outgoing Interface Index or Identifier |
Network port Layer 3 traffic | Access port | Incoming Layer 3 header + VXLAN header + Inner payload | Packets are de-capsulated and forwarded. | Incoming Virtual Tunnel End Point (VTEP) Interface Index or Identifier. Outgoing Interface Index or Identifier |
Access port Layer 2 traffic | Network port | Incoming Layer 2 Header + Layer 2 payload | Packets are encapsulated with VXLAN header and forwarded. | Incoming Interface Index or Identifier. Outgoing Interface Index or Identifier |
Network port Layer 3 traffic | Access port | Inner payload | Packets are de-capsulated and forwarded. | Incoming VTEP Interface Index or Identifier. Outgoing Interface Index or Identifier |
Table 3 provides the metadata reported in the extended switch data and extended routing data for each EVPN-VXLAN scenario. IIF VLAN, IIF VLAN Priority, OIF VLAN, and OIF VLAN Priority are extended switch data fields; NH IP, NH SMASK, and NH DMASK are extended routing data fields.
EVPN-VXLAN | Scenario | Traffic Type | sFlow Interface Side | VXLAN Tunnel Type | IIF VLAN | IIF VLAN Priority | OIF VLAN | OIF VLAN Priority | NH IP | NH SMASK | NH DMASK |
---|---|---|---|---|---|---|---|---|---|---|---|
CRB | Layer 2 GW Leaf | Layer 2 | Ingress | Encap | Yes | Yes | No | No | Yes | Yes | Yes |
CRB | Layer 2 GW Leaf | Layer 2 | Ingress | Decap | No | No | Yes | No | No | No | No |
CRB | Layer 2 GW Leaf | Layer 2 | Egress | Encap | Yes | No | No | No | Yes | Yes | Yes |
CRB | Layer 2 GW Leaf | Layer 2 | Egress | Decap | No | No | Yes | No | No | No | No |
CRB | Layer 3 GW Spine | Layer 2 | Ingress | No | No | No | No | No | No | No | No |
CRB | Layer 3 GW Spine | Layer 2 | Ingress | No | No | No | No | No | No | No | No |
CRB | Layer 3 GW Spine | Layer 2 | Ingress | Transit | No | No | No | No | Yes | Yes | Yes |
CRB | Layer 3 GW Spine | Layer 2 | Egress | No | No | No | No | No | No | No | No |
CRB | Layer 3 GW Spine | Layer 2 | Egress | No | No | No | No | No | No | No | No |
CRB | Layer 3 GW Spine | Layer 2 | Egress | Transit | No | No | No | No | Yes | Yes | Yes |
CRB | Layer 3 GW Spine | Layer 3 Traffic (Inter VLAN Case) | Ingress | Encap | No | No | No | No | Yes | Yes | Yes |
CRB | Layer 3 GW Spine | Layer 3 Traffic (Inter VLAN Case) | Ingress | Decap | No | No | No | No | Yes | Yes | Yes |
CRB | Layer 3 GW Spine | Layer 3 Traffic (Inter VLAN Case) | Ingress | Transit | No | No | No | No | Yes | Yes | Yes |
CRB | Layer 3 GW Spine | Layer 3 Traffic (Inter VLAN Case) | Egress | Encap | No | No | No | No | Yes | Yes | Yes |
CRB | Layer 3 GW Spine | Layer 3 Traffic (Inter VLAN Case) | Egress | Decap | No | No | No | No | Yes | Yes | Yes |
CRB | Layer 3 GW Spine | Layer 3 Traffic (Inter VLAN Case) | Egress | Transit | No | No | No | No | Yes | Yes | Yes |
ERB | Layer 2+Layer 3 | Layer 2 | Ingress | Encap | Yes | Yes | No | No | Yes | Yes | Yes |
ERB | Layer 2+Layer 3 | Layer 2 | Ingress | Decap | No | No | Yes | No | No | No | No |
ERB | Layer 2+Layer 3 | Layer 2 | Egress | Encap | Yes | No | No | No | Yes | No | Yes |
ERB | Layer 2+Layer 3 | Layer 2 | Egress | Decap | No | No | Yes | No | No | No | No |
ERB | Layer 2+Layer 3 | Layer 3 Traffic (Inter VLAN Case) | Ingress | Encap | Yes | Yes | No | No | Yes | Yes | Yes |
ERB | Layer 2+Layer 3 | Layer 3 Traffic (Inter VLAN Case) | Ingress | Decap | No | No | Yes | No | No | No | No |
ERB | Layer 2+Layer 3 | Layer 3 Traffic (Inter VLAN Case) | Egress | Encap | Yes | No | No | No | Yes | Yes | Yes |
ERB | Layer 2+Layer 3 | Layer 3 Traffic (Inter VLAN Case) | Egress | Decap | No | No | Yes | No | No | No | No |
sFlow Support on Routers
PTX Series
On PTX1000 routers and QFX10000 Series switches, sFlow technology always works at the level of the physical interface. Enabling sFlow monitoring on one logical interface enables it on all logical interfaces belonging to that physical interface.
On PTX1000 routers, PTX10000 routers, and QFX10000 Series switches, you can configure sFlow only on an active logical interface. Use the show interfaces terse command to display the status information of interfaces. If both the operational and admin state of an interface are up, then it is an active interface.
On PTX10000 routers, PTX5000 routers, and QFX10000 Series switches, sFlow does not generate samples as expected when the ingress or egress interfaces are part of a routing instance, specifically in an ECMP scenario.
GRE Encapsulation
On PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016 devices, sFlow supports the export of Extended Tunnel Egress Structure fields for traffic entering IPv4 or IPv6 GRE tunnels. This enables sFlow to provide information about the GRE tunnel into which a packet entering the device might be encapsulated. The GRE tunnel can be IPv4 or IPv6. The feature is supported only when sFlow is enabled in the ingress direction, where firewall-filter-based GRE encapsulation is applied to IPv4 or IPv6 packets.
The feature is supported for the following traffic scenarios when ingress sFlow sampling is enabled:
- Incoming IPv4 traffic that undergoes IPv4 GRE encapsulation
- Incoming IPv6 traffic that undergoes IPv4 GRE encapsulation
- Incoming IPv4 traffic that undergoes IPv6 GRE encapsulation
- Incoming IPv6 traffic that undergoes IPv6 GRE encapsulation
To learn more about the sFlow and sFlow Tunnel Structures, see sFlow Tunnel Structures.
Table 4 describes extended tunnel egress structure fields for traffic entering IPv4 or IPv6 GRE tunnels.
Field Name | Value |
---|---|
Protocol reported | 0x2f (GRE) |
Source IP | IPv4 or IPv6 address of the tunnel source |
Destination IP | IPv4 or IPv6 address of the tunnel destination endpoint |
Length | 0 |
Source port | 0 |
Destination port | 0 |
TCP flags | 0 |
Priority | 0 |
The extended structure for IPv4 and IPv6 GRE tunnels is below:
/* opaque = flow_data; enterprise = 0; format = 1023 */
struct extended_ipv4_tunnel_egress {
    sampled_ipv4 header;
}

/* opaque = flow_data; enterprise = 0; format = 1025 */
struct extended_ipv6_tunnel_egress {
    sampled_ipv6 header;
}
Sampled IPv4 header structure is below:
/* Packet IP version 4 data */
/* opaque = flow_data; enterprise = 0; format = 3 */
struct sampled_ipv4 {
    unsigned int length;     /* The length of the IP packet excluding lower layer encapsulations */
    unsigned int protocol;   /* IP Protocol type (for example, TCP = 6, UDP = 17) */
    ip_v4 src_ip;            /* Source IP Address */
    ip_v4 dst_ip;            /* Destination IP Address */
    unsigned int src_port;   /* TCP/UDP source port number or equivalent */
    unsigned int dst_port;   /* TCP/UDP destination port number or equivalent */
    unsigned int tcp_flags;  /* TCP flags */
    unsigned int tos;        /* IP type of service */
}
Sampled IPv6 header structure is below:
/* Packet IP Version 6 Data */
/* opaque = flow_data; enterprise = 0; format = 4 */
struct sampled_ipv6 {
    unsigned int length;     /* The length of the IP packet excluding lower layer encapsulations */
    unsigned int protocol;   /* IP next header (for example, TCP = 6, UDP = 17) */
    ip_v6 src_ip;            /* Source IP Address */
    ip_v6 dst_ip;            /* Destination IP Address */
    unsigned int src_port;   /* TCP/UDP source port number or equivalent */
    unsigned int dst_port;   /* TCP/UDP destination port number or equivalent */
    unsigned int tcp_flags;  /* TCP flags */
    unsigned int priority;   /* IP priority */
}
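As an added example (not code from this page or from Junos), here is a small Python decoder for the record types discussed above: the sampled_ipv4/sampled_ipv6 bodies (formats 3 and 4) that the extended tunnel egress structures (formats 1023 and 1025) reuse, plus the extended switch and extended router data mentioned earlier (formats 1001 and 1002, whose layout is assumed from the sFlow v5 specification rather than taken from this page). The sample records are constructed inline, and the Table 4 check for a GRE tunnel-egress record is included.

```python
import struct
import ipaddress

# sFlow v5 flow-record formats (enterprise 0). 3, 4, 1023 and 1025 are the XDR
# structures quoted above; 1001/1002 are assumed from the sFlow v5 specification.
FMT_SAMPLED_IPV4, FMT_SAMPLED_IPV6 = 3, 4
FMT_EXT_SWITCH, FMT_EXT_ROUTER = 1001, 1002
FMT_EXT_IPV4_TUNNEL_EGRESS, FMT_EXT_IPV6_TUNNEL_EGRESS = 1023, 1025
GRE = 0x2F  # "Protocol reported" value from Table 4

def parse_sampled_ip(body, version):
    """sampled_ipv4 (format 3) / sampled_ipv6 (format 4): every field is a 32-bit
    XDR word except the two addresses (4 or 16 bytes); the final word is tos for
    IPv4 and priority for IPv6. Formats 1023/1025 carry the same body."""
    n = 4 if version == 4 else 16
    fmt = ">II%ds%dsIIII" % (n, n)
    if len(body) != struct.calcsize(fmt):
        raise ValueError("bad sampled_ipv%d length %d" % (version, len(body)))
    length, proto, src, dst, sport, dport, flags, last = struct.unpack(fmt, body)
    rec = {"length": length, "protocol": proto,
           "src_ip": str(ipaddress.ip_address(src)), "dst_ip": str(ipaddress.ip_address(dst)),
           "src_port": sport, "dst_port": dport, "tcp_flags": flags}
    rec["tos" if version == 4 else "priority"] = last
    return rec

def parse_ext_switch(body):
    """extended_switch (1001): incoming/outgoing 802.1Q VLAN and 802.1p priority."""
    if len(body) != 16:
        raise ValueError("bad extended_switch length %d" % len(body))
    return dict(zip(("src_vlan", "src_priority", "dst_vlan", "dst_priority"),
                    struct.unpack(">IIII", body)))

def parse_ext_router(body):
    """extended_router (1002): next hop (address type 1 = IPv4, 2 = IPv6), then
    the source and destination mask lengths."""
    (atype,) = struct.unpack(">I", body[:4])
    n = {1: 4, 2: 16}.get(atype)
    if n is None or len(body) != 4 + n + 8:
        raise ValueError("bad extended_router record")
    smask, dmask = struct.unpack(">II", body[4 + n:])
    return {"next_hop": str(ipaddress.ip_address(body[4:4 + n])),
            "src_mask_len": smask, "dst_mask_len": dmask}

PARSERS = {
    FMT_SAMPLED_IPV4: lambda b: parse_sampled_ip(b, 4),
    FMT_SAMPLED_IPV6: lambda b: parse_sampled_ip(b, 6),
    FMT_EXT_SWITCH: parse_ext_switch,
    FMT_EXT_ROUTER: parse_ext_router,
    FMT_EXT_IPV4_TUNNEL_EGRESS: lambda b: parse_sampled_ip(b, 4),
    FMT_EXT_IPV6_TUNNEL_EGRESS: lambda b: parse_sampled_ip(b, 6),
}

def parse_flow_records(data, count):
    """Walk `count` flow records: data_format (enterprise << 12 | format), a byte
    length, then the body. Unknown formats are skipped by length instead of
    aborting, and a length past the buffer is rejected, so a malformed or hostile
    datagram cannot crash the collector."""
    out, off = [], 0
    for _ in range(count):
        if off + 8 > len(data):
            raise ValueError("truncated record header")
        data_format, length = struct.unpack(">II", data[off:off + 8])
        off += 8
        if off + length > len(data):
            raise ValueError("record length exceeds datagram")
        body, off = data[off:off + length], off + length
        enterprise, fmt = data_format >> 12, data_format & 0xFFF
        parser = PARSERS.get(fmt) if enterprise == 0 else None
        out.append((fmt, parser(body) if parser else None))
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return out

def build_record(fmt, body):
    """Encode one enterprise-0 flow record as an agent would."""
    return struct.pack(">II", fmt, len(body)) + body

def build_sampled_ip(version, length, proto, src, dst, sport, dport, flags, last):
    """Encode a sampled_ipv4/ipv6 body from address strings."""
    n = 4 if version == 4 else 16
    return struct.pack(">II%ds%dsIIII" % (n, n), length, proto,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
                       sport, dport, flags, last)

def gre_tunnel_egress_ok(rec):
    """Check a tunnel-egress record against Table 4: protocol 0x2f and length,
    ports, tcp flags and tos/priority all zero."""
    zero = ["length", "src_port", "dst_port", "tcp_flags", "tos" if "tos" in rec else "priority"]
    return rec["protocol"] == GRE and all(rec[k] == 0 for k in zero)

# Constructed sample records (not a capture): an IPv4 TCP flow, its switch data,
# and the tunnel-egress record a PTX adds when the packet enters an IPv4 GRE tunnel.
SAMPLE_RECORDS = (
    build_record(FMT_SAMPLED_IPV4, build_sampled_ip(4, 1400, 6, "10.1.1.10", "10.2.2.20", 44321, 443, 0x18, 0))
    + build_record(FMT_EXT_SWITCH, struct.pack(">IIII", 100, 3, 200, 0))
    + build_record(FMT_EXT_IPV4_TUNNEL_EGRESS, build_sampled_ip(4, 0, GRE, "192.0.2.1", "198.51.100.1", 0, 0, 0, 0))
)

def demo():
    return parse_flow_records(SAMPLE_RECORDS, 3)
```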
sFlow Sample Size
Starting in Junos OS Evolved Release 23.1R1 for PTX Series devices, you can configure the sFlow sample size of the raw packet header to be exported as part of the sFlow record to the collector. The configurable range of the sample size is from 128 bytes through 512 bytes. Use the set protocols sflow sample-size <sample-size> command to configure the sample size. If the configured sample size is greater than the actual packet size, then the actual size of the packet is exported. If you do not configure the sample size, the default size of the raw packet header exported to the collector is 128 bytes.
The sample size configured in the global sFlow configuration is inherited by all the interfaces configured under sFlow protocols.
ACX Series
The sFlow agent is responsible for monitoring the network ports and samples all incoming packets, including control traffic, arriving on all the ports in the system.
sFlow technology is supported only on the ACX5000 line of routers; other ACX Series routers do not support it.
The following sFlow features are supported on the ACX5000 line of routers:
- Packet-based sampling
  Note: This feature is not supported on the ACX5448 router.
- Time-based sampling
- Adaptive sampling
The following sFlow technology limitations apply on ACX5000 line of routers:
- Ingress and egress sampling can be configured on only one of the units under a physical interface, and sFlow is then enabled for the whole physical interface (port). sFlow cannot be enabled if no unit under the physical interface is configured.
- Egress sampling for broadcast, unknown unicast, and multicast (BUM) traffic is not supported because the source-interface field in the sFlow datagrams cannot be populated.
- Destination VLAN and Destination Priority fields are not populated in the case of Layer 3 forwarding.
- sFlow sampling is not supported on the output interface of an analyzer.
- SNMP MIB support for sFlow is not available.
- sFlow cannot be enabled on IRB interfaces.
- sFlow cannot be enabled on logical tunnel (lt-) and LSI interfaces.
sFlow Limitations on Routers
On routers, limitations of sFlow traffic sampling include the following:
- The Trio chipset cannot support a different sampling rate for each family; hence, only one sampling rate can be supported per line card.
- Adaptive load balancing is applied per line card, not per interface under the line card.
Routers support configuration of only one sampling rate (inclusive of ingress and egress rates) on a line card. To support compatibility with the sFlow configuration of other Juniper Networks products, the routers still accept multiple rate configurations on different interfaces of the same line card. However, the router programs the lowest rate as the sampling rate for all the interfaces of that line card. The show sflow interfaces command displays the configured rate and the actual (effective) rate. Different rates on different line cards are still supported on Juniper Networks routers.
In Junos OS Evolved, you can configure sFlow only on Ethernet interfaces (et-*) for the following PTX Series devices:
- PTX10003-80C and PTX10003-160C
- PTX10008
- PTX10001-36MR
- PTX10004
- PTX10016
You cannot configure sFlow on loopback interfaces (lo0).
sFlow Limitations on Switches
On switches, limitations of sFlow traffic sampling include the following:
- The EX3400, EX4100, EX4300, EX4400, and QFX5K series switches use pseudo-egress sampling for egress sampling. The packets are not true egress samples; they are unmodified copies as they appear in the ingress pipeline of the sFlow instance device that is using egress sampling.
- On EX9200 switches, true OIF (outgoing interface) is not supported with sFlow.
EX9200 switches support configuration of only one sampling rate (inclusive of ingress and egress rates) on an FPC (or line card). To support compatibility with the sFlow configuration of other Juniper Networks products, EX9200 switches still accept multiple rate configurations on different interfaces of the same FPC. However, the switch programs the lowest rate as the sampling rate for all the interfaces of that FPC. The show sflow interfaces command displays the configured rate and the actual (effective) rate. Different rates on different FPCs are still supported on EX9200 switches.
Adaptive Sampling on Routers and Switches
Adaptive sampling is the process of monitoring the overall incoming traffic rate on the network device and providing feedback to interfaces to dynamically adapt the sampling rates on those interfaces to traffic conditions. Adaptive sampling prevents the CPU from overloading and keeps the system at an optimum level, even when traffic patterns change on the interfaces. Whereas the sample rate is the configured number of egress or ingress packets out of which one packet is sampled, the adaptive sample rate is the maximum number of samples that should be generated per line card; that is, it is the limit that adaptive sampling enforces. Sample load is the amount of data (or number of packets) moving across a network at a given point of time that is sampled. As you increase the sample rate, you decrease the sample load, and vice versa. For example, suppose the configured sample rate is 2 (meaning 1 packet out of 2 packets is sampled); if that rate is doubled to 4, only 1 packet out of 4 packets is sampled, and the sample load is halved.
You configure the adaptive sample rate, which is the maximum number of samples that should be generated per line card, at the [edit protocols sflow adaptive-sample-rate] hierarchy level.
To ensure sampling accuracy and efficiency, QFX Series devices use adaptive sFlow sampling. Adaptive sampling monitors the overall incoming traffic rate on the device and provides feedback to the interfaces to dynamically adapt their sampling rate to traffic conditions. The sFlow agent reads the statistics on the interfaces every 5 seconds and identifies five interfaces with the highest number of samples. On a standalone switch, when the CPU processing limit is reached, a binary backoff algorithm is implemented to reduce the sampling load of the top five interfaces by half. The adapted sampling rate is then applied to those top five interfaces.
Using adaptive sampling prevents overloading of the CPU and keeps the device operating at its optimum level even when there is a change in traffic patterns on the interfaces. The reduced sampling load is used until:
- You reboot the device.
- You configure a new sampling rate.
- The adaptive sampling fallback feature, if configured, increases the sampling load because the number of samples generated is less than the configured threshold.
If a particular interface is not configured, the IP address of the next interface in the priority list is used as the IP address for the agent. Once an IP address is assigned to the agent, the agent ID is not modified until the sFlow service is restarted. At least one interface has to be configured for an IP address to be assigned to the agent.
Considerations
On the QFX Series, limitations of sFlow traffic sampling include:
- sFlow sampling on ingress interfaces does not capture CPU-bound traffic.
- sFlow sampling on egress interfaces does not support broadcast and multicast packets.
- Egress samples do not contain modifications made to the packet in the egress pipeline.
- If a packet is discarded because of a firewall filter, the reason code for discarding the packet is not sent to the collector.
- The out-priority field for a VLAN is always set to 0 (zero) on ingress and egress samples.
- You cannot configure sFlow monitoring on a link aggregation group (LAG), but you can configure it individually on a LAG member interface.
- On QFX10000 Series switches, for a set of ports in a multicast group, because the actual sampling happens in the ingress pipeline for egress packets, the minimum of the configured sFlow rates (that is, the most aggressive sample rate among those ports) is used for sampling across all ports in that group.
- Starting in Junos OS Release 19.4, on QFX10000 Series switches, if the destination port of a sampled UDP packet is 6635 and the packet does not include a valid MPLS header, the sampled packet in the flow record is corrupted or truncated. The actual packet is forwarded.
- On QFX10000 Series standalone switches and the QFX Series Virtual Chassis (with QFX3500 and QFX3600 switches), egress firewall filters are not applied to sFlow sampling packets. On these platforms, the software architecture is different from that on other QFX Series devices, and sFlow packets are sent by the Routing Engine (not the line card on the host) and are not transiting the switch. Egress firewall filters affect data packets that are transiting a switch but do not affect packets sent by the Routing Engine. As a result, sFlow sampling packets are always sent to the sFlow collector.
How Adaptive Sampling Works
Every few seconds, or cycle, the sFlow agent collects the interface statistics. From these aggregated statistics, an average number of samples per second is calculated for the cycle. The cycle length depends on the platform:
- Every 12 seconds for EX Series and QFX5K switches and MX Series and PTX Series routers
- Every 5 seconds for QFX Series switches other than QFX5K
If the combined sample rate of all the interfaces on a line card exceeds the adaptive sample rate, a binary backoff algorithm is initiated, which reduces the sample load on the interfaces. Adaptive sampling doubles the sample rate on the affected interfaces, which halves the sampling load. This process is repeated until the CPU load due to sFlow on a given line card comes down to an acceptable level.
Which interfaces on a line card participate in adaptive sampling depends on the platform:
- For MX Series routers and EX Series switches, the sample rates on all the interfaces on the line card are adapted.
- For PTX Series routers and QFX Series switches, only the five interfaces with the highest sample rates on the line card are adapted.
For all platforms, the increased sampling rates remain in effect until one of the following conditions is achieved:
- The device is rebooted.
- A new sample rate is configured.
If you have enabled the adaptive sampling fallback feature and, because of a traffic spike, the number of samples increases to the configured sample-limit-threshold, then the adaptive sampling rate is reversed.
Adaptive Sampling Fallback
The adaptive sampling fallback feature, when configured and after adaptive sampling has taken place, uses a binary backup algorithm to decrease the sampling rate (thus increasing the sampling load) when the number of samples generated is less than the configured sample-limit-threshold value, without affecting normal traffic.
Starting in Junos OS Release 18.3R1, for EX Series switches, Junos OS supports the adaptive sampling fallback feature. Starting in Junos OS Release 19.1R1, for MX Series, PTX Series, and QFX Series devices, Junos OS supports the adaptive sampling fallback feature.
Adaptive sampling fallback is disabled by default. To enable this feature, include the fallback and adaptive-sample-rate sample-limit-threshold options at the [edit protocols sflow adaptive-sample-rate] hierarchy level.
After adaptive sampling has taken place and the line card is underperforming (that is, the number of samples generated in a cycle is less than the configured value for the sample-limit-threshold statement) for five continuous cycles of adaptive sampling, the adapted rate is reversed. If the reverse adaptation has happened and the number of samples generated in a cycle is again less than half of the current adapted rate (and, therefore, for five continuous cycles), another reverse adaptation can happen.
Reverse adaptation does not occur if the interfaces are already at the configured rate.
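To make the backoff and fallback rules above concrete, here is an added Python model. It is not Junos code: the LineCardSampler class and its rules are an approximation of the behaviour this section describes (doubling the rate on all interfaces versus only the five busiest, and reversing one step after five consecutive cycles under sample-limit-threshold), and the per-cycle traffic figures are constructed.

```python
from typing import Dict, Optional

class LineCardSampler:
    """Constructed model (not Junos code) of adaptive sFlow sampling on one line card.

    Rates are 1-in-N sample rates. Each cycle the samples generated by every
    interface are summed; if the total exceeds adaptive_sample_rate, binary backoff
    doubles the rate (halves the load) on the adapted interfaces: all of them
    (MX/EX behaviour) or only the top_n busiest (PTX/QFX behaviour). With fallback
    enabled, five consecutive cycles below sample_limit_threshold reverse one
    adaptation step, never going below the configured rate.
    """

    def __init__(self, configured: Dict[str, int], adaptive_sample_rate: int,
                 top_n: Optional[int] = None, sample_limit_threshold: Optional[int] = None):
        self.configured = dict(configured)
        self.rates = dict(configured)          # effective (possibly adapted) rates
        self.adaptive_sample_rate = adaptive_sample_rate
        self.top_n = top_n
        self.sample_limit_threshold = sample_limit_threshold
        self.quiet_cycles = 0                   # consecutive cycles under the threshold

    def cycle(self, packets: Dict[str, int]) -> Dict[str, int]:
        """Run one statistics cycle. packets maps interface -> packets seen this
        cycle; returns the samples each interface generated at its current rate."""
        samples = {ifc: packets.get(ifc, 0) // rate for ifc, rate in self.rates.items()}
        total = sum(samples.values())
        if total > self.adaptive_sample_rate:
            adapted = sorted(samples, key=samples.get, reverse=True)
            if self.top_n is not None:
                adapted = adapted[:self.top_n]  # only the busiest interfaces
            for ifc in adapted:
                self.rates[ifc] *= 2            # backoff: 1-in-N becomes 1-in-2N
            self.quiet_cycles = 0
        elif self.sample_limit_threshold is not None and total < self.sample_limit_threshold:
            self.quiet_cycles += 1
            if self.quiet_cycles >= 5:          # five continuous underperforming cycles
                for ifc in self.rates:
                    if self.rates[ifc] > self.configured[ifc]:
                        self.rates[ifc] //= 2   # reverse one adaptation step
                self.quiet_cycles = 0
        else:
            self.quiet_cycles = 0
        return samples

def run_scenario():
    """Constructed traffic: a burst on two ports pushes the card past its limit,
    then traffic quiets down and fallback restores the configured rate."""
    card = LineCardSampler({"ge-0/0/0": 1000, "ge-0/0/1": 1000, "ge-0/0/2": 1000},
                           adaptive_sample_rate=500, sample_limit_threshold=200)
    burst = {"ge-0/0/0": 400_000, "ge-0/0/1": 300_000, "ge-0/0/2": 10_000}
    quiet = {"ge-0/0/0": 20_000, "ge-0/0/1": 20_000, "ge-0/0/2": 20_000}
    history = []
    for load in [burst, burst] + [quiet] * 5:
        samples = card.cycle(load)
        history.append((sum(samples.values()), dict(card.rates)))
    return history
```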
Adaptive Sampling Limitations
The following are limitations of the adaptive sample feature:
- On standalone routers or standalone QFX Series switches, if you configure sFlow on multiple interfaces and with a high sampling rate, we recommend that you specify a collector that is on the data network instead of on the management network. Having a high volume of sFlow traffic on the management network might interfere with other management interface traffic.
- On routers, sFlow does not support graceful restart. When a graceful restart occurs, the adaptive sampling rate is set to the user-configured sampling rate.
- On a rate-selectable line card (which supports multiple speeds), interfaces with the highest sample count are selected for adaptive sampling fallback. The backup algorithm selects those interfaces on which the adaptive sampling rate is increased the maximum number of times and then decreases the sampling rate on each of those interfaces every five seconds. However, on a single-rate line card, only one sample rate is supported per line card, and the adaptive sampling fallback mechanism backs up the sampling rate on all the interfaces of the line card.
sFlow Agent Address Assignment
The sFlow collector uses the sFlow agent’s IP address to determine the source of the sFlow data. You can configure the IP address of the sFlow agent to ensure that the agent ID of the sFlow agent remains constant. If you do not specify the IP address to be assigned to the agent, an IP address is automatically assigned to the agent based on the following order of priority of interfaces configured on the device:
Routers and EX Series Switches |
QFX Series Devices |
---|---|
|
|
If neither of the preceding interfaces has been configured, the IP address of any Layer 3 interface or the routed VLAN interface (RVI) is assigned to the agent. At least one interface must be configured on the switch for an IP address to be automatically assigned to the agent. When the agent’s IP address is assigned automatically, the IP address is dynamic and changes when the switch reboots.
sFlow data can be used to provide network traffic visibility information. You can explicitly configure the IP address to be assigned to source data (sFlow datagrams). If you do not explicitly configure that address, the IP address of the configured Gigabit Ethernet interface, 10-Gigabit Ethernet interface, or the RVI is used as the source IP address.
Example: Configure sFlow Technology to Monitor Network Traffic
This example describes how to configure and use sFlow technology to monitor network traffic.
Requirements
You can use QFX Series, EX Series, PTX Series, and MX Series devices for the example, using the following hardware and software components:
- One EX Series switch
- Junos OS Release 9.3 or later for EX Series switches
- One MX Series router
- Junos OS Release 18.1 or later for MX Series routers
- Junos OS Release 11.3 or later
- One QFX3500 switch
Topology
The sFlow agent runs on the switch. It combines interface counters and flow samples and sends them across the network to the sFlow collector. Figure 1 depicts the basic elements of the sFlow system.
Configuration
To configure sFlow technology, perform the following tasks:
CLI Quick Configuration
To quickly configure sFlow technology, copy the following commands and paste them into the switch terminal window:
[edit protocols]
set sflow collector 10.204.32.46 udp-port 5600
set sflow interfaces ge-0/0/0
set sflow polling-interval 20
set sflow sample-rate egress 1000
Procedure
Step-by-Step Procedure
To configure sFlow technology:
- Configure the IP address and UDP port of the collector:
[edit protocols]
user@switch# set sflow collector 10.204.32.46 udp-port 5600
Note: You can configure a maximum of 4 collectors.
The default UDP port is 6343.
- Enable sFlow technology on a specific interface:
[edit protocols sflow]
user@switch# set interfaces ge-0/0/0
Note: You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface.
- Specify in seconds how often the sFlow agent polls the interface:
[edit protocols sflow]
user@switch# set polling-interval 20
Note: The polling interval can also be specified as a global parameter. Specify 0 if you do not want to poll the interface.
- Specify the rate at which egress packets must be sampled:
[edit protocols sflow]
user@switch# set sample-rate egress 1000
Note: You can specify both egress and ingress sampling rates. If you set only the egress sampling rate, ingress sampling is disabled.
Note: We recommend that you configure the same sampling rate on all the ports of a line card. If you configure different sampling rates, the lowest value is used for all ports. You can still configure different rates on different line cards.
- (Optional) Specify the sample size for the raw packet header. The sample size configuration applies to PTX10003-80C, PTX10003-160C, PTX10001-36MR, PTX10004, PTX10008, and PTX10016 devices from Junos OS Evolved Release 23.1R1.
[edit protocols sflow]
user@switch# set sample-size 135
Results
Check the results of the configuration:
[edit protocols sflow]
user@switch# show
polling-interval 20;
sample-rate egress 1000;
collector 10.204.32.46 {
udp-port 5600;
}
interfaces ge-0/0/0.0;
[edit protocols sflow]
user@router# show
polling-interval 20;
source-ip 45.1.1.1;
collector 45.1.1.100;
sample-size 135;
Verification
To confirm that the configuration is correct, perform these tasks:
- Verifying That sFlow Technology Is Configured Properly
- Verifying That sFlow Technology Is Enabled on the Specified Interface
- Verifying the sFlow Collector Configuration
Verifying That sFlow Technology Is Configured Properly
Purpose
Verify that sFlow technology is configured properly.
Action
Use the show sflow command:
user@switch> show sflow
sFlow: Enabled
Sample limit: 300 packets/second
Polling interval: 20 seconds
Sample rate egress: 1:1000: Enabled
Sample rate ingress: 1:2048: Disabled
Agent ID: 10.204.96.222
user@router> show sflow
sFlow : Enabled
Adaptive fallback : False
Sample limit : 2000 packets/second
Sample limit Threshold : 0 packets/second
Polling interval : 20 second
Sample rate egress : 1:2048:Disabled
Sample rate ingress : 1:2048:Disabled
Agent ID : 10.204.96.222
Agent ID IPv6 : No valid agent IPv6
Source IP address : 45.1.1.1
Source IPv6 address : No valid source IPv6
Sample Size : 128 Bytes
The sampling limit cannot be configured and is set to 300 packets/second per FPC.
Meaning
The output shows that sFlow technology is enabled and specifies the values for the sampling limit, polling interval, and the egress sampling rate.
Verifying That sFlow Technology Is Enabled on the Specified Interface
Purpose
Verify that sFlow technology is enabled on the specified interfaces and display the sampling parameters.
Action
Use the show sflow interface command:
user@switch> show sflow interface
Interface    Status             Sample rate        Adapted sample rate   Polling-interval
             Egress   Ingress   Egress   Ingress   Egress   Ingress
ge-0/0/0.0   Enabled  Disabled  1000     2048      1000     2048          20
Meaning
The output indicates that sFlow technology is enabled on the ge-0/0/0.0 interface with an egress sampling rate of 1000, a disabled ingress sampling rate, and a polling interval of 20 seconds.
Verifying the sFlow Collector Configuration
Purpose
Verify the sFlow collector's configuration.
Action
Use the show sflow collector command:
user@switch> show sflow collector
Collector      Udp-port   No. of samples
address
10.204.32.46   5600       1000
10.204.32.76   3400       1000
user@router> show sflow collector
Collector    Udp-port   Dscp   Forwarding-Class   No. of samples
address
45.1.1.100   6343       0      best-effort        0
Meaning
The output displays the IP address of the collectors and the UDP ports. It also displays the number of samples.
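The datagrams that the configuration above sends to the collector on UDP port 5600 are plain, unauthenticated UDP: the agent ID shown by show sflow is the collector's only handle on where a datagram came from, and each datagram carries a sequence number that reveals loss. As an added illustration that is not Juniper's code, the following Python decodes the sFlow version 5 datagram header (the page cites RFC 3176, whose version 4 layout differs; version 5 is assumed here), checks the agent address against an allowlist and reports sequence gaps; the allowlist, the uptime and the flow-sample field values are constructed.

```python
import socket
import struct

# Agent ID from the "show sflow" output on this page; the allowlist itself is constructed here.
ALLOWED_AGENTS = {"10.204.96.222"}

def parse_sflow_v5(data):
    """Decode an sFlow v5 datagram header and the header of every sample it carries."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5:
        raise ValueError("unsupported sFlow version %d" % version)
    off = 8
    if addr_type == 1:                                  # IPv4 agent address
        agent, off = socket.inet_ntop(socket.AF_INET, data[off:off + 4]), off + 4
    elif addr_type == 2:                                # IPv6 agent address
        agent, off = socket.inet_ntop(socket.AF_INET6, data[off:off + 16]), off + 16
    else:
        raise ValueError("unknown agent address type %d" % addr_type)
    sub_agent, seq, uptime_ms, nsamples = struct.unpack_from("!IIII", data, off)
    off, samples = off + 16, []
    for _ in range(nsamples):
        sample_type, length = struct.unpack_from("!II", data, off)
        body, off = data[off + 8:off + 8 + length], off + 8 + length
        fmt = sample_type & 0xFFF                       # enterprise 0: 1 = flow, 2 = counters
        if fmt == 1:   # seq, source_id, sampling_rate, sample_pool, drops, input, output, nrecords
            _, src, rate, pool, drops, inp, outp, nrec = struct.unpack_from("!8I", body, 0)
            samples.append({"kind": "flow", "source_id": src, "rate": rate, "pool": pool,
                            "drops": drops, "input": inp, "output": outp, "records": nrec})
        elif fmt == 2:
            _, src, nrec = struct.unpack_from("!III", body, 0)
            samples.append({"kind": "counters", "source_id": src, "records": nrec})
        else:
            samples.append({"kind": "unknown", "format": fmt})
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": samples}

def accept(data, last_seq, allowed=ALLOWED_AGENTS):
    """Reject datagrams from an unexpected agent (sFlow is unauthenticated UDP); flag sequence gaps."""
    dg = parse_sflow_v5(data)
    if dg["agent"] not in allowed:
        return False, "unexpected agent %s" % dg["agent"], last_seq
    gap = 0 if last_seq is None else dg["sequence"] - last_seq - 1
    note = "ok" if gap <= 0 else "%d datagram(s) lost before %d" % (gap, dg["sequence"])
    return True, note, dg["sequence"]

def build_datagram(agent="10.204.96.222", seq=7, rate=1000):
    """Constructed sFlow v5 datagram with one record-less flow sample, used as test input."""
    flow = struct.pack("!8I", 1, 5, rate, 3 * rate, 0, 5, 6, 0)
    head = struct.pack("!II", 5, 1) + socket.inet_aton(agent) + struct.pack("!IIII", 0, seq, 60000, 1)
    return head + struct.pack("!II", 1, len(flow)) + flow
```

A real collector would call accept() on each datagram read from a UDP socket bound to the configured port and keep last_seq per agent, since every agent numbers its own datagrams.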
Example: Configure sFlow for EVPN-VXLAN Networks for QFX10000 Switches
Use this example to configure and use sFlow monitoring for EVPN-VXLAN traffic with an IPv4 underlay on the QFX10000 line of switches.
Requirements
This example uses the following hardware and software components:
- A QFX10002-60C, QFX10002, QFX10008, or QFX10016 switch.
- Junos OS Release 21.3R1, 21.2R2 and later.
This example assumes that you already have an EVPN-VXLAN network with an IPv4 underlay and want to enable sFlow monitoring on a QFX10000 switch.
Overview and Topology
In this example, you enable sFlow monitoring of traffic on an existing, working EVPN-VXLAN network with an IPv4 underlay.
Topology
Figure 2 depicts the sFlow support in an EVPN-VXLAN network environment with an IPv4 underlay. In this topology, the sFlow agent performs packet sampling and gathers interface statistics, and then combines the information into UDP datagrams that are sent to sFlow collectors. You can connect an sFlow collector to the switch through the management network or data network. The sFlow program on the switch looks up the next-hop address for the specified collector IP address to determine whether the collector is reachable by way of the management network or data network.
You should configure sFlow on the physical port of your hardware switch and on the logical interface where the VTEPs (virtual ports) are configured, not on the VTEPs themselves. When you configure sFlow on a fabric-facing interface, the underlay traffic is sampled along with the VXLAN traffic. You can configure sFlow on any of the R0, R1, or R2 devices shown in the topology.
For information about basic EVPN-VXLAN underlay configuration, refer to Example: Configuring a QFX10000 Switch as a Layer 3 VXLAN Gateway in an EVPN-VXLAN Centrally-Routed Bridging Overlay.
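When sFlow runs on a fabric-facing interface, each flow sample carries the first bytes of a VXLAN-encapsulated frame, so the collector sees the underlay addresses and ports, the VNI, and the start of the inner packet. The following Python decoder is an added example, not Juniper's code: it walks a sampled header through Ethernet, IPv4, UDP and VXLAN into the inner Ethernet and IPv4 headers and reports a layer as truncated when it falls outside the sampled bytes; it assumes untagged frames, and the underlay addresses 10.1.12.1 and 10.1.12.2, the inner addresses, VNI 5010 and the port numbers are constructed.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789                     # IANA-assigned VXLAN destination port

def _ethernet(buf, off):
    """Return (ethertype, next_offset); assumes untagged frames (no 802.1Q header)."""
    return struct.unpack_from("!H", buf, off + 12)[0], off + 14

def _ipv4(buf, off):
    """Return (src, dst, protocol, next_offset) for the IPv4 header at off."""
    src = socket.inet_ntop(socket.AF_INET, buf[off + 12:off + 16])
    dst = socket.inet_ntop(socket.AF_INET, buf[off + 16:off + 20])
    return src, dst, buf[off + 9], off + (buf[off] & 0x0F) * 4

def decode_sampled_header(hdr):
    """Decode a sampled raw packet header from a fabric-facing interface into the underlay
    5-tuple, VNI and inner IPv4 addresses; a layer cut off by the sample size is 'truncated'."""
    etype, off = _ethernet(hdr, 0)
    if etype != 0x0800:
        return {"underlay": None, "vni": None, "inner": None, "note": "non-IPv4 %#06x" % etype}
    src, dst, proto, off = _ipv4(hdr, off)
    out = {"underlay": {"src": src, "dst": dst, "proto": proto}, "vni": None, "inner": None}
    if proto != 17 or len(hdr) < off + 8:               # not UDP, or UDP header cut off
        return out
    sport, dport, off = (*struct.unpack_from("!HH", hdr, off), off + 8)
    out["underlay"].update(sport=sport, dport=dport)
    if dport != VXLAN_UDP_PORT or len(hdr) < off + 8:   # plain underlay traffic, or VXLAN cut off
        return out
    out["vni"], off = int.from_bytes(hdr[off + 4:off + 7], "big"), off + 8   # flags, rsvd, VNI, rsvd
    if len(hdr) < off + 34:                             # inner Ethernet (14) + IPv4 (20)
        out["inner"] = "truncated"
        return out
    ietype, off = _ethernet(hdr, off)
    if ietype == 0x0800:
        isrc, idst, iproto, _ = _ipv4(hdr, off)
        out["inner"] = {"src": isrc, "dst": idst, "proto": iproto}
    return out

def build_vxlan_sample(vni=5010, sample_size=128):
    """Constructed leaf-to-leaf VXLAN packet, cut to sample_size as the agent does (test input)."""
    def ipv4(src, dst, proto, plen):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    eth = lambda etype: bytes(12) + struct.pack("!H", etype)      # zero MACs, no VLAN tag
    inner = eth(0x0800) + ipv4("192.168.10.11", "192.168.20.22", 6, 60) + struct.pack("!HH", 40000, 443) + bytes(56)
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 52345, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    outer = eth(0x0800) + ipv4("10.1.12.1", "10.1.12.2", 17, len(udp) + len(vxlan) + len(inner))
    return (outer + udp + vxlan + inner)[:sample_size]
```

With the default 128-byte header the inner IPv4 header fits with room to spare; a much smaller sample size leaves the VNI but loses the inner addresses, which is the trade-off to weigh when choosing sample-size.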
Configuration
Use the following steps to configure sFlow technology on your QFX10000 switch with EVPN-VXLAN network:
CLI Quick Configuration
To quickly configure this example on your QFX10000 switch, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
[edit protocols sflow]
set polling-interval 20
set sample-rate ingress 10
set source-ip 10.1.12.0
set collector 10.102.70.200
set interfaces et-0/0/1.1 sample-rate ingress 100 egress 100
Step-by-Step Procedure
To configure sFlow technology:
- Specify in seconds how often the sFlow agent polls the interface:
[edit protocols sflow]
user@switch# set polling-interval 0
- Specify the rate at which ingress packets must be sampled:
[edit protocols sflow]
user@switch# set sample-rate ingress 100
- Configure the source IP address:
[edit protocols sflow]
user@switch# set source-ip 10.1.12.0
- Configure the IP address of the collector:
[edit protocols sflow]
user@switch# set collector 192.168.200.100
- Enable sFlow technology on a specific interface:
[edit protocols sflow]
user@switch# set interfaces et-0/0/1.1 sample-rate ingress 100 egress 100
- Commit the configuration:
[edit protocols sflow]
user@switch# commit
Results
Check the results of the configuration:
[edit]
user@switch# show protocols sflow
agent-id 10.1.12.0/24;
polling-interval 0;
sample-rate {
ingress 16000;
egress 16000;
}
collector 192.168.200.100;
interfaces et-0/0/54.1 {
sample-rate {
ingress 100;
egress 100;
}
}
interfaces et-0/0/56.0;
interfaces et-0/0/57.1 {
sample-rate {
ingress 100;
egress 100;
}
}
Verification
To confirm that the sFlow configuration is enabled and correct, perform this task:
Verify Configured sFlow Technology
Purpose
Verify that sFlow monitoring is enabled for the EVPN-VXLAN network.
Action
From operational mode, enter the show protocols sflow command.
user@switch> show protocols sflow
sFlow : Enabled
Adaptive fallback : Disabled
Sample limit : 300 packets/second
Sample limit Threshold : 0 packets/second
Polling interval : 0 second
Sample rate egress : 1:2048: Disabled
Sample rate ingress : 1:100: Enabled
Agent ID : 10.1.12.0/24
Source IP address : 10.1.12.0