Posted on November 4, 2020 8:35 am
 |  Asked by noc
 |  116 views

Hello,

We have a pair of Arista 7050s that are acting as layer 2 switches and there are no layer 3 features on them. We want to enable sflow on them, so I want to know: does it impact the CPU? We have around 20g bps and 8-9m bps, and we have some port channels and layer 2 features such as access VLAN and trunk.

Thanks,

Answered on November 4, 2020 8:36 am

Hi Noc,

Thanks for reaching out.

Under default/normal Sflow sampling rate we don't expect any Sflow/non-Sflow CPU related issues.

You can refer to the following link for more detailed information regarding sflow sampling rate and regarding sflow dangerous commands configs:

https://www.arista.com/en/um-eos/eos-section-47-3-sflow-configuration-commands

A rate of 16384 corresponds to an average sample of one per 16,384 packets.

Usually Sflow Sampling rates up to one packet out of 16384 are considered safe.

Using the "sflow sample <rate>" command, we could configure a value in the recommended rate range, and using the "dangerous" keyword, we could configure any rate, removing the restriction on the maximum sampling rate (i.e. 16384), thereby providing the ability to configure a really high sampling rate, which might result in increased CPU load.

For example, by using the dangerous option one can configure any integer value.
Switch(config)# sflow sample dangerous 1

Since sFlow sampled packets are sent to the CPU for further processing, configuring higher sampling rates might result in additional load on the CPU.

We use the sflow dangerous command to draw the line for when we may start seeing CPU impact that could affect other services. As long as we are outside of the 'dangerous' designation we would not expect to see any sFlow/non-sFlow CPU related issues.

Since we have default CoPP (Control Plane Protection policy) on Arista switches, even with 20Gbps traffic CoPP would reduce sending unnecessary packets to the CPU, thereby reducing CPU load.

You can check for the Copp shaperate and bandwidth by issuing the below command on the device:

switch(conf)#show policy-map type control-plane copp-system-policy

 

Thanks,

Bhavana.

Posted by Sneha Rajeev
Answered on November 4, 2020 9:46 am

Hello,

Thank you for reaching out to us.

We provide a sFlow agent that samples only ingress traffic from all Ethernet and port-channel interfaces. If you are looking to gather the sFlow samples and send it to a sFlow collector, we will need to configure L3 and make sure that there is a route to the collector so that the datagrams from the device can be sent to the collector.

With regards to your query about the CPU usage, you may notice higher CPU utilization after enabling sFlow globally by using the sflow run command if you have configured an aggressive sampling rate. To explain this a bit more:

  • When sFlow is configured globally, it enables sFlow on all the interfaces. If you wish to sample the traffic on only a few interfaces, you could disable sFlow on the other interfaces. By doing so, you could reduce the number of sFlow packets being sent to the CPU. The command no sflow enable can be used to disable sFlow on a particular interface.
  • Some platforms support Hardware Accelerated sFlow which is better suited to supporting aggressive sampling rates.
  • Also, please note that the CPU utilization with the suggested sampling rate can’t be quantified since it depends on other processes the CPU is currently running.

Do let us know if there are any other follow-up questions regarding this.

Regards,

Sneha

Posted by noc
Answered on November 15, 2020 6:01 am

Hello,

We have 2x Arista 7050s in MLAG mode, and 20x top of rack switches are connected to these Aristas, and every top of rack has 2x 10G (totally 20gbps) uplink. As I read at https://blog.sflow.com/2009/06/sampling-rates.html, they suggest 1:2048 for 10G, so is 1:2048 a safe value? Because we need a correct value to detect attacks on time.

Thank you.

Posted by Alexis Dacquay
Answered on November 17, 2020 6:38 pm

Hi,

What do you mean by "20g bps and 8-9m bps"?
Is that 20Gbps or 8Mbps?
Or did you mean 8 million pps (packets per second)?

20Gbps across the whole switch is low, you can safely increase that to 1:2000.

Are you considering configuring 1:2048 on all the 7050S' interfaces, or only a few?
It is all about scale. The lighter the sampling and fewer the ports, then the lighter it will be on the resources.

If you have many interfaces you want to monitor then my recommendation is to try halving step by step:
1) 16k -> 8k
2) monitor efficiency of monitoring/detecting, and also CPU usage
3) 8k->4k
4) monitor
5) etc.

Of course you may jump directly to 2k and monitor more carefully, then decide whether to halve further or reduce the sampling rate.

Posted by noc
Answered on November 20, 2020 7:44 pm

Hello,

I just want to monitor sflow only on 2x Port-channel and I have ~20Gbps traffic on my switch,

so do you think I can use 1:2048 without worry?

Posted by Alexis Dacquay
Answered on November 20, 2020 11:19 pm

Hi,
1:2000 on 20Gbps would sample 10Mbps.
That should be fine. Just check the cpu utilisation with a granularity per process to ensure it is safe. The 7050S is a bit old.

Regards,
Alexis
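
Added example (not part of any post in this thread): a small planner for the halving procedure described above, showing for each step how many samples per second reach the CPU and how long it takes to collect enough samples of an attack to size it. It assumes the standard sFlow sampling-accuracy bound (95% confidence error % <= 196 * sqrt(1/c) for c samples), which comes from sFlow sampling theory rather than from the thread; the 8.5 Mpps total and the 100 kpps attack are constructed values.

```python
import math

def samples_needed(max_error_pct):
    """Samples of a traffic class needed so that its estimate has at most
    max_error_pct relative error at 95% confidence.
    Assumed bound (sFlow sampling theory): error% <= 196 * sqrt(1/c)."""
    return math.ceil((196.0 / max_error_pct) ** 2)

def cpu_samples_per_sec(ingress_pps, rate_n):
    """Average samples/s handed to the CPU with 1-in-rate_n sampling.
    ingress_pps counts only ingress packets on sFlow-enabled interfaces."""
    return ingress_pps / rate_n

def seconds_to_estimate(attack_pps, rate_n, max_error_pct):
    """Expected time to gather enough samples of the attack traffic."""
    return samples_needed(max_error_pct) * rate_n / attack_pps

def halving_plan(ingress_pps, attack_pps, max_error_pct,
                 start=16384, stop=2048):
    """One row per halving step: (rate, CPU samples/s, seconds to estimate)."""
    rows = []
    rate_n = start
    while rate_n >= stop:
        rows.append((rate_n,
                     cpu_samples_per_sec(ingress_pps, rate_n),
                     seconds_to_estimate(attack_pps, rate_n, max_error_pct)))
        rate_n //= 2
    return rows

if __name__ == "__main__":
    INGRESS_PPS = 8_500_000  # constructed: one reading of "8-9m" as packets/s
    ATTACK_PPS = 100_000     # constructed: attack size we want to catch
    MAX_ERROR_PCT = 25       # constructed: tolerated estimate error

    print(f"{'rate':>8} {'CPU samples/s':>14} {'secs to size attack':>20}")
    for rate_n, cpu, secs in halving_plan(INGRESS_PPS, ATTACK_PPS, MAX_ERROR_PCT):
        print(f"1:{rate_n:<6} {cpu:>14.0f} {secs:>20.2f}")
```

Each halving step doubles the sample load on the CPU and halves the time needed to size the attack, which is the trade-off to watch alongside per-process CPU utilisation at every step.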
