sFlow Generation for Legacy Networks with Tap Aggregation (NPB / Matrix switch)

 

sFlow is a standard hadware sampling available on all the Arista platforms, providing rich statistical information on all ports.

sFlow is available in Tap Aggregation mode, allowing additional use cases of Tap Aggregation than traffic analysis on analyzer tools:

  1. Retro-fitting sFlow to legacy infrastructure
  2. Distributed analysis

This article focuses on Retro-fitting sFlow to legacy infrastructure.

 

1) sFlow vs Netflow

  • sFlow is a sampling mechanism implemented in hardware:
    • Widely available on non-legacy platforms, and widely supported on collectors/monitoring software
    • sFlow requires minimal local processing which contrast¬†with Netflow that is very CPU-intensive, making Netflow poorly suitable for any high performance environment.
  • sFlow’s statistical sampling is integrated to the hardware on all Arista switches
    • all nodes are equal, providing the same sFlow capability
  • sFlow performance scales with interface speeds
    • It supports 10Gb, 40Gb and 100Gb Ethernet and beyond, since sFlow merely samples in hardware.
  • sFlow is naturally distributed
    • Every time a new device is added to the network topology, it adds sFlow processing scale
  • Collector applications are hardware independent
    • sFlow analysis tools run on standard servers with open operating systems
  • sFlow provides real-time, raw export
    • sFlow does not require pre-correlation or processing on each device, and does not summarize flow data. The collector gets a complete view of traffic profiles, including payload data.

 

2) sFlow generation for legacy non-sFlow networks

Networks that are not capable of sFlow hardware sampling can still benefit from network-wide statistical collection. An Arista Tap Aggregator simply configured for sFlow will generate statistics for all traffic received form various sources, such as tap or mirror sessions.

The received traffic is then sampled in hardware and sFlow records are sent to an sFlow collector (statistical analyzer).

The received traffic also get aggregated and manipulated per the standard behaviour or the Arista switch in Tap Aggregation mode. sFlow is merely an additional statistical information provided b the Tap Aggregator without any impact on performance.

The below figure illustrates the retrofitting of sFlow in a legacy non-sFlow network:

 

DANZ - sFlow retrofitting legacy

 

 

3) How easy is sFlow configuration on Arista EOS ?

 

The sFlow basic sFlow configuration is uncomplicated, as per the below configuration output. See the manual for more configuration details.

!
sflow destination <IP address of sFlow Collector>
sflow source <source IP of the sFlow records sent by the switch>
sflow run
!

 

Verify the sFlow setup with the following command. Example:

 

vEOS1__20:41:53#show sflow

sFlow Configuration
-------------------
Destination(s):
 172.16.0.1:6343 ( VRF: default )   <-- should be pointing at the external sFlow collector
Source(s):
 172.16.0.41 ( VRF: default )       <-- must be set. This is the source IP of the switch used to send sflow samples
 :: ( default ) ( VRF: default )
Sample Rate: 16384                <-- optionally set. Default is 16384 and a good starting value. 
Polling Interval (sec): 30.0        
Rewrite DSCP value: No

Status
------
Running: Yes                        <-- should be "Yes"
Polling On: Yes                      
Sampling On: Yes ( default )        <-- should be "Yes"
Send Datagrams: Yes ( VRF: default ) 

Statistics
----------
Total Packets: 487924
Number of Samples: 847
Sample Pool: 0
Hardware Trigger: 0
Number of Datagrams: 27