The sFlow plugin lets you monitor the throughput generated by an application, a source IP or a destination IP, and generates alerts if the defined thresholds are exceeded. It also provides performance data and graphs in the same way as the other plugins.
Use cases and best practices for using plugins:
The plugin is designed to meet specific needs. It provides several fields to fill in to target the bandwidth consumption to be measured.
Ideally, each instantiated plugin should meet one need, for example measuring the throughput generated by the mail service. In this case, the user fills in the fields required for this measurement (destination IP of the mail server, SMTP port 25, etc.).
sFlow
Introduction
sFlow provides real-time traffic monitoring of data networks containing switches and routers. It uses the sampling mechanism in the sFlow Agent software on switches and routers to monitor traffic and to transmit the sample data from the ingress and egress ports to the central data collector, also called the sFlow Analyzer.
For more information on sFlow, see RFC 3176.
sFlow agent
The sFlow Agent periodically samples or polls interface counters that are associated with a data source of sampled packets. The data source can be an Ethernet interface, an EtherChannel interface, or a range of Ethernet interfaces. The sFlow agent polls the Ethernet port manager for the respective EtherChannel membership information and also receives notifications from the Ethernet port manager for membership changes.
When you enable sFlow sampling, based on the sampling rate and the internal random number of the hardware, the input packets and output packets are sent to the CPU as a sampled packet in sFlow. The sFlow agent processes the sampled packets and sends an sFlow datagram to the sFlow analyzer. In addition to the original sampled packet, an sFlow datagram includes information about the input port, output port, and length of the original packet. An sFlow datagram can have multiple sFlow samples.
sFlow versions
Version | Comment |
V1 | Initial version |
V2 | (Unknown) |
V3 | Adds support for the information extents |
V4 | Adds support for BGP communities |
V5 | Several protocol improvements. This is the current version, which is supported worldwide. |
sFlow datagrams
The sampled data is sent as a UDP packet to the specified host and port. The official port number for sFlow is 6343. The unreliability of the UDP transport mechanism does not significantly affect the accuracy of measurements obtained from an sFlow agent. If counter samples are lost, new values will be sent when the next polling interval has passed. The loss of packet flow samples results in a slight reduction in the effective sampling rate.
The UDP payload contains the sFlow datagram. Each datagram provides information about the sFlow version, the IP address of the originating device, a sequence number, the number of samples it contains and one or more flow and/or counter samples.
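The datagram fields listed above can be read with a short bounds-checked parser. This is an added example, not code from the plugin or from ServiceNav; the field layout follows the sFlow version 5 specification, and the function names and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct

def parse_sflow_v5(payload: bytes) -> dict:
    """Parse an sFlow v5 datagram header and index its sample records."""
    if len(payload) < 8:
        raise ValueError("datagram too short")
    version, addr_type = struct.unpack_from("!II", payload, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4, 2 = IPv6
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    off = 8
    if len(payload) < off + addr_len + 16:
        raise ValueError("truncated header")
    agent = str(ipaddress.ip_address(payload[off:off + addr_len]))
    off += addr_len
    sub_agent, seq, uptime_ms, count = struct.unpack_from("!IIII", payload, off)
    off += 16
    samples = []
    for _ in range(count):
        # Never trust the declared count or lengths: UDP input is unauthenticated.
        if len(payload) - off < 8:
            raise ValueError("sample count exceeds payload")
        tag, length = struct.unpack_from("!II", payload, off)
        off += 8
        if length > len(payload) - off:
            raise ValueError("sample length exceeds payload")
        # tag: enterprise in the upper 20 bits, format in the lower 12 (1 = flow sample).
        samples.append({"enterprise": tag >> 12, "format": tag & 0xFFF, "length": length})
        off += length
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": samples}

def lost_datagrams(state: dict, dgram: dict) -> int:
    """Return how many datagrams were missed since the previous one from this agent."""
    key = (dgram["agent"], dgram["sub_agent"])
    prev = state.get(key)
    state[key] = (dgram["sequence"], dgram["uptime_ms"])
    if prev is None or dgram["uptime_ms"] < prev[1]:  # first datagram or agent restart
        return 0
    return (dgram["sequence"] - prev[0] - 1) & 0xFFFFFFFF

def build_sample_datagram(seq: int) -> bytes:
    """Constructed input: agent 192.0.2.10, one flow sample with 8 opaque bytes."""
    header = struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 10]), 0, seq, 60000 + seq, 1)
    return header + struct.pack("!II", 1, 8) + bytes(8)
```

A duplicate or reordered datagram shows up in `lost_datagrams` as a very large value, which a collector should flag as an anomaly rather than count as loss.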
Default settings for sFlow
Parameter | Default |
sFlow sampling rate | 4096 |
sFlow sample size | 128 |
sFlow max datagram-size | 1400 |
sFlow collector-port | 6343 |
sFlow counter-poll-interval | 20 |
Architecture
Network elements (switches and routers) compile statistics on the network flow data they export to collectors. These detailed statistics can include packet and byte counts, application ports, IP addresses, QoS fields, interfaces through which they pass, etc.
The architecture for collecting IP network traffic information is as follows:
- sFlow exporter: Observes packet data, creates records of monitored network traffic and transmits this data to the sFlow Collector.
- sFlow Collector: Collects records sent by the exporter, stores them in a local database.
- ServiceNav BOX: Retrieves the information collected by the sFlow Collector, according to the need entered in the sFlow plugin parameters.
- SNP (Supervisory Platform): Lets you configure sFlow and use the data reported by the ServiceNav BOX.
Configuring the NetworkAnalysis-sFlow service model
As a good practice, the NetworkAnalysis-sFlow service model should be linked to the switch or router that exports the sFlow data, but you can also link it to any other equipment or to an Up System if needed.
After instantiating NetworkAnalysis-sFlow, you will have to configure the service according to your analysis needs. As a reminder, the plugin has been optimized to monitor the flow generated by an application.
The following mandatory fields must be filled in:
- Collector Storage: Address of the Collector Storage
- Allocated bandwidth: Value in the selected unit
- Unit: Output unit: kbps, Mbps, Gbps
- Alert threshold: Alert threshold in %
- Critical threshold: Critical threshold in %
- Directory Name: Path to the directory containing the exports linked to an interface
- Absence status: Status to be given in case of inactivity, e.g. 0 for OK
The other fields to be filled in allow you to target the flow to be monitored according to your needs.
Example of a configuration targeting the flow generated by a mail server:
The service will provide you with the following information:
- A status according to the thresholds set
- The flow generated in the selected unit
- Performance data
- Metrics in absolute values and in percentage of use
Metrics in absolute values:
Metrics in percentage of use:
Dashboard configuration
After instantiating as many NetworkAnalysis-sFlow services as there are flows to monitor, you can create one or more dashboards targeting bandwidth usage by business and be alerted according to the defined thresholds.
Here is an example of a dashboard: