I mentioned sFlow in this blog post. Today, I want to show how to configure it on the Nexus 3000 series. The configuration lines covered here were tested on both the Nexus 3172 and the Nexus 3048. The Nexus 3524/3548 is not sFlow capable, so please check Cisco’s documentation to see whether your switch supports it.
What is sFlow?
sFlow, short for sampled flow, is an industry-standard sampling technology for monitoring traffic in data networks. It was originally developed by InMon Corporation, maker of the Traffic Sentinel flow collector, and it is now defined, for the most part, by RFC 3176.
Configuration
If you are familiar with NX-OS, then you know that the feature command has to be issued to enable most features on Nexus switches. sFlow is no different from other features such as BGP, OSPF, etc.
feature sflow
The command above enables the sFlow feature.
The next two settings are important, and one needs to consider how they should be configured for one’s own network devices. These two settings are the sampling rate and the polling interval. The sampling rate determines how many of the packets traversing the interface are sampled (1 in N) within a specified period of time (the polling interval).
Let’s take a look at a scenario where the sampling rate is set to 1 in 5,000 and the polling interval is set to 60 seconds. Say that in those 60 seconds 50,000 packets traversed the interface. With the configured sampling rate, sFlow collected 10 out of 50K packets. This is quite a small number of packets and doesn’t really reveal the overall network traffic. Say that sFlow collected five packets of HTTPS traffic, one of NFS, one of SSH, one of FTP, and one of ARP. One could speculate that there was more HTTPS traffic than anything else, but one could never be 100% sure, because 10 is a very small number of samples.
Make sure to adjust the sampling rate and polling interval to your needs; the configuration below is just a sample based on the scenario above. Switches that support sFlow have an ASIC capable of handling more frequent collection, so feel free to collect as often as you want, since sFlow consumes fewer resources than NetFlow does. That said, newer Cisco switches might have the necessary ASIC(s) to handle NetFlow as well as sFlow.
sflow sampling-rate 5000
! Sampling rate is configurable from 4096 to 1000000000. 0 disables the sampling. 4096 is the default value.
!
sflow counter-poll-interval 60
! Polling interval is configurable from 0 to 2147483647. 20 seconds is the default.
The next important command is the data source. With no data source, there is nothing to report to the collector.
sflow data-source interface e1/1-50
sflow data-source interface port-channel 1
If all the interfaces on the switch are defined as data sources, there will be an error if one later decides to use one of those interfaces in an EtherChannel. In that case, the interfaces need to be removed from the data source and added back in if one still needs to collect sFlow data. If an interface is a member of an EtherChannel, one has to add the logical interface (the port-channel) as the data source, not the physical interface.
Now we need to point the switch to the flow collector. Check with your flow collector vendor whether it supports sFlow. I know that InMon’s Traffic Sentinel supports multiple flow protocols such as sFlow (obviously, since they originally developed the protocol!), NetFlow/NetFlow-Lite/Flexible NetFlow, IPFIX, etc.
sflow collector-port 6343
! 6343 is the default and the official sFlow port.
!
sflow collector-ip 192.168.100.100 vrf default
! The vrf is either default or management (see below).
sflow agent-ip 192.168.1.10
If it’s not obvious enough, the collector-ip is the IP address of the flow collector. The vrf option depends on how everything is set up: use management if the collector is reached through the management port, and default otherwise. The agent-ip is the source IP address that one wants to use; use the management interface’s IP address if management was chosen in the vrf option.
The last two settings are optional. They have default values, but one may want to change them depending on one’s environment.
sflow max-sampled-size 128
! This configures the maximum number of bytes that are copied from a sampled packet.
!
sflow max-datagram-size 1400
! This configures the maximum number of data bytes that can be sent in a single sFlow datagram.
Thoughts
If you have a flow collector and Nexus switches that support sFlow, consider enabling it. It gives you a type of network visibility that may help you in the future, for example (as I mentioned here) finding out who the target of a DoS/DDoS attack is, identifying the top talkers on the network, etc.
Reference
Want to learn more about NX-OS?
NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures
Disclosure
NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.