Table of Contents
Introduction (page 1)
Scope (page 1)
Design Considerations (page 1)
sFlow Overview of Juniper Networks EX Series Ethernet Switches (page 1)
Packet Flow (page 1)
Packet Flow Sampling (page 1)
Packet Flow Record (page 1)
Counter Sampling (page 1)
sFlow Agent (page 1)
sFlow Collector (page 1)
Description and Deployment Scenario (page 2)
sFlow Implementation on EX Series Switches (page 2)
Traffic Monitoring Using sFlow on EX Series Switches (page 2)
Exporting sFlow-Sampled Records to a Remote Collector in a Different Virtual Routing Instance (page 6)
Summary (page 15)
About Juniper Networks (page 15)
Table of Figures
Figure 1: sFlow monitoring in a regular network (page 2)
Figure 2: sFlow sampled packets sent to the collector (page 4)
Figure 3: Packet header of the sFlow sampled packets (page 5)
Figure 4: Details of the sFlow sampled packets (page 6)
Figure 5: sFlow monitoring with a collector in separate virtual routing instance (page 7)
Figure 6: sFlow sampled packets sent to the collector 7.0.0.10 (page 11)
Figure 7: sFlow sampled packets sent to the collector 1.0.0.10 (page 12)
Figure 8: sFlow sampled packets sent to the collector 8.0.0.10 (page 12)
Figure 9: Details of the sFlow sampled packets sent to collector 8.0.0.10 (page 13)
Figure 10: Details of the sFlow interface counters sent to collector 8.0.0.10 (page 14)
Introduction
The sFlow (RFC 3176) technology is designed for monitoring high-speed switched or routed networks and provides
visibility into the type of network traffic to help detect anomalies in traffic flows. This statistical, sampling-based
network monitoring technology samples network packets and sends the samples to a monitoring station, which
gives the network administrator visibility into network behavior.
Scope
This application note describes how sFlow technology can be deployed on the Juniper Networks® EX3200
Ethernet Switches and EX4200 Ethernet Switches in a typical switched or routed network environment. It also
discusses how to export sFlow sampling data records to remote monitoring collectors through network ports in a
separate virtual routing instance on Juniper Networks EX Series Ethernet Switches.
Design Considerations
The results of the tests described below are based on the use of Juniper Networks EX4200 Ethernet Switches. The
EX3200 Ethernet Switches could be substituted for the EX4200 switches.
Packet Flow
A packet flow is defined as a set of packets moving through a networking device such as a switch or router. Packets are
received on an ingress interface, and a switching or routing decision is made for the egress interface.
Counter Sampling
Counter sampling performs periodic, time-based sampling or polling of counters associated with an interface
enabled for sFlow. Interface statistics from the counter record are gathered, and the agent constructs a datagram
which it sends to the collectors, depending on which collector addresses are configured.
sFlow Agent
The sFlow agent provides an interface for configuring sFlow instances. The interface may be the command-line
interface (CLI) or SNMP MIBs (on the feature roadmap). The sFlow agent is also responsible for building the datagrams
and sending them to the collectors.
sFlow Collector
The sFlow collector is a hardware or software component that receives sFlow datagrams and presents a view of traffic
and other network parameters, which are encoded as type, length, and value (TLV) fields in the datagrams. The sFlow
collectors can also read and configure sFlow-managed objects.
Figure 1: sFlow monitoring in a regular network (diagram not reproduced; labels: EX4200-1, EX4200-2, EX4200-3, GE-0/0/0, GE-0/0/12, GE-0/0/13, network traffic stream, sFlow enabled, sFlow sampling data, sFlow collector (1.0.0.10))
As shown in Figure 1, a bidirectional traffic stream is transferred across two EX4200 switches, through interface
ge-0/0/12 on EX4200-1 and interface ge-0/0/0 on EX4200-2. The traffic stream runs between two endpoints, not
shown in the diagram, with IP addresses 5.0.0.10 and 6.0.0.10. Interface ge-0/0/12 on EX4200-1 is configured as a Layer 3
interface with IP address 20.0.0.15/24.
sFlow is enabled on ge-0/0/12 on EX4200-1 so that the sFlow agent can sample the ingress traffic stream on this
particular interface. Currently, sFlow can only be enabled on Layer 2 or Layer 3 physical interfaces.
Up to four collectors can be configured on each EX Series switch, and each collector receives the same set of sFlow
data record samples. The sFlow data records are sent as UDP packets; the default UDP port is 6343, although this
is configurable. The polling interval is the time between successive port statistics polling update messages and can range
from 0 to 3600 seconds. The sample rate means that one out of every N packets in the traffic stream is sampled; it can
differ between interfaces, and the range of the sample rate is from 100 to 1 million.
In the EX Series switch implementation, the sFlow datagram cannot be routed over the management Ethernet
interface (me0) or the virtual management interface (vme0). It can only be exported over the network Gigabit Ethernet or
10-Gigabit Ethernet ports, using valid route information in the routing table.
The key requirement is that the switch must have a route in the default global routing table pointing to the
next hop, via a network port, through which it can reach the remote collector’s IP address (in this case, the collector
has the IP address 1.0.0.10). In the example shown in Figure 1, a static route is configured on EX4200-1 which
tells the switch that interface ge-0/0/0 on EX4200-3 is the next hop for reaching the remote collector 1.0.0.10.
root@ex4200-1#
{master:0}
root@ex4200-1>
With the network data traffic stream running, the sFlow sampling data records and counter statistics records were
received on the remote collector, where the following information was captured using Wireshark version 1.1.3.
As shown in Figure 2 above, the collector with IP address 1.0.0.10 received the sFlow data records from the sFlow
agent 20.0.0.15 on EX4200-1, and most data records have seven sFlow sampled datagrams bundled. The next step is
to take a closer look at each sFlow data record packet.
As shown in Figure 3, the sampled sFlow record packet that was sent from the sFlow agent EX4200-1 to the sFlow
collector 1.0.0.10 is a UDP packet with the destination port number 6343.
Figure 4 above shows the detailed information for one of the seven flow samples that were bundled together in one
sFlow data record packet sent from the EX Series switch to the collector. It is possible to discern the following about
the network traffic stream that enters the sFlow-enabled interface ge-0/0/12 on EX4200-1:
The IP source address is 6.0.0.10.
The IP destination address is 5.0.0.10.
The DiffServ code point (DSCP) value of the packets in the stream is set to 0x28 (EF).
The traffic is UDP traffic type FTP with destination port 21.
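The fields read off Figures 2 through 4 (agent address, number of bundled samples, and the sampled packet's source, destination, DSCP and destination port) can be recovered programmatically from the exported datagram. The decoder below is an added example, not code from the application note or from Junos; it assumes the agent exports sFlow version 5, and its input datagram is constructed inline, with the sampling rate of 1000 and the ifIndex of 12 chosen as assumptions.

```python
import struct
import ipaddress

def decode_sampled_header(hdr):
    # Recover the facts the note reads off Figure 4 from a sampled Ethernet/IPv4 frame
    if struct.unpack_from("!H", hdr, 12)[0] != 0x0800:
        return None                                   # non-IPv4 frames are skipped
    ip = hdr[14:]
    return {"src": str(ipaddress.IPv4Address(ip[12:16])),
            "dst": str(ipaddress.IPv4Address(ip[16:20])),
            "dscp": ip[1] >> 2,                       # top 6 bits of the TOS byte
            "proto": ip[9],                           # 17 = UDP, 6 = TCP
            "dport": struct.unpack_from("!H", ip, (ip[0] & 0x0F) * 4 + 2)[0]}

def decode_sflow_v5(dgram):
    # sFlow is XDR-encoded (big-endian 32-bit words). Returns (agent_ip, [flow dicts]).
    version, atype = struct.unpack_from("!II", dgram, 0)
    if version != 5 or atype != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled")
    agent = str(ipaddress.IPv4Address(dgram[8:12]))
    nsamples, = struct.unpack_from("!I", dgram, 24)   # after sub-agent id, seq, uptime
    off, flows = 28, []
    for _ in range(nsamples):
        stype, slen = struct.unpack_from("!II", dgram, off)
        body, off = dgram[off + 8:off + 8 + slen], off + 8 + slen
        if stype != 1:                                # 1 = flow sample, 2 = counter sample
            continue
        rate, nrec = struct.unpack_from("!I", body, 8)[0], struct.unpack_from("!I", body, 28)[0]
        p = 32                                        # records follow the 8-word sample header
        for _ in range(nrec):
            rtype, rlen = struct.unpack_from("!II", body, p)
            if rtype == 1:                            # raw packet header record
                hlen, = struct.unpack_from("!I", body, p + 20)
                info = decode_sampled_header(body[p + 24:p + 24 + hlen])
                if info:
                    flows.append(dict(info, sampling_rate=rate))
            p += 8 + rlen
    return agent, flows

def build_constructed_datagram(n_flows=7):
    # Constructed input, not a capture: agent 20.0.0.15 bundling n_flows samples of a
    # UDP 6.0.0.10 -> 5.0.0.10:21 stream marked DSCP EF (0x28); rate 1000 is assumed
    ip = bytes([0x45, 0x28 << 2]) + struct.pack("!HHHBBH4s4s", 28, 0, 0, 64, 17, 0,
        ipaddress.IPv4Address("6.0.0.10").packed, ipaddress.IPv4Address("5.0.0.10").packed)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, 21, 8, 0)
    rec = struct.pack("!IIII", 1, len(frame), 0, len(frame)) + frame + b"\0" * (-len(frame) % 4)
    sample = struct.pack("!8I", 1, 12, 1000, 7000, 0, 12, 0, 1) + struct.pack("!II", 1, len(rec)) + rec
    hdr = struct.pack("!II4sIIII", 5, 1, ipaddress.IPv4Address("20.0.0.15").packed, 0, 1, 0, n_flows)
    return hdr + (struct.pack("!II", 1, len(sample)) + sample) * n_flows
```

Counter samples (type 2) are skipped by the decoder, so a datagram such as the one in Figure 10 yields an empty flow list while still reporting the agent address.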
In the lab network used in this example (shown in Figure 5), network port ge-0/0/0 on the EX4200-1 is used as a
dedicated management interface that is connected to the management network. To isolate the interface ge-0/0/0
from other network interfaces on the switch, interface ge-0/0/0 is placed in a separate virtual routing instance called
mgnt_net. In this example, two sFlow collectors are sitting in the management network data center, while the third
sFlow collector is connected to EX4200-1 through the regular network port.
Figure 5: sFlow monitoring with a collector in separate virtual routing instance (diagram not reproduced; labels: sFlow collector (7.0.0.10), VRF: mgnt_net, EX4200-1, GE-0/0/7, GE-0/0/0, GE-0/0/12, sFlow enabled, network traffic stream, EX4200-2, GE-0/0/0, Management Network, sFlow sampling data)
All three sFlow collectors are configured under protocol sFlow on EX4200-1:
root@ex4200-1#
The following configuration places ge-0/0/0 on EX4200-1 into the separate virtual routing instance mgnt_net to
isolate it from other network interfaces on the switch. Static routes are also configured for out-of-band management
for switch EX4200-1.
root@ex4200-1#
root@ex4200-1#
The sFlow agent EX4200-1 needs routing information in its default routing table to reach the sFlow collectors, so
that it can export the sFlow data records to the collectors through the network interfaces. As shown above, EX4200-1
can reach the collector 7.0.0.10, since this collector is connected to EX4200-1 through interface ge-0/0/7, which
belongs to the default global routing instance. Hence, there is a route to the 7.0.0.0/24 subnet in its default global
routing table.
The other collectors, 8.0.0.10 and 1.0.0.10, are connected to EX4200-1 through the “pseudo” management interface
ge-0/0/0 which belongs to a separate virtual routing instance “mgnt_net.” Therefore, EX4200-1 doesn’t have routes
to reach these two collectors in the default global routing table, and the routes only show up in the mgnt_net virtual
routing table.
In order for EX4200-1 to export sFlow data records to collectors 8.0.0.10 and 1.0.0.10 through the “pseudo”
management interface ge-0/0/0, these routes (8.0.0.10/32, 1.0.0.10/32) must be advertised from mgnt_net virtual
routing instance to the default global routing instance.
First, the policy statement must be set up so that the policy statement sflow_collector will advertise two routes
1.0.0.10/32 and 8.0.0.10/32 from virtual routing instance mgnt_net to the default global routing instance.
root@ex4200-1#
Next, the policy statement must be attached to the default global instance:
root@ex4200-1#
A quick review of the routing table shows that two more routes (1.0.0.10/32 and 8.0.0.10/32) have been redistributed
from the mgnt_net routing instance and the outgoing interface is ge-0/0/0. The forwarding table also shows the next
hop to be 30.0.0.13.
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 196 1
After starting traffic between EX4200-1 and EX4200-2, sFlow sampled records are being sent to all three collectors,
which are actually in different virtual routing instances. Figure 6 below shows the captures on collector 7.0.0.10.
A close look at the sFlow sampled data records exported to collector 8.0.0.10 (Figure 9) reveals that the
network traffic stream entering the sFlow-enabled interface ge-0/0/12 on EX4200-1 has the following patterns:
The stream’s IP source address is 6.0.0.10.
The stream’s IP destination address is 5.0.0.10.
The DSCP value of the packets in the stream is 0x28 (EF).
The traffic is UDP traffic type FTP with destination port 21.
Figure 10 below shows the captured sFlow counter sample record which is exported to collector 8.0.0.10.
Figure 10: Details of the sFlow interface counters sent to collector 8.0.0.10
Summary
The sFlow technology is used for monitoring traffic in data networks containing switches and routers. With the sFlow
implementation on Juniper Networks EX Series Ethernet Switches, sFlow data records and counters can be sampled
and exported to up to four collectors in different virtual routing instances to provide clear visibility into network traffic
patterns.
Corporate and Sales Headquarters: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888.JUNIPER (888.586.4737) or 408.745.2000. Fax: 408.745.2100. www.juniper.net
APAC Headquarters: Juniper Networks (Hong Kong), 26/F, Cityplaza One, 1111 King’s Road, Taikoo Shing, Hong Kong. Phone: 852.2332.3636. Fax: 852.2574.7803
EMEA Headquarters: Juniper Networks Ireland, Airside Business Park, Swords, County Dublin, Ireland. Phone: 35.31.8903.600. EMEA Sales: 00800.4586.4737. Fax: 35.31.8903.601
To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. All other trademarks, service marks, registered marks, or registered service marks are the property
of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document.
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.