5

Click here to load reader

Configuring NetFlow or sFlow on Network Devices

Embed Size (px)

Citation preview

Page 1: Configuring NetFlow or sFlow on Network Devices

Network Traffic Analyzer Configuring NetFlow or sFlow on Network Devices

Revision 1.2.9 - (11-03-2015)

!1

Page 2: Configuring NetFlow or sFlow on Network Devices

Introduction This document explains how to configure network devices such as Switches to send NetFlow or sFlow statistics to a Monitoring Server like BLËSK. Please take a note that commands as explained into this document may vary according to your device version and models.

Enable & Export NetFlow on Cisco IOS Device To ensure that the necessary hardware is enabled, issue the show module command, as follows:

If the NetFlow module is available, you should see something like the above. The following sequence of IOS commands can be used as a model for configuring NetFlow.

In the above example, the ip flow-export destination x.x.x.x is the IP address of the BLËSK monitoring server. The 6343 in the ip flow-export destination command example corresponds to the Local Collector UDP Port number configured for the NetFlow plugin. The flow export source interface will vary, depending on the interface providing the source traffic.

show module all Mod Submodule Model Serial No. Hw Status----+-----------------------+-----------------+------------+----+---------1 Netflow Services Card WS-F4531 JAB062209CG 0.2 Ok

router#enablePassword:*****router#configure terminalrouter-2621(config)#interface FastEthernet 0/1router-2621(config-if)#ip route-cache flowrouter-2621(config-if)#exitrouter-2621(config)#ip flow-export destination x.x.x.x 6343router-2621(config)#ip flow-export source FastEthernet 0/1router-2621(config)#ip flow-export version 5router-2621(config)#ip flow-cache timeout active 1router-2621(config)#ip flow-cache timeout inactive 15router-2621(config)#snmp-server ifindex persistrouter-2621(config)#^Zrouter#write

!2

Page 3: Configuring NetFlow or sFlow on Network Devices

Enable & Export sFlow on Brocade Device The following configuration enables sFlow monitoring of all interfaces on a Brocade FGS switch, sampling packets at 1-in-10, polling counters every 20 seconds and sending the sFlow to an analyzer (10.0.0.5) on UDP port 6343 (the default sFlow port):

Enable & Export sFlow on HP Device The commands bellow only works on the 3500/5400/8200/6200 HP products.

1. Configure a destination:

The above commands will send sFlow to the destination IP x.x.x.x which is the one used by BLËSK.

2. Enable sample rate and polling interval:

You can enable sample rate and polling interval depending of the accuracy of the received packet that you want to get. Use the ‘all’ parameter in sampling and polling parameters to enable sFlow on all interfaces.

Enable & Export sFlow on DELL Device

1. Configure a destination:

The above commands will send sFlow to the destination IP x.x.x.x which is the one used by BLESK.

2. Enable sample rate and polling interval:

The above configure the sampling packets at 1-in-1024, and polling counters every 20 seconds.

fgs(config)# int e 0/1/1 to 0/1/24fgs(config-mif-0/1/1-0/1/24)# sflow forwardingfgs(config-mif-0/1/1-0/1/24)# exitfgs(config)# sflow destination 10.0.0.5 6343fgs(config)# sflow sample 10fgs(config)# sflow polling-interval 20fgs(config)# sflow enable

hp (config)# sflow 2 destination x.x.x.x 6343

hp (config)# sflow 2 sampling all 10hp (config)# sflow 2 polling all 20

dell (config)# sflow 1 destination x.x.x.xdell (config)# sflow 1 destination owner <owner_name> timeout 4294967295

dell (config)# sflow 1 sampling ethernet 1/g1-1/g32 1024dell (config)# sflow 1 polling ethernet 1/g1-1/g32 20

!3

Page 4: Configuring NetFlow or sFlow on Network Devices

Enable & Export sFlow on a Force 10 Device

1. The following commands configure a Force10 switch (10.0.0.245), sampling packets at 1-in-512, polling counters every 30 seconds and sending the sFlow to an analyzer (10.0.0.50) over UDP using the default sFlow port (6343):

2. Then for each interface:

3. You can also use the following command to list the configuration settings:

Enable & Export sFlow on FortiGate appliances The recent FortiOS 4.0 MR2 release adds sFlow support to Fortinet's FortiGate® appliances. The following commands configure a FortiGate to sample packets at 1-in-10, poll counters every 20 seconds, and send sFlow to an analyzer (10.0.0.35) over UDP using the default sFlow port (6343):

Then for each interface:

Configure sFlow monitoring on all interfaces on the switch for full visibility. Packet sampling is implemented in hardware so all the interfaces can be monitored with very little overhead.

config> sflow collector 10.0.0.50 agent-addr 10.0.0.245config> sflow sample-rate 512config> sflow polling 30config> sflow enable

interface> sflow enable

show sflow

config system sflow set collectorip 10.0.0.35 set collectorport 6343end

config sys interface edit set sflow-sampler enable set sample-rate 10 set sample-direction both set polling-interval 20next end

!4

Page 5: Configuring NetFlow or sFlow on Network Devices

Changing the Polling Interval The polling interval defines how often sFlow byte and packet counter data for a port are sent to the sFlow collec-tor(s). If multiple ports are enabled for sFlow, the switch device staggers transmission of the counter data to smooth performance. For example, if sFlow is enabled on two ports and the polling interval is 20 seconds, the switch device sends counter data every ten seconds.

The counter data for one of the ports are sent after ten seconds, and counter data for the other port are sent after an additional ten seconds. Ten seconds later, new counter data for the first port are sent. Similarly, if sFlow is enabled on five ports and the polling interval is 20 seconds, the device sends counter data every four seconds.

The default polling interval is 20 seconds. You can change the interval to a value from 1 to any higher value. The interval value applies to all interfaces on which sFlow is enabled. If you set the polling interval to 0, counter data sampling is disabled.

Changing the Sampling Rate The sampling rate is the average ratio of the number of packets incoming on an sFlow-enabled port, to the num-ber of flow samples taken from those packets. You can change the default (global) sampling rate. You also can change the rate on an individual port, overriding the default sampling rate of 512. With a sampling rate of 512, on average, one in every 512 packets forwarded on an interface is sampled.

Configuration Considerations The sampling rate is a fraction in the form 1/N, meaning that, on average, one out of every N packets will be sampled. The sFlow sample command at the global level or port level specifies N, the denominator of the frac-tion.

Thus a higher number for the denominator means a lower sampling rate since fewer packets are sampled. Like-wise, a lower number for the denominator means a higher sampling rate because more packets are sampled. For example, if you change the denominator from 512 to 128, the sampling rate increases because four times as many packets will be sampled.

The software rounds the value you enter to the next higher odd power of 2. This value becomes the actual default sampling rate and is one of the following.

• 2 • 8 • 32 • 128 • 512 • 2048 • 8192 • 32768 • 131072 • 524288 • 2097152 • 8388608 • 33554432 • 134217728 • 536870912 • 2147483648

For example, if the configured sampling rate is 1000, then the actual rate is 2048 and 1 in 2048 packets are sam-pled by the hardware.

!5