Largely unnoticed in the move to merchant-silicon-based hardware is the industry standard sFlow instrumentation built into that hardware (Cisco Nexus 9k/3k, Arista, Juniper QFX/EX, Dell, HPE, Brocade, Cumulus, Big Switch, Pica8, Quanta, etc. – visit sFlow.org for a complete list). Chances are you have, or soon will have, sFlow-capable network equipment in your network.
Multi-vendor traffic monitoring is now a base feature of the network switches and no longer requires the cost and complexity of taps, mirror/SPAN ports, and add-on monitoring hardware. A little time spent familiarizing yourself with sFlow pays off quickly. This article discusses software-defined networking (SDN) use cases that are made possible by streaming sFlow telemetry and describes some simple steps to get started.
Telemetry & SDN
Analytics-driven SDN is poised to disrupt the router market, replacing expensive, custom hardware with commodity switches. Large, expensive routers have typically been deployed to handle the full Internet routing table, which currently consists of nearly 600,000 prefixes.
Last year, David Barroso gave a talk showing that 99% of Spotify’s Internet traffic was contained in only 20,000 prefixes. He started the SDN Internet Router project, which combines BGP routing information with sFlow telemetry to determine the active prefixes and program inexpensive white-box hardware to handle their peering. In December, Arista EOS – BGP Selective Route Download was released, delivering similar capabilities. The White box Internet router PoC used a white box switch running Cumulus Linux to demonstrate the potential for using real-time sFlow analytics to more efficiently manage hardware forwarding tables and potentially replace transit routers.
Automated traffic engineering is another use case for sFlow telemetry: the Tata Consultancy whitepaper, “Actionable Intelligence in the SDN Ecosystem: Optimizing Network Traffic through FRSA,” describes a solution for dynamically optimizing WAN paths using OpenDaylight. The CORD: Open-source spine-leaf Fabric demonstration by ON.lab, AT&T, ONF, Dell, and InMon at the 2015 Open Networking Summit used ONOS to load balance traffic in the data center.
The Real-time SDN Analytics for DDoS mitigation demonstration by Brocade and InMon won the 2014 SDN Idol competition, showing how ISPs can generate revenue from their existing equipment by combining sFlow telemetry with OpenDaylight to deliver DDoS mitigation as a service.
In the network virtualization space, Enabling extensibility in OVN by Huawei and IBM at the 2015 Fall Open vSwitch conference demonstrated sFlow telemetry and the OVN controller driving dynamic service chaining actions.
The commercial impact of sFlow-based telemetry in SDN/NFV solutions will increase in 2016 as the solutions demonstrated in 2015 are released as products and merchant-silicon-based switches continue to displace legacy hardware. Merchant silicon vendors are helping to accelerate this trend by enhancing visibility and control capabilities to support SDN. For example, Broadcom has published sFlow extensions (sFlow Broadcom Switch ASIC Table Utilization Structures and sFlow Broadcom Peak Buffer Utilization Structures) that expose capabilities of the BroadView instrumentation built into the popular Trident II and Tomahawk ASICs, augmenting the sFlow telemetry to provide visibility into the packet forwarding pipeline.
This year, invest some time to learn how to use the sFlow instrumentation built into your network equipment. You will quickly find applications for sFlow telemetry to justify the effort.
Enable sFlow Everywhere
The instrumentation is built into the switch ASICs and provides line rate monitoring at 1, 10, 25, 40, 50, and 100G. Enable sFlow on every port on every switch in the network for full visibility. Configuration is simple: Designate a server to receive the sFlow telemetry stream and configure each of the switches to send sFlow to the server. Minimal configuration is required on the switches: a polling interval for interface counters and a packet sampling rate. Start with the default 30 second polling interval and select sampling rates based on port speed using the formula, sampling rate = gigabits per second x 1000. For example, use a sampling rate setting of 10,000 for a 10G port.
sflowtool & Wireshark
Install sflowtool on the server. Sflowtool prints out the contents of the sFlow telemetry stream, verifies that sFlow is being received, and lets you see the raw data being sent. If you like developing your own solutions, sflowtool can be used with scripting languages like Python or Perl to roll your own analytics.
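As an illustration of rolling your own analytics (an added example, not code from this article or from the sflowtool project), the following Python script scales each sampled packet by its sampling rate to estimate per-destination traffic and lists destinations above a bandwidth threshold, the kind of signal a DDoS mitigation service starts from. It assumes the comma-separated FLOW records printed by sflowtool -l with the field positions noted in the comments; the sample records, the 10 second interval, and the 1 Mbit/s threshold are constructed for the example.

```python
from collections import defaultdict

# Column positions in a FLOW record (0 is the literal "FLOW").
# Assumption: layout of sflowtool -l line output; verify against your version.
DST_IP, PACKET_SIZE, SAMPLING_RATE, FIELD_COUNT = 10, 17, 19, 20

def estimate_bytes_by_dst(lines):
    """Estimate total bytes per destination IP from sampled FLOW records."""
    totals = defaultdict(int)
    for line in lines:
        fields = line.strip().split(",")
        # Skip counter records (CNTR), blank lines and truncated FLOW records.
        if fields[0] != "FLOW" or len(fields) < FIELD_COUNT:
            continue
        try:
            size = int(fields[PACKET_SIZE])
            rate = int(fields[SAMPLING_RATE])
        except ValueError:
            continue  # non-numeric field: ignore the record
        # One sample at 1-in-N sampling stands for roughly N packets.
        totals[fields[DST_IP]] += size * rate
    return dict(totals)

def heavy_destinations(lines, interval_s, threshold_bps):
    """Return (dst_ip, estimated_bps) pairs at or above threshold, largest first."""
    found = []
    for dst, nbytes in estimate_bytes_by_dst(lines).items():
        bps = nbytes * 8 / interval_s
        if bps >= threshold_bps:
            found.append((dst, bps))
    return sorted(found, key=lambda item: -item[1])

# Constructed sample input (documentation address ranges), not captured traffic.
_BIG = ("FLOW,10.0.0.254,1,2,0020cbba0b5e,00902773db08,0x0800,0,0,"
        "192.0.2.10,198.51.100.7,17,0x00,64,53,40000,0x00,1400,1382,10000")
SAMPLE = [
    _BIG, _BIG, _BIG,
    "FLOW,10.0.0.254,3,4,0020cbba0b5e,00902773db08,0x0800,0,0,"
    "192.0.2.20,203.0.113.5,6,0x00,64,34988,22,0x18,100,82,1000",
    "CNTR,10.0.0.254,1,6,10000000000,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0",
    "FLOW,10.0.0.254,1,2",  # truncated record, skipped
]

if __name__ == "__main__":
    for dst, bps in heavy_destinations(SAMPLE, interval_s=10, threshold_bps=1_000_000):
        print(f"{dst} ~{bps / 1e6:.1f} Mbit/s")
```

To run it against live telemetry, pass the lines read from the output of sflowtool -l over a fixed time window instead of SAMPLE.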
Use sflowtool to extract packet headers from the sFlow stream and convert them into standard PCAP format. For example, to launch Wireshark:
wireshark -k -i <(sflowtool -t)
Wireshark’s interactive filtering and browsing capabilities, combined with an extensive library of protocol decodes, provide the detail needed to diagnose network problems using packet headers captured by switches using sFlow. The protocol analysis capabilities of Wireshark complement the network-wide visibility provided by an sFlow analyzer, extracting additional details that are useful for troubleshooting.
Selecting an sFlow Analyzer
Experimenting with sflowtool and Wireshark is a good way to familiarize yourself with the rich set of data in the sFlow telemetry stream. However, the information is delivered in a raw form and needs processing to extract maximum value.
The sFlow architecture provides cost effective, real-time, network-wide visibility by shifting intelligence from network hardware to external software. This “software-defined analytics” approach means that selection of sFlow analysis software is the key to extracting value from the measurements in much the same way that an SDN controller is required to derive value from OpenFlow. This shift of analytics from the devices to external software creates a rich ecosystem of sFlow analytics tools targeting different use cases. A number of open-source and commercial sFlow analyzers are listed on sFlow.org.