Enterasys Networks 9034313-07 manual Packet Flow Sampling, Counter Sampling, Usage Notes

Packet Flow Sampling

The packet flow sampling mechanism carried out by each sFlow Instance ensures that any packet observed at a Data Source has an equal chance of being sampled, irrespective of the packet flow(s) to which it belongs.

Packet flow sampling is accomplished as follows:

1.When a packet arrives on an interface, the Network Device makes a filtering decision to determine whether the packet should be dropped.

2.If the packet is not filtered (dropped), a destination interface is assigned by the switching/ routing function.

3.At this point, a decision is made on whether or not to sample the packet. The mechanism involves a counter that is decremented with each packet. When the counter reaches zero a sample is taken.

4.When a sample is taken, the counter indicating how many packets to skip before taking the next sample is reset. The value of the counter is set to a random integer where the sequence of random integers used over time is the Sampling Rate.

Packet flow sampling results in the generation of Packet Flow Records. A Packet Flow Record contains information about the attributes of a packet flow, including:

•Information on the packet itself — a packet header, packet length, and packet encapsulation.

•Information about the path the packet took through the device, including information relating to the selection of the forwarding path.

Counter Sampling

The primary objective of the counter sampling is to, in an efficient way, periodically export counters associated with Data Sources. A maximum sampling interval is assigned to each sFlow Instance associated with a Data Source.

Counter sampling is accomplished as follows:

1.The sFlow Agent keep a list of counter sources being sampled.

2.When a Packet Flow Sample is generated, the sFlow Agent examines the list of counter sources and adds counters to the sample datagram, least recently sampled first.

Counters are only added to the datagram if the sources are within a short period, 5 seconds say, of failing to meet the required sampling interval.

3.Periodically, say every second, the sFlow Agent examines the list of counter sources and sends any counters that need to be sent to meet the sampling interval requirement.

The set of counters is a fixed set defined in Section 5 of the document entitled “sFlow Version 5” available from sFlow.org (http://www.sflow.org).

Usage Notes

Although the switch hardware has the capability to sample packets on any port, to ensure that CPU utilitization is not compromised, the number of sFlow samplers that can be configured per switch or stack of switches is limited to a maximum of 32. There is no limitation on the number of pollers that can be configured.

Under certain circumstances, the switch will drop packet samples that the sFlow implementation is not able to count and therefore cannot correctly report sample_pool and drops fields of flow samples sent to the sFlow Collector. Under heavy load, this sample loss could be significant and could therefore affect the accuracy of the sampling analysis.

SecureStack C3 Configuration Guide 28-3