
Cumulus Networks sFlow Configuration

scott

I have been working with a number of customers recently who use Cumulus Networks sFlow as a means to monitor network traffic.

Cumulus Networks designs and sells a Linux operating system for industry standard network switches to deliver networking solutions for large data center, cloud computing, and enterprise environments.


The basic concepts of networking do not change; these skills are essential to designing, automating, operating, and troubleshooting data center networks. Open networking platforms such as Cumulus Linux are an important piece of the automation puzzle, taking networking out of its silo and allowing a combined NetDevOps team to manage network, server, and application resources.

Using Cumulus Networks sFlow exports, administrators gain additional observation points and visibility into network traffic traversing these switches.

Let’s take a look at how to do the Cumulus Networks sFlow configuration

The first thing to note is that Cumulus Linux presents the switch as a server with a large number of network adapters, an abstraction that will be instantly familiar to anyone with server management experience.

The first step is to install and configure the Host sFlow agent.

The following command installs the Host sFlow agent on a Cumulus Linux switch:

sudo apt-get install hsflowd

The sFlow agent requires very little configuration. It automatically monitors all switch ports using the following default settings:

Link Speed    Sampling Rate    Polling Interval
1 Gbit/s      1-in-1,000       30 seconds
10 Gbit/s     1-in-10,000      30 seconds
40 Gbit/s     1-in-40,000      30 seconds
100 Gbit/s    1-in-100,000     60 seconds

Once you have installed the Host sFlow agent, there are a couple of configuration mechanisms available to tell the agent where to send the measurements:

DNS Service Discovery (DNS-SD)

This is the default configuration mechanism for Host sFlow agents.

DNS-SD uses a special type of DNS record (the SRV record) that allows hosts to automatically discover servers.

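For example, adding the following lines to the site DNS zone file will enable sFlow on all the agents and direct the sFlow exports to an sFlow analyzer (10.0.0.1). An SRV record names a port and a target host rather than an address, so the record points at the standard sFlow port (6343) and a host name, here the placeholder collector, which an A record resolves to 10.0.0.1:

_sflow._udp 300 SRV 0 0 6343 collector
collector 300 A 10.0.0.1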

No Host sFlow agent-specific configuration is required, as each switch or host will automatically pick up the settings upon install, when the device is restarted, or if settings on the DNS server are changed.

You can modify the default sampling rates and the polling interval by adding a TXT record to the zone file.

For example, the following TXT record reduces the sampling rate on 10G links to 1-in-2000 and the polling interval to 20 seconds:

_sflow._udp 300 TXT (
"txtvers=1"
"sampling.10G=2000"
"polling=20"
)

We recommend that the polling interval be set to 60 seconds.

Next step is to edit the configuration file

You configure the Host sFlow agent by editing the /etc/hsflowd.conf file.

For example, the following configuration disables DNS-SD, instructs the agent to send sFlow to 10.0.0.1, and reduces the sampling rate on 10G links to 1-in-2000 and the polling interval to 20 seconds:

sflow {
  DNSSD = off
  polling = 20
  sampling.10G = 2000
  collector {
    ip = 10.0.0.1
  }
}

You must restart the Host sFlow agent with the following command in order for configuration changes to take effect:

sudo /etc/init.d/hsflowd restart

All hosts and switches can share the same settings and it is straightforward to use orchestration tools such as Puppet, Chef, etc. to manage the sFlow settings.
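When the same file is pushed to every switch, it is worth checking that each copy still sends its samples only where intended. The following is an added example, not part of hsflowd or the original post: it parses the /etc/hsflowd.conf layout shown above and reports drift from a site policy. The function names, the approved-collector list and the policy itself (DNS-SD off, polling no higher than the 60 seconds recommended above) are assumptions.

```python
import ipaddress
import re

# Constructed sample: the static configuration shown above.
SAMPLE_CONF = """
sflow {
  DNSSD = off
  polling = 20
  sampling.10G = 2000
  collector {
    ip = 10.0.0.1
  }
}
"""

def parse_hsflowd(text):
    """Parse 'name { key = value }' blocks into dicts; repeated blocks become lists."""
    tokens = re.findall(r"[{}=]|[^\s{}=]+", re.sub(r"#.*", "", text)) + [None]
    pos = 0
    def block(closer):
        nonlocal pos
        out = {}
        while tokens[pos] != closer:
            name = tokens[pos]
            sep = tokens[pos + 1] if name not in ("{", "}", "=", None) else None
            if sep == "{":
                pos += 2
                out.setdefault(name, []).append(block("}"))
                pos += 1  # step over the closing brace
            elif sep == "=" and tokens[pos + 2] not in ("{", "}", "=", None):
                out[name] = tokens[pos + 2]
                pos += 3
            else:
                raise ValueError(f"malformed hsflowd.conf near token {pos}: {name!r}")
        return out
    return block(None)

def audit(text, approved, max_polling=60):
    """Drift findings against a hypothetical site policy (static collector, no DNS-SD)."""
    sflow = parse_hsflowd(text).get("sflow", [{}])[0]
    findings = [] if sflow.get("DNSSD") == "off" else ["DNSSD is not set to off"]
    ips = [c.get("ip", "0.0.0.0") for c in sflow.get("collector", [])]  # no ip: unapproved
    if not ips:
        findings.append("no collector block")
    ok = {ipaddress.ip_address(a) for a in approved}
    findings += [f"collector {ip} is not approved" for ip in ips
                 if ipaddress.ip_address(ip) not in ok]
    if int(sflow.get("polling", 0)) > max_polling:
        findings.append(f"polling {sflow['polling']}s exceeds {max_polling}s")
    return findings
```

Calling audit(SAMPLE_CONF, ["10.0.0.1"]) returns an empty list; any non-empty result names the setting that no longer matches the policy.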

Configuration is complete, what do we gain?

Network traffic monitoring using flow technologies offers visibility into communication behaviors, baseline maintenance, and detection of advanced persistent threats. These days, whether the corporate network has been compromised is not a matter of “if,” it is a matter of “when.” Therefore, insight into the traffic on the network, no matter the observation point, gives the administrator the ability to efficiently investigate network intrusions and take corrective actions.

Network traffic intelligence using flow technologies gives administrators access to all of the conversations traversing the network. When security professionals need to go back in time and view a communication pattern, they can find the flows that contain the conversations that they want to investigate.

Do you have the visibility into network traffic moving across your Cumulus switches? Contact our support team if you want to learn more or need help with configurations.