Re: sampling of incoming/outgoing traffic

From: Jay A. Kreibich <jak@uiuc.edu>
Date: 11/17/05
Message-ID: <20051117210254.GA26941@uiuc.edu>

On Thu, Nov 17, 2005 at 12:17:54PM +0100, Juraj Sucik scratched on the wall:
> Hello,
>
> I've read a specification of sFlow (RFC 3176), but it is not clear if
> the inbound, outbound or both direction traffic is sampled.

  For any given system, traffic should only be sampled once as
  defined by the sFlow concept of a "flow." The RFC is not specific
  about if this is inbound or outbound for a given interface-- I think
  the authors assumed sFlow was on for all interfaces or it wasn't.
  That kind of leaves per-interface semantics up to the implementation.
  Force 10 is nice enough to keep all their manuals behind closed
  doors, so I wasn't able to do any additional research.
 
  In general, however, the RFC seems to indicate this sampling
  should happen in the forwarding engine before the traffic is passed
  to the outbound interfaces. In other words, we need to know that A)
  the traffic WILL be forwarded (or at least attempted), and B) what
  interface we are going to forward it to, but we don't actually have
  to outbound queue the traffic before the sample is taken:

  RFC 3176, Section 2.1, PP 2:

        Sampling flows is accomplished as follows: When a packet
        arrives on an interface, a filtering decision is made that
        determines whether the packet should be dropped. If the
        packet is not filtered a destination interface is assigned
        by the switching/routing function. At this point a
        decision is made on whether or not to sample the packet.

  In fact, the paragraph before this warns that outbound interfaces are
  likely a bad place to do sampling, because broadcast and multicast
  traffic may have multiple outbound interfaces, which would
  statistically increase the likelihood of broad/multi-cast traffic
  being sampled (and that's a no-no, according to the spec).

  This isn't to say that Force10's system is wrong-- they might define
  per-interface semantics as outbound, but still do the (correct)
  sampling within their forwarding engine. To be honest, I'd have my
  doubts, however. If you need specific information on the flow
  selection system, I suggest you contact a sales engineer.

> I have enabled sFlow on one of the interfaces (let's call it interface A) in
> Force10 E1200 router, but it seems the router samples only outgoing traffic
> from that interface. Do I need to enable sflow on the other interfaces
> as well if I want to have packets incoming to interface A sampled
> (although sampled on a different interface)?

  It would appear so, in this case. The sFlow concept of a flow and
  how they are sampled doesn't force an inbound/outbound situation (you
  could, in theory, build an sFlow engine that sampled every flow that
  "involved" interface A, rather than was inbound OR outbound for it), but
  most hardware systems are likely to attach a direction to enabling
  sFlow on specific interfaces.

   -j

-- 
                     Jay A. Kreibich | CommTech, Emrg Net Tech Svcs
                        jak@uiuc.edu | Campus IT & Edu Svcs
          <http://www.uiuc.edu/~jak> | University of Illinois at U/C
Received on Thu Nov 17 13:05:35 2005
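
The multicast over-sampling described in the message above, as an added example that is not part of the original post or of any vendor's code: it compares one sampling decision per packet in the forwarding engine against one decision per replicated copy at the egress interfaces. The traffic mix, the 1-in-100 rate and all function names are constructed for illustration.

```python
import random

def sample_counts(packets, rate, seed=2005):
    """Count sampled packets per traffic kind at two sampling points.

    packets: iterable of (kind, egress_copies) tuples.
    rate:    sample 1 packet in `rate` on average.
    """
    rng = random.Random(seed)            # fixed seed: repeatable run
    p = 1.0 / rate
    forwarding = {"unicast": 0, "multicast": 0}
    egress = {"unicast": 0, "multicast": 0}
    for kind, copies in packets:
        # Forwarding engine: one decision per packet, made after the
        # destination interface(s) are assigned (RFC 3176, sec. 2.1).
        if rng.random() < p:
            forwarding[kind] += 1
        # Egress interfaces: one decision per replicated copy, so a
        # packet sent out 4 ports gets 4 chances to be sampled.
        for _ in range(copies):
            if rng.random() < p:
                egress[kind] += 1
    return forwarding, egress

def multicast_share(counts):
    """Fraction of the collected samples that are multicast."""
    total = counts["unicast"] + counts["multicast"]
    return counts["multicast"] / total if total else 0.0

def constructed_traffic(n=400_000, multicast_every=10, fanout=4):
    """Constructed mix: 10% multicast, each replicated to `fanout` ports."""
    return [("multicast", fanout) if i % multicast_every == 0
            else ("unicast", 1) for i in range(n)]

def run(rate=100):
    """Return (forwarding-engine share, per-egress-copy share)."""
    fwd, out = sample_counts(constructed_traffic(), rate)
    return multicast_share(fwd), multicast_share(out)

if __name__ == "__main__":
    fwd_share, out_share = run()
    print("true multicast share:        0.100")
    print(f"forwarding-engine estimate:  {fwd_share:.3f}")
    print(f"per-egress-copy estimate:    {out_share:.3f}")
```

With this mix, the per-egress-copy estimate converges on 0.4/1.3 (about 0.31) rather than the true 0.10, so a collector scaling those samples back up would overstate multicast volume roughly threefold.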
