Applies To:
Show VersionsBIG-IP AAM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
BIG-IP APM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
BIG-IP GTM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
BIG-IP Analytics
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
BIG-IP Link Controller
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
BIG-IP LTM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
BIG-IP PEM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
BIG-IP AFM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
BIG-IP ASM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Monitoring BIG-IP System Traffic with sFlow
Overview: Configuring network monitoring with sFlow
sFlow is an industry-standard technology for monitoring high-speed switched networks. You can configure the BIG-IP® system to poll internal data sources and send data samples to an sFlow receiver. You can then use the collected data to analyze the traffic that traverses the BIG-IP system. This analysis can help you understand traffic patterns and system usage for capacity planning and charge back, troubleshoot network and application issues, and evaluate the effectiveness of your security policies.
Task summary
Perform these tasks to configure performance monitoring of the BIG-IP® system using an sFlow device.Adding a performance monitoring sFlow receiver
Setting global sFlow polling intervals and sampling rates for data sources
Setting the sFlow polling interval and sampling rate for a VLAN
Setting the sFlow polling interval and sampling rate for a profile
Setting the sFlow polling interval for an interface
Viewing sFlow data sources, polling intervals, and sampling rates
sFlow receiver settings
This table names and describes the sFlow receiver settings in the Configuration utility.
Control | Default | Description |
---|---|---|
Name | no default | Specifies a name for the sFlow receiver. |
Address | no default | Specifies the IP address on which the sFlow receiver listens for UDP datagrams. |
Port | 6343 | Specifies the port on which the sFlow receiver listens for UDP datagrams. The default value is the standard sFlow port. |
Maximum Datagram Size | 1400 | Specifies the maximum size in bytes of the UDP datagram the sFlow receiver accepts. |
State | Disabled | Specifies whether the sFlow receiver is enabled or disabled. |
sFlow global settings
This table names and describes the sFlow global settings in the Configuration utility.
Control | Default | Description |
---|---|---|
Name | Based on the resource you select. | Specifies the type of resource for which you are setting the global sFlow polling interval or sampling rate, for example, interface or vlan. |
Polling Interval | 10 | Specifies the maximum interval in seconds between polling by the sFlow agent of
monitored data sources on the BIG-IP system.
Important: When multiple sFlow
receivers are configured on the BIG-IP®system, only the lowest,
non-zero Polling Interval setting is used for polling for all
configured sFlow receivers. Therefore, if you delete the sFlow receiver with the lowest,
non-zero poll interval, the system computes a new poll interval, based on the configured
sFlow receivers, and uses that polling interval for all configured sFlow
receivers.
|
Sampling Rate | 1024 | Specifies the ratio of packets observed to the number of samples you want the BIG-IP system to generate. For example, a sampling rate of 2000 specifies that one sample will be randomly generated for every 2000 packets observed. |
sFlow counters and data
This table names and categorizes the sFlow counters and informational data that the BIG-IP® system sends to sFlow receivers. Note that the resource type corresponds to the value in the Name column on the sFlow global settings screen. The table also includes the source of the data and an example value.
Counter name (resource type) | Source | Example value |
---|---|---|
ifIndex (interface) | interface_stat.if_index | 64 (You can map this value to an interface name by using snmpwalk to query ifTable, for example, snmpwalk -v 2c -c public localhost ifTable.) |
ifIndex (vlan) | ifc_stats.if_index | 112 (You can map this value to a VLAN name by using snmpwalk to query ifTable, for example, snmpwalk -v 2c -c public localhost ifTable.) |
networkType (interface) | Enumeration derived from the IANAifType-MIB (http://www.iana.org/assignments/ianaiftype-mib) | 6 |
networkType (vlan) | Enumeration derived from the IANAifType-MIB (http://www.iana.org/assignments/ianaiftype-mib) | 6 |
ifDirection (interface) | Derived from MAU MIB (RFC 2668) 0 = unknown, 1=full-duplex, 2=half-duplex, 3 = in, 4=out | 1 |
ifDirection (vlan) | Derived from MAU MIB (RFC 2668) 0 = unknown, 1=full-duplex, 2=half-duplex, 3 = in, 4=out | 1 |
ifStatus (interface) | Bit field with the following bits assigned: bit 0 = ifAdminStatus (0 = down, 1 = up), bit 1 = ifOperStatus (0 = down, 1 = up) | 3 |
ifStatus (vlan) | Bit field with the following bits assigned: bit 0 = ifAdminStatus (0 = down, 1 = up), bit 1 = ifOperStatus (0 = down, 1 = up) | 3 |
ifInOctets (interface) | interface_stat.counters.bytes_in | 9501109483 |
ifInOctets (vlan) | ifc_stats.hc_in_octets | 107777746 |
ifInUcastPkts (interface) | interface_stat.counters.pkts_in - interface_stat.counters.mcast_in - interface_stat.rx_broadcast | 54237438 |
ifInUcastPkts (vlan) | ifc_stats.hc_in_ucast_pkts | 202314 |
ifInMulticastPkts (interface) | interface_stat.counters.mcast_in | 72 |
ifInMulticastPkts (vlan) | ifc_stats.hc_in_multicast_pkts | 343987 |
ifInBroadcastPkts (interface) | interface_stat.rx_broadcast | 211 |
ifInBroadcastPkts (vlan) | ifc_stats.hc_in_broadcast_pkts | 234 |
ifInDiscards (interface) | interface_stat.counters.drops_in | 13 |
ifInDiscards (vlan) | ifc_stats.in_discards | 13 |
ifInErrors (interface) | interface_stat.counters.errors_in | 0 |
ifInErrors (vlan) | ifc_stats.in_errors | 0 |
ifInUnknownProtos (interface) | Unknown counter | 4294967295 |
ifInUnknownProtos (vlan) | ifc_stats.in_unknown_protos | 0 |
ifOutOctets (interface) | interface_stat.counters.bytes_out | 9655448619 |
ifOutOctets (vlan) | ifc_stats.hc_out_octets | 107777746 |
ifOutUcastPkts (interface) | interface_stat.counters.pkts_out - interface_stat.counters.mcast_out - interface_stat.tx_broadcast | 10838396 |
ifOutUcastPkts (vlan) | ifc_stats.hc_out_ucast_pkts | 202314 |
ifOutMulticastPkts (interface) | interface_stat.counters.mcast_out | 72 |
ifOutMulticastPkts (vlan) | ifc_stats.hc_out_multicast_pkts | 343987 |
ifOutBroadcastPkts (interface) | interface_stat.tx_broadcast | 211 |
ifOutBroadcastPkts (vlan) | ifc_stats.hc_out_broadcast_pkts | 234 |
ifOutDiscards (interface) | interface_stat.counters.drops_out | 8 |
ifOutDiscards (vlan) | ifc_stats.out_discards | 13 |
ifOutErrors (interface) | interface_stat.counters.errors_out | 0 |
ifOutErrors (vlan) | ifc_stats.out_errors | 0 |
ifPromiscuousMode (interface) | Always set to 2 (false) | 2 |
ifPromiscuousMode (vlan) | Always set to 2 (false) | 2 |
ifSpeed (interface) | An estimate of the current bandwidth of the interface in bits per second | 1000000000 |
ifSpeed (vlan) | Unknown gauge | 0 |
5s_cpu (system) | cpu_info_stat.five_sec_avg.user +cpu_info_stat.five_sec_avg.nice +cpu_info_stat.five_sec_avg.system +cpu_info_stat.five_sec_avg.iowait +cpu_info_stat.five_sec_avg.irq +cpu_info_stat.five_sec_avg.softirq +cpu_info_stat.five_sec_avg.stolen | (This value is the average system CPU usage in the last five seconds.) |
1m_cpu (system) | cpu_info_stat.one_min_avg.user + cpu_info_stat.one_min_avg.nice + cpu_info_stat.one_min_avg.system + cpu_info_stat.one_min_avg.iowait + cpu_info_stat.one_min_avg.irq + cpu_info_stat.one_min_avg.softirq + cpu_info_stat.one_min_avg.stolen | (This value is the average system CPU usage in the last one minute.) |
5m_cpu (system) | cpu_info_stat.five_min_avg.user +cpu_info_stat.five_min_avg.nice +cpu_info_stat.five_min_avg.system +cpu_info_stat.five_min_avg.iowait +cpu_info_stat.five_min_avg.irq +cpu_info_stat.five_min_avg.softirq +cpu_info_stat.five_min_avg.stolen | (This value is the average system CPU usage in the last five minutes.) |
total_memory_bytes (system) | tmm_stat.memory_total | 5561647104 (This value is the total tmm memory in bytes.) |
free_memory_bytes (system) | tmm_stat.memory_total - tmm_stat.memory_used (free tmm memory in bytes) | 5363754680 (This value is the free tmm memory in bytes.) |
method_option_count (http) | [profile_http_stat.options_reqs] | 100 |
method_get_count (http) | [profile_http_stat.get_reqs] | 100 |
method_head_count (http) | [profile_http_stat.head_reqs] | 100 |
method_post_count (http) | [profile_http_stat.post_reqs] | 100 |
method_put_count http) | [profile_http_stat.put_reqs] | 100 |
method_delete_count (http) | [profile_http_stat.delete_reqs] | 100 |
method_trace_count (http) | [profile_http_stat.trace_reqs] | 100 |
method_connect_count (http) | [profile_http_stat.connect_reqs] | 100 |
method_other_count (http) | [counters.number_reqs - (counters.options_reqs + counters.get_reqs + counters.head_reqs + counters.post_reqs + counters.put_reqs + counters.delete_reqs + counters.trace_reqs + counters.connect_reqs )] | 20 |
status_1XX_count (http) | [profile_http_stat.resp_1xx.cnt] | 100 |
status_2XX_count (http) | [profile_http_stat. resp_2xx_cnt] | 80 |
status_3XX_count (http) | [profile_http_stat. resp_3xx_cnt] | 5 |
status_4XX_count (http) | [profile_http_stat. resp_4xx_cnt] | 1 |
status_5XX_count (http) | [profile_http_stat. resp_5xx_cnt] | 2 |
status_other_count (http) | [profile_http_stat.resp_other] | 100 |
sFlow HTTP Request sampling data types
This table names and categorizes the sFlow HTTP Request sampling data types that the BIG-IP® system sends to sFlow receivers.
Data type | Description |
---|---|
sampleType_tag | A numeric value that indicates the type of traffic being sampled. |
sampleType | The name of the type of traffic being sampled. |
sampleSequenceNo | An integer that increments with each flow sample generated per sourceid. |
sourceId | A decimal representation in which the type of sFlow data
source is indicated by one of these bytes:
Note: Bytes 1-3 contain the relevant index value.
On the BIG-IP system, this is the vs-index (for virtual servers)
or if-index (for
interfaces/vlans).
|
meanSkipCount | The configured HTTP request sampling rate. |
samplePool | The total number of packets that could have been sampled, that is, the number of packets skipped by the sampling process, plus the total number of samples. |
dropEvents | The number of times the BIG-IP system detected that a packet marked to be sampled was dropped due to lack of resources. |
inputPort | The if-index of the VLAN that the sampled packet was received on. The value of this field in combination with outputPort indicates the service direction. |
outputPort | The if-index of the VLAN that the sampled packet was sent out
on. The value of this field in combination with
inPort indicates the service direction.
Note: 1073741823 is used when the VLAN ID is
unknown.
|
flowBlock_tag | An sFlow standard structure ID as defined here: http://www.slfow.org/developers/steructurs.php. The value is in this format: Enterprise:Format, for example, 0:1. |
extendedType | A string representation of the flowBlock_tag. |
proxy_socket4_ip_protocol | The IP protocol used for communications between the BIG-IP system and the pool member that handled the traffic. The value is an integer, for example, TCP =6 and UDP =17. |
proxy_socket4_local_ip | The internal IP address of the BIG-IP system. |
proxy_socket4_remote_ip | The IP address of the pool member that handled the traffic. |
proxy_socket4_local_port | The internal port on the BIG-IP system. |
proxy_socket4_remote_port | The internal port of the pool member that handled the traffic. |
socket4_ip_protocol | The IP protocol used for communications between the BIG-IP system and the client represented by an integer, for example, TCP =6 and UDP=17. |
socket4_local_ip | The external IP address the BIG-IP system uses to communicate with the client. |
socket4_remote_ip | The IP address of the client. |
socket4_local_port | The external port the BIG-IP system uses to communicate with the client. |
socket4_remote_port | The port of the client. |
flowSampleType | The type of traffic being sampled. |
http_method | The HTTP method in the request header that was sampled. |
http_protocol | The version of the HTTP protocol in the request header that was sampled. |
http_uri | The URI in the request header that was sampled. |
http_host | The host value in the request header that was sampled. |
http_referrer | The referrer value in the request header that was sampled. |
http_useragent | The User-Agent value in the request header that was sampled. |
http_xff | The X-Forwarded-For value in the request header that was sampled. |
http_authuser | The identity of the user in the request header as stated in RFC 1413. |
http_mime-type | The Mime-Type of response sent to the client. |
http_req_bytes | The length of the request that was sampled in bytes. |
http_bytes | The length of the response that was sampled in bytes. |
http_duration_uS | The duration of the communication between the BIG-IP system and the HTTP server/pool member in microseconds. |
http_status | The HTTP status code in the response that was sampled. |
startDatagram ================= datagramSourceIP 10.0.0.0 datagramSize 376 unixSecondsUTC 1370017719 datagramVersion 5 agentSubId 3 agent 192.27.88.20 packetSequenceNo 16 sysUpTime 1557816000 samplesInPacket 1 startSample ------------------- sampleType_tag 0:1 sampleType FLOWSAMPLE sampleSequenceNo 1 sourceId 3:2 meanSkipCount 1 samplePool 1 dropEvents 0 inputPort 352 outputPort 1073741823 flowBlock_tag 0:2102 extendedType proxy_socket4 proxy_socket4_ip_protocol 6 proxy_socket4_local_ip 10.1.0.0 proxy_socket4_remote_ip 10.1.0.0 proxy_socket4_local_port 40451 proxy_socket4_remote_port 80 flowBlock_tag 0:2100 extendedType socket4 socket4_ip_protocol 6 socket4_local_ip 10.0.0.0 socket4_remote_ip 10.0.0.0 socket4_local_port 80 socket4_remote_port 40451 flowBlock_tag 0:2206 flowSampleType http http_method 2 http_protocol 1001 http_uri /index.html http_host 10.10.10.250 http_referrer http://asdfasdfasdf.asdf http_useragent curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2 http_authuser Aladdin http_mimetype text/html; charset=UTF-8 http_request_bytes 340 http_bytes 8778 http_duration_uS 1930 http_status 200 endSample ---------------------- endDatagram ======================
sFlow VLAN sampling data types
This table names and categorizes the sFlow VLAN sampling data types that the BIG-IP® system sends to sFlow receivers.
Data type | Description |
---|---|
sampleType_tag | A numeric value for the type of traffic being sampled. |
sampleType | The name of the type of traffic being sampled. |
sampleSequenceNo | An integer that increments with each flow sample generated per sourceid. |
sourceId | A decimal value in which the type of sFlow data source is
indicated by one of the bytes:
Note: Bytes 1-3 contain the relevant index value.
On the BIG-IP system, this is the vs-index (for virtual servers)
and the if-index (for
interfaces/VLANs).
|
meanSkipCount | The configured packet sampling rate. |
samplePool | The total number of packets that could have been sampled, that is, the number of packets skipped by the sampling process, plus the total number of samples. |
dropEvents | The number of times the BIG-IP system detected that a packet marked to be sampled was dropped due to lack of resources. |
inputPort | The if-index of the VLAN that the sampled packet was received on. The value of this field in combination with outputPort indicates the service direction. |
outputPort | The if-index of the VLAN that the sampled packet was sent out
on. The value of this field in combination with
inPort indicates the service direction.
Note: 1073741823 is used when the VLAN ID is
unknown.
|
flowBlock_tag | An sFlow standard structure ID as defined here: http://www.slfow.org/developers/steructurs.php, and in this format: Enterprise:Format, for example, 0:1. |
flowSampleType | The type of traffic being sampled. |
headerProtocol | A numeric value for the type of header. |
sampledPacketSize | The size in bytes of the packet that was sampled. |
strippedBytes | The number of octets removed from the packet before extracting the header octets. |
headerLen | The length of the header in bytes. |
headerBytes | The exact bytes extracted from the header. |
IPSize | The size of the packet that was sampled including the IP header. |
ip.tot_len | The original length of the packet before sampling. |
srcIP | The source IP address of the sampled packet. |
dstIP | The destination IP address of the sampled packet. |
IPProtocol | The protocol used to send the packet. |
IPTOS | A numeric value representing the type of service. |
IPTTL | The time to live of the IP address in the header of the packet that was sampled. |
TCPSrcPort or UDPSrcPort | The port the client uses for communication with the BIG-IP system. |
TCPDstPort or UDPDstPort | The port the BIG-IP system uses for communication with the client. |
TCPFlags | A decimal representation of the TCP header flags in the
sampled packet.
Note: This value is sent only when the
sampled traffic is TCP.
|
extendedType | A string representation of the flowBlock_tag. |
in_vlan | A numeric ID for the 8021.1Q VLAN ID of the incoming frame. |
in_priority | A numeric value that represents the 802.1p priority of the incoming frame. |
out_vlan | A numeric ID for the 8021.1Q VLAN ID of the outgoing frame. |
out_priority | A numeric value that represents the 802.1p priority of the outgoing frame. |
startDatagram ============================================= datagramSourceIP 10.0.0.0 datagramSize 180 unixSecondsUTC 1370016982 datagramVersion 5 agentSubId 2 agent 192.27.88.20 packetSequenceNo 1 sysUpTime 1557079000 samplesInPacket 1 startSample ----------------------------------------------- sampleType_tag 0:1 sampleType FLOWSAMPLE sampleSequenceNo 1 sourceId 0:352 meanSkipCount 128 samplePool 38 dropEvents 0 inputPort 352 outputPort 1073741823 flowBlock_tag 0:1 flowSampleType HEADER headerProtocol 1 sampledPacketSize 66 strippedBytes 0 headerLen 64 headerBytes 00-01-D7-E6-8A-03-00-50-56-01-10-0E-08-00-45-00-00- 34-D8-A4-40-00-40-06-39-10-0A-0A-0A-02-0A-0A-0A-FA-9D-77-00-50- 33-97-00-00-EA-00-5D-80-80-10-00-FA-AF-B0-00-00-01-01-08-0A-44- 4B-27-FA-67-51 dstMAC 0001d7e68a03 srcMAC 00505601100e IPSize 52 ip.tot_len 52 srcIP 10.0.0.0 dstIP 10.0.0.1 IPProtocol 6 IPTOS 0 IPTTL 64 TCPSrcPort 40311 TCPDstPort 80 TCPFlags 16 flowBlock_tag 0:1001 extendedType SWITCH in_vlan 3195 in_priority 0 out_vlan 0 out_priority 0 endSample --------------------------------------------------- endDatagram =================================================
Implementation result
You now have an implementation in which the BIG-IP® system periodically sends data samples to an sFlow receiver, and you can use the collected data to analyze the performance of the BIG-IP system.