Manual Chapter : Monitoring BIG-IP System Traffic with sFlow

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 12.1.1, 12.1.0

BIG-IP APM

  • 12.1.1, 12.1.0

BIG-IP Link Controller

  • 12.1.1, 12.1.0

BIG-IP Analytics

  • 12.1.1, 12.1.0

BIG-IP LTM

  • 12.1.1, 12.1.0

BIG-IP PEM

  • 12.1.1, 12.1.0

BIG-IP AFM

  • 12.1.1, 12.1.0

BIG-IP DNS

  • 12.1.1, 12.1.0

BIG-IP ASM

  • 12.1.1, 12.1.0
Manual Chapter

Monitoring BIG-IP System Traffic with sFlow

Overview: Configuring network monitoring with sFlow

sFlow is an industry-standard technology for monitoring high-speed switched networks. You can configure the BIG-IP® system to poll internal data sources and send data samples to an sFlow receiver. You can then use the collected data to analyze the traffic that traverses the BIG-IP system. This analysis can help you understand traffic patterns and system usage for capacity planning and charge back, troubleshoot network and application issues, and evaluate the effectiveness of your security policies.

Task summary

Perform these tasks to configure performance monitoring of the BIG-IP® system using an sFlow device.

Adding a performance monitoring sFlow receiver

Gather the IP addresses of the sFlow receivers that you want to add to the BIG-IP® system configuration. You can use IPv4 and IPv6 addresses.
Note: You can add an sFlow receiver to the BIG-IP system only if you are assigned either the Resource Administrator or Administrator user role. 
Add an sFlow receiver to the BIG-IP system when you want to use the receiver to monitor system performance.
  1. On the Main tab, click System > sFlow > Receiver List .
    The sFlow screen opens.
  2. Click Add.
    The New Receiver properties screen opens.
  3. In the Name field, type a name for the sFlow receiver.
  4. In the Address field, type the IPv4 or IPv6 address on which the sFlow receiver listens for UDP datagrams.
    Note: The IP address of the sFlow receiver must be reachable from a self IP address on the BIG-IP system.
  5. From the State list, select Enabled.
  6. Click Finished.

Setting global sFlow polling intervals and sampling rates for data sources

You can configure the global sFlow polling intervals and sampling rates for data sources on the BIG-IP® system, only if you are assigned either the Resource Administrator or Administrator user role.
You can configure separate sFlow global polling intervals for the system, VLANs, interfaces, and HTTP profiles, and separate sFlow global sampling rates for VLANs and HTTP profiles.
  1. On the Main tab, click System > sFlow > Global Settings .
    The sFlow screen opens.
  2. In the Name column, click a type of data source.
    The properties screen for that type of data source opens.
  3. In the Polling Interval field, type the maximum interval in seconds between polling by the sFlow agent.
  4. In the Sampling Rate field, type the ratio of packets observed to the number of samples you want the BIG-IP system to generate.
    For example, a sampling rate of 2000 specifies that one sample will be randomly generated for every 2000 packets observed.
  5. Click Update.
  6. Repeat this procedure to set the global polling interval and sampling rate for the other types of data sources.
    Note: You cannot configure sampling rates for the system or interface data sources.

Setting the sFlow polling interval and sampling rate for a VLAN

You can configure the sFlow polling interval and sampling rate for a specific VLAN, only if you are assigned either the Resource Administrator or Administrator user role.
Change the sFlow settings for a specific VLAN when you want the traffic flowing through the VLAN to be sampled at a different rate than the global sFlow settings on the BIG-IP® system.
  1. On the Main tab, click Network > VLANs .
    The VLAN List screen opens.
  2. Select a VLAN in the Name column.
    The New VLAN screen opens.
  3. From the Polling Interval list, select Specify, and type the maximum interval in seconds between polling by the sFlow agent of this VLAN.
  4. From the Sampling Rate list, select Specify, and type the ratio of packets observed at this VLAN to the samples you want the BIG-IP system to generate.
    For example, a sampling rate of 2000 specifies that 1 sample will be randomly generated for every 2000 packets observed.
  5. Click Update.

Setting the sFlow polling interval and sampling rate for a profile

You can configure the sFlow polling interval and sampling rate for an HTTP profile, only if you are assigned either the Resource Administrator or Administrator user role.
Change the sFlow settings for a specific HTTP profile when you want the traffic flowing through the virtual server (to which the profile is assigned) to be sampled at a different rate than the global sFlow settings on the BIG-IP® system.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP .
    The HTTP profile list screen opens.
  2. Click the name of a profile.
  3. From the Polling Interval list, select Specify, and type the maximum interval in seconds between polling by the s Flow agent of this profile.
  4. From the Sampling Rate list, select Specify, and type the ratio of packets observed at the virtual server associated with this profile to the samples you want the BIG-IP system to generate.
    For example, a sampling rate of 2000 specifies that one sample will be randomly generated for every 2000 packets observed.
  5. Click Update.

Setting the sFlow polling interval for an interface

You can configure the sFlow polling interval for a specific interface, only if you are assigned either the Resource Administrator or Administrator user role.
Change the sFlow settings for a specific interface when you want the traffic flowing through the interface to be sampled at a different rate than the global sFlow settings on the BIG-IP® system.
  1. On the Main tab, click Network > Interfaces > Interface List .
    The Interface List screen displays the list of interfaces on the system.
  2. In the Name column, click an interface number.
    This displays the properties of the interface.
  3. From the Polling Interval list, select Specify, and type the maximum interval in seconds between polling by the sFlow agent of this interface.
  4. Click the Update button.

Viewing sFlow data sources, polling intervals, and sampling rates

You can view details about the data sources that the BIG-IP® system can poll for information to send to your sFlow receivers. For example, you can view current polling intervals and sampling rates, or determine if you want to add or remove specific data sources.
  1. On the Main tab, click System > sFlow > Data Sources .
    The sFlow Data Sources HTTP screen opens. You can view information about the virtual server that is the data source.
  2. On the menu bar, click Data Sources, and select Interfaces.
    The sFlow Data Sources HTTP screen opens. You can view information about the interface that is the sFlow data source.
  3. On the menu bar, click Data Sources, and select System.
    The sFlow Data Sources HTTP screen opens. You can view information about the system that is the sFlow data source.
  4. On the menu bar, click Data Sources and select VLAN.
    =The sFlow Data Sources HTTP screen opens. You can view information about the VLAN that is the sFlow data source.

sFlow receiver settings

This table names and describes the sFlow receiver settings in the Configuration utility.

Control Default Description
Name no default Specifies a name for the sFlow receiver.
Address no default Specifies the IP address on which the sFlow receiver listens for UDP datagrams.
Port 6343 Specifies the port on which the sFlow receiver listens for UDP datagrams. The default value is the standard sFlow port.
Maximum Datagram Size 1400 Specifies the maximum size in bytes of the UDP datagram the sFlow receiver accepts.
State Disabled Specifies whether the sFlow receiver is enabled or disabled.

sFlow global settings

This table names and describes the sFlow global settings in the Configuration utility.

Control Default Description
Name Based on the resource you select. Specifies the type of resource for which you are setting the global sFlow polling interval or sampling rate, for example, interface or vlan.
Polling Interval 10 Specifies the maximum interval in seconds between polling by the sFlow agent of monitored data sources on the BIG-IP system.
Important: When multiple sFlow receivers are configured on the BIG-IP®system, only the lowest, non-zero Polling Interval setting is used for polling for all configured sFlow receivers. Therefore, if you delete the sFlow receiver with the lowest, non-zero poll interval, the system computes a new poll interval, based on the configured sFlow receivers, and uses that polling interval for all configured sFlow receivers.
Sampling Rate 1024 Specifies the ratio of packets observed to the number of samples you want the BIG-IP system to generate. For example, a sampling rate of 2000 specifies that one sample will be randomly generated for every 2000 packets observed.

sFlow counters and data

This table names and categorizes the sFlow counters and informational data that the BIG-IP® system sends to sFlow receivers. Note that the resource type corresponds to the value in the Name column on the sFlow global settings screen. The table also includes the source of the data and an example value.

Counter name (resource type) Source Example value
ifIndex (interface) interface_stat.if_index 64 (You can map this value to an interface name by using snmpwalk to query ifTable, for example, snmpwalk -v 2c -c public localhost ifTable.)
ifIndex (vlan) ifc_stats.if_index 112 (You can map this value to a VLAN name by using snmpwalk to query ifTable, for example, snmpwalk -v 2c -c public localhost ifTable.)
networkType (interface) Enumeration derived from the IANAifType-MIB (http://www.iana.org/assignments/ianaiftype-mib) 6
networkType (vlan) Enumeration derived from the IANAifType-MIB (http://www.iana.org/assignments/ianaiftype-mib) 6
ifDirection (interface) Derived from MAU MIB (RFC 2668) 0 = unknown, 1=full-duplex, 2=half-duplex, 3 = in, 4=out 1
ifDirection (vlan) Derived from MAU MIB (RFC 2668) 0 = unknown, 1=full-duplex, 2=half-duplex, 3 = in, 4=out 1
ifStatus (interface) Bit field with the following bits assigned: bit 0 = ifAdminStatus (0 = down, 1 = up), bit 1 = ifOperStatus (0 = down, 1 = up) 3
ifStatus (vlan) Bit field with the following bits assigned: bit 0 = ifAdminStatus (0 = down, 1 = up), bit 1 = ifOperStatus (0 = down, 1 = up) 3
ifInOctets (interface) interface_stat.counters.bytes_in 9501109483
ifInOctets (vlan) ifc_stats.hc_in_octets 107777746
ifInUcastPkts (interface) interface_stat.counters.pkts_in - interface_stat.counters.mcast_in - interface_stat.rx_broadcast 54237438
ifInUcastPkts (vlan) ifc_stats.hc_in_ucast_pkts 202314
ifInMulticastPkts (interface) interface_stat.counters.mcast_in 72
ifInMulticastPkts (vlan) ifc_stats.hc_in_multicast_pkts 343987
ifInBroadcastPkts (interface) interface_stat.rx_broadcast 211
ifInBroadcastPkts (vlan) ifc_stats.hc_in_broadcast_pkts 234
ifInDiscards (interface) interface_stat.counters.drops_in 13
ifInDiscards (vlan) ifc_stats.in_discards 13
ifInErrors (interface) interface_stat.counters.errors_in 0
ifInErrors (vlan) ifc_stats.in_errors 0
ifInUnknownProtos (interface) Unknown counter 4294967295
ifInUnknownProtos (vlan) ifc_stats.in_unknown_protos 0
ifOutOctets (interface) interface_stat.counters.bytes_out 9655448619
ifOutOctets (vlan) ifc_stats.hc_out_octets 107777746
ifOutUcastPkts (interface) interface_stat.counters.pkts_out - interface_stat.counters.mcast_out - interface_stat.tx_broadcast 10838396
ifOutUcastPkts (vlan) ifc_stats.hc_out_ucast_pkts 202314
ifOutMulticastPkts (interface) interface_stat.counters.mcast_out 72
ifOutMulticastPkts (vlan) ifc_stats.hc_out_multicast_pkts 343987
ifOutBroadcastPkts (interface) interface_stat.tx_broadcast 211
ifOutBroadcastPkts (vlan) ifc_stats.hc_out_broadcast_pkts 234
ifOutDiscards (interface) interface_stat.counters.drops_out 8
ifOutDiscards (vlan) ifc_stats.out_discards 13
ifOutErrors (interface) interface_stat.counters.errors_out 0
ifOutErrors (vlan) ifc_stats.out_errors 0
ifPromiscuousMode (interface) Always set to 2 (false) 2
ifPromiscuousMode (vlan) Always set to 2 (false) 2
ifSpeed (interface) An estimate of the current bandwidth of the interface in bits per second 1000000000
ifSpeed (vlan) Unknown gauge 0
5s_cpu (system) cpu_info_stat.five_sec_avg.user +cpu_info_stat.five_sec_avg.nice +cpu_info_stat.five_sec_avg.system +cpu_info_stat.five_sec_avg.iowait +cpu_info_stat.five_sec_avg.irq +cpu_info_stat.five_sec_avg.softirq +cpu_info_stat.five_sec_avg.stolen (This value is the average system CPU usage in the last five seconds.)
1m_cpu (system) cpu_info_stat.one_min_avg.user + cpu_info_stat.one_min_avg.nice + cpu_info_stat.one_min_avg.system + cpu_info_stat.one_min_avg.iowait + cpu_info_stat.one_min_avg.irq + cpu_info_stat.one_min_avg.softirq + cpu_info_stat.one_min_avg.stolen (This value is the average system CPU usage in the last one minute.)
5m_cpu (system) cpu_info_stat.five_min_avg.user +cpu_info_stat.five_min_avg.nice +cpu_info_stat.five_min_avg.system +cpu_info_stat.five_min_avg.iowait +cpu_info_stat.five_min_avg.irq +cpu_info_stat.five_min_avg.softirq +cpu_info_stat.five_min_avg.stolen (This value is the average system CPU usage in the last five minutes.)
total_memory_bytes (system) tmm_stat.memory_total 5561647104 (This value is the total tmm memory in bytes.)
free_memory_bytes (system) tmm_stat.memory_total - tmm_stat.memory_used (free tmm memory in bytes) 5363754680 (This value is the free tmm memory in bytes.)
method_option_count (http) [profile_http_stat.options_reqs] 100
method_get_count (http) [profile_http_stat.get_reqs] 100
method_head_count (http) [profile_http_stat.head_reqs] 100
method_post_count (http) [profile_http_stat.post_reqs] 100
method_put_count http) [profile_http_stat.put_reqs] 100
method_delete_count (http) [profile_http_stat.delete_reqs] 100
method_trace_count (http) [profile_http_stat.trace_reqs] 100
method_connect_count (http) [profile_http_stat.connect_reqs] 100
method_other_count (http) [counters.number_reqs - (counters.options_reqs + counters.get_reqs + counters.head_reqs + counters.post_reqs + counters.put_reqs + counters.delete_reqs + counters.trace_reqs + counters.connect_reqs )] 20
status_1XX_count (http) [profile_http_stat.resp_1xx.cnt] 100
status_2XX_count (http) [profile_http_stat. resp_2xx_cnt] 80
status_3XX_count (http) [profile_http_stat. resp_3xx_cnt] 5
status_4XX_count (http) [profile_http_stat. resp_4xx_cnt] 1
status_5XX_count (http) [profile_http_stat. resp_5xx_cnt] 2
status_other_count (http) [profile_http_stat.resp_other] 100

sFlow HTTP Request sampling data types

This table names and categorizes the sFlow HTTP Request sampling data types that the BIG-IP® system sends to sFlow receivers.

Data type Description
sampleType_tag A numeric value that indicates the type of traffic being sampled.
sampleType The name of the type of traffic being sampled.
sampleSequenceNo An integer that increments with each flow sample generated per sourceid.
sourceId A decimal representation in which the type of sFlow data source is indicated by one of these bytes:
  • 0 = ifIndex
  • 1 = smonVlanDataSource
  • 2 = entPhysicalEntry
  • 3 = entLogicalEntry
Note: Bytes 1-3 contain the relevant index value. On the BIG-IP system, this is the vs-index (for virtual servers) or if-index (for interfaces/vlans).
meanSkipCount The configured HTTP request sampling rate.
samplePool The total number of packets that could have been sampled, that is, the number of packets skipped by the sampling process, plus the total number of samples.
dropEvents The number of times the BIG-IP system detected that a packet marked to be sampled was dropped due to lack of resources.
inputPort The if-index of the VLAN that the sampled packet was received on. The value of this field in combination with outputPort indicates the service direction.
outputPort The if-index of the VLAN that the sampled packet was sent out on. The value of this field in combination with inPort indicates the service direction.
Note: 1073741823 is used when the VLAN ID is unknown.
flowBlock_tag An sFlow standard structure ID as defined here: http://www.slfow.org/developers/steructurs.php. The value is in this format: Enterprise:Format, for example, 0:1.
extendedType A string representation of the flowBlock_tag.
proxy_socket4_ip_protocol The IP protocol used for communications between the BIG-IP system and the pool member that handled the traffic. The value is an integer, for example, TCP =6 and UDP =17.
proxy_socket4_local_ip The internal IP address of the BIG-IP system.
proxy_socket4_remote_ip The IP address of the pool member that handled the traffic.
proxy_socket4_local_port The internal port on the BIG-IP system.
proxy_socket4_remote_port The internal port of the pool member that handled the traffic.
socket4_ip_protocol The IP protocol used for communications between the BIG-IP system and the client represented by an integer, for example, TCP =6 and UDP=17.
socket4_local_ip The external IP address the BIG-IP system uses to communicate with the client.
socket4_remote_ip The IP address of the client.
socket4_local_port The external port the BIG-IP system uses to communicate with the client.
socket4_remote_port The port of the client.
flowSampleType The type of traffic being sampled.
http_method The HTTP method in the request header that was sampled.
http_protocol The version of the HTTP protocol in the request header that was sampled.
http_uri The URI in the request header that was sampled.
http_host The host value in the request header that was sampled.
http_referrer The referrer value in the request header that was sampled.
http_useragent The User-Agent value in the request header that was sampled.
http_xff The X-Forwarded-For value in the request header that was sampled.
http_authuser The identity of the user in the request header as stated in RFC 1413.
http_mime-type The Mime-Type of response sent to the client.
http_req_bytes The length of the request that was sampled in bytes.
http_bytes The length of the response that was sampled in bytes.
http_duration_uS The duration of the communication between the BIG-IP system and the HTTP server/pool member in microseconds.
http_status The HTTP status code in the response that was sampled.
This is an example of IPv4 HTTP Request sampling data:
startDatagram =================
datagramSourceIP 10.0.0.0
datagramSize 376
unixSecondsUTC 1370017719
datagramVersion 5
agentSubId 3
agent 192.27.88.20
packetSequenceNo 16
sysUpTime 1557816000
samplesInPacket 1
startSample -------------------
sampleType_tag 0:1
sampleType FLOWSAMPLE
sampleSequenceNo 1
sourceId 3:2
meanSkipCount 1
samplePool 1
dropEvents 0
inputPort 352
outputPort 1073741823
flowBlock_tag 0:2102
extendedType proxy_socket4
proxy_socket4_ip_protocol 6
proxy_socket4_local_ip 10.1.0.0
proxy_socket4_remote_ip 10.1.0.0
proxy_socket4_local_port 40451
proxy_socket4_remote_port 80
flowBlock_tag 0:2100
extendedType socket4
socket4_ip_protocol 6
socket4_local_ip 10.0.0.0
socket4_remote_ip 10.0.0.0
socket4_local_port 80
socket4_remote_port 40451
flowBlock_tag 0:2206
flowSampleType http
http_method 2
http_protocol 1001
http_uri /index.html
http_host 10.10.10.250
http_referrer http://asdfasdfasdf.asdf
http_useragent curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 
 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
http_authuser Aladdin
http_mimetype text/html; charset=UTF-8
http_request_bytes 340
http_bytes 8778
http_duration_uS 1930
http_status 200
endSample   ----------------------
endDatagram ======================      

sFlow VLAN sampling data types

This table names and categorizes the sFlow VLAN sampling data types that the BIG-IP® system sends to sFlow receivers.

Data type Description
sampleType_tag A numeric value for the type of traffic being sampled.
sampleType The name of the type of traffic being sampled.
sampleSequenceNo An integer that increments with each flow sample generated per sourceid.
sourceId A decimal value in which the type of sFlow data source is indicated by one of the bytes:
  • 0 = ifIndex
  • 1 = smonVlanDataSource
  • 2 = entPhysicalEntry
  • 3 = entLogicalEntry
Note: Bytes 1-3 contain the relevant index value. On the BIG-IP system, this is the vs-index (for virtual servers) and the if-index (for interfaces/VLANs).
meanSkipCount The configured packet sampling rate.
samplePool The total number of packets that could have been sampled, that is, the number of packets skipped by the sampling process, plus the total number of samples.
dropEvents The number of times the BIG-IP system detected that a packet marked to be sampled was dropped due to lack of resources.
inputPort The if-index of the VLAN that the sampled packet was received on. The value of this field in combination with outputPort indicates the service direction.
outputPort The if-index of the VLAN that the sampled packet was sent out on. The value of this field in combination with inPort indicates the service direction.
Note: 1073741823 is used when the VLAN ID is unknown.
flowBlock_tag An sFlow standard structure ID as defined here: http://www.slfow.org/developers/steructurs.php, and in this format: Enterprise:Format, for example, 0:1.
flowSampleType The type of traffic being sampled.
headerProtocol A numeric value for the type of header.
sampledPacketSize The size in bytes of the packet that was sampled.
strippedBytes The number of octets removed from the packet before extracting the header octets.
headerLen The length of the header in bytes.
headerBytes The exact bytes extracted from the header.
IPSize The size of the packet that was sampled including the IP header.
ip.tot_len The original length of the packet before sampling.
srcIP The source IP address of the sampled packet.
dstIP The destination IP address of the sampled packet.
IPProtocol The protocol used to send the packet.
IPTOS A numeric value representing the type of service.
IPTTL The time to live of the IP address in the header of the packet that was sampled.
TCPSrcPort or UDPSrcPort The port the client uses for communication with the BIG-IP system.
TCPDstPort or UDPDstPort The port the BIG-IP system uses for communication with the client.
TCPFlags A decimal representation of the TCP header flags in the sampled packet.
Note: This value is sent only when the sampled traffic is TCP.
extendedType A string representation of the flowBlock_tag.
in_vlan A numeric ID for the 8021.1Q VLAN ID of the incoming frame.
in_priority A numeric value that represents the 802.1p priority of the incoming frame.
out_vlan A numeric ID for the 8021.1Q VLAN ID of the outgoing frame.
out_priority A numeric value that represents the 802.1p priority of the outgoing frame.
This is an example of IPv4 VLAN sampling data:
startDatagram =============================================
datagramSourceIP 10.0.0.0
datagramSize 180
unixSecondsUTC 1370016982
datagramVersion 5
agentSubId 2
agent 192.27.88.20
packetSequenceNo 1
sysUpTime 1557079000
samplesInPacket 1
startSample -----------------------------------------------
sampleType_tag 0:1
sampleType FLOWSAMPLE
sampleSequenceNo 1
sourceId 0:352
meanSkipCount 128
samplePool 38
dropEvents 0
inputPort 352
outputPort 1073741823
flowBlock_tag 0:1
flowSampleType HEADER
headerProtocol 1
sampledPacketSize 66
strippedBytes 0
headerLen 64
headerBytes 00-01-D7-E6-8A-03-00-50-56-01-10-0E-08-00-45-00-00-
 34-D8-A4-40-00-40-06-39-10-0A-0A-0A-02-0A-0A-0A-FA-9D-77-00-50-
 33-97-00-00-EA-00-5D-80-80-10-00-FA-AF-B0-00-00-01-01-08-0A-44-
 4B-27-FA-67-51
dstMAC 0001d7e68a03
srcMAC 00505601100e
IPSize 52
ip.tot_len 52
srcIP 10.0.0.0
dstIP 10.0.0.1
IPProtocol 6
IPTOS 0
IPTTL 64
TCPSrcPort 40311
TCPDstPort 80
TCPFlags 16
flowBlock_tag 0:1001
extendedType SWITCH
in_vlan 3195
in_priority 0
out_vlan 0
out_priority 0
endSample   ---------------------------------------------------
endDatagram   =================================================

Implementation result

You now have an implementation in which the BIG-IP® system periodically sends data samples to an sFlow receiver, and you can use the collected data to analyze the performance of the BIG-IP system.