Network Working Group                                           P. Phaal
Request for Comments: 3176                                    S. Panchen
Category: Informational                                         N. McKee
                                                             InMon Corp.
                                                          September 2001


     InMon Corporation's sFlow: A Method for Monitoring Traffic in
                      Switched and Routed Networks

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   This memo defines InMon Corporation's sFlow system.  sFlow is a
   technology for monitoring traffic in data networks containing
   switches and routers.  In particular, it defines the sampling
   mechanisms implemented in an sFlow Agent for monitoring traffic, the
   sFlow MIB for controlling the sFlow Agent, and the format of sample
   data used by the sFlow Agent when forwarding data to a central data
   collector.

Table of Contents

   1.  Overview
   2.  Sampling Mechanisms
       2.1 Sampling of Switched Flows
           2.1.1 Distributed Switching
           2.1.2 Random Number Generation
       2.2 Sampling of Network Interface Statistics
   3.  sFlow MIB
       3.1 The SNMP Management Framework
       3.2 Definitions
   4.  sFlow Datagram Format
   5.  Security Considerations
       5.1 Control
       5.2 Transport
       5.3 Confidentiality
   6.  References
   7.  Authors' Addresses



Phaal, et al.                Informational                      [Page 1]

RFC 3176               InMon Corporation's sFlow          September 2001


   8.  Intellectual Property Statement
   9.  Full Copyright Statement

1. Overview

   sFlow is a technology for monitoring traffic in data networks
   containing switches and routers.  In particular, it defines the
   sampling mechanisms implemented in an sFlow Agent for monitoring
   traffic, the sFlow MIB for controlling the sFlow Agent, and the
   format of sample data used by the sFlow Agent when forwarding data to
   a central data collector.

   The architecture and sampling techniques used in the sFlow monitoring
   system are designed to provide continuous site-wide (and network-
   wide) traffic monitoring for high speed switched and routed networks.

   The design specifically addresses issues associated with:

   o Accurately monitoring network traffic at Gigabit speeds and higher.

   o Scaling to manage tens of thousands of agents from a single point.

   o Extremely low cost agent implementation.

   The sFlow monitoring system consists of an sFlow Agent (embedded in a
   switch or router or in a stand-alone probe) and a central data
   collector, or sFlow Analyzer.

   The sFlow Agent uses sampling technology to capture traffic
   statistics from the device it is monitoring.  sFlow Datagrams are
   used to immediately forward the sampled traffic statistics to an
   sFlow Analyzer for analysis.

   This document describes the sampling mechanisms used by the sFlow
   Agent, the SFLOW MIB used by the sFlow Analyzer to control the sFlow
   Agent, and the sFlow Datagram Format used by the sFlow Agent to send
   traffic data to the sFlow Analyzer.

2. Sampling Mechanisms

   The sFlow Agent uses two forms of sampling: statistical packet-based
   sampling of switched flows, and time-based sampling of network
   interface statistics.

2.1 Sampling of Switched Flows

   A flow is defined as all the packets that are received on one
   interface, enter the Switching/Routing Module and are sent to another
   interface.  In the case of a one-armed router, the source and
   destination interface could be the same.  In the case of a broadcast
   or multicast packet there may be multiple destination interfaces.
   The sampling mechanism must ensure that any packet involved in a flow
   has an equal chance of being sampled, irrespective of the flow to
   which it belongs.

   Sampling flows is accomplished as follows: When a packet arrives on
   an interface, a filtering decision is made that determines whether
   the packet should be dropped.  If the packet is not filtered, a
   destination interface is assigned by the switching/routing function.
   At this point a decision is made on whether or not to sample the
   packet.  The mechanism involves a counter that is decremented with
   each packet.  When the counter reaches zero a sample is taken.
   Whether or not a sample is taken, the counter Total_Packets is
   incremented.  Total_Packets is a count of all the packets that could
   have been sampled.

   Taking a sample involves either copying the packet's header, or
   extracting features from the packet (see sFlow Datagram Format for a
   description of the different forms of sample).  Every time a sample
   is taken, the counter Total_Samples is incremented.  Total_Samples
   is a count of the number of samples generated.  Samples are sent by
   the sampling entity to the sFlow Agent for processing.  The sample
   includes the packet information, and the values of the Total_Packets
   and Total_Samples counters.

   When a sample is taken, the counter indicating how many packets to
   skip before taking the next sample should be reset.  The value of the
   counter should be set to a random integer where the sequence of
   random integers used over time should be such that

   (1) Total_Packets/Total_Samples = Rate

   An alternative strategy for packet sampling is to generate a random
   number for each packet, compare the random number to a preset
   threshold and take a sample whenever the random number is smaller
   than the threshold value.  Calculation of an appropriate threshold
   value depends on the characteristics of the random number generator;
   however, the resulting sample stream must still satisfy (1).

2.1.1 Distributed Switching

   The SFLOW MIB permits separate sampling entities to be associated
   with different physical or logical elements of the switch (such as
   interfaces, backplanes or VLANs).  Each sampling engine has its own
   independent state (i.e., Total_Packets, Total_Samples, Skip and
   Rate), and forwards its own sample messages to the sFlow Agent.  The
   sFlow Agent is responsible for packaging the samples into datagrams
   for transmission to an sFlow Analyzer.

2.1.2 Random Number Generation

   The essential property of the random number generator is that the
   mean value of the numbers it generates converges to the required
   sampling rate.

   A uniform distribution random number generator is very effective.
   The range of skip counts (the variance) does not significantly affect
   results; variation of +-10% of the mean value is sufficient.

   The random number generator must ensure that all numbers in the range
   between its maximum and minimum values of the distribution are
   possible; a random number generator only capable of generating even
   numbers, or numbers with any common divisor is unsuitable.

   A new skip value is only required every time a sample is taken.
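
   The skip-counter mechanism of section 2.1 and the generator
   requirements of section 2.1.2, as an added example that is not part
   of the RFC.  The class and function names, the alternating A/B test
   traffic and the Rate of 100 are assumptions made for illustration.

```python
import random

class SkipSampler:
    """Section 2.1 state for one sampling entity: Total_Packets, Total_Samples, Skip, Rate."""

    def __init__(self, rate, next_skip, rng):
        self.rate, self.next_skip, self.rng = rate, next_skip, rng
        self.total_packets = 0
        self.total_samples = 0
        self.skip = next_skip(rate, rng)

    def offer(self, packet):
        """Call once per packet that passed filtering; returns a sample tuple or None."""
        self.total_packets += 1          # counted whether or not a sample is taken
        self.skip -= 1
        if self.skip > 0:
            return None
        self.total_samples += 1
        self.skip = self.next_skip(self.rate, self.rng)   # new skip only when sampling
        return (packet, self.total_packets, self.total_samples)

def uniform_skip(rate, rng):
    """Every integer within +-10% of Rate is possible; the mean is Rate (assumes rate >= 2)."""
    spread = max(1, rate // 10)
    return rng.randint(rate - spread, rate + spread)

def even_only_skip(rate, rng):
    """Unsuitable generator: same mean, but every value shares the divisor 2."""
    spread = max(1, rate // 10)
    return 2 * rng.randint((rate - spread) // 2, (rate + spread) // 2)

def run(next_skip, packets=200_000, rate=100, seed=1):
    """Feed constructed traffic that alternates flows A, B, A, B, ... through the sampler."""
    sampler = SkipSampler(rate, next_skip, random.Random(seed))
    from_a = 0
    for i in range(packets):
        sample = sampler.offer("A" if i % 2 == 0 else "B")
        if sample and sample[0] == "A":
            from_a += 1
    effective_rate = sampler.total_packets / sampler.total_samples
    return effective_rate, from_a / sampler.total_samples

if __name__ == "__main__":
    for name, gen in (("uniform", uniform_skip), ("even-only", even_only_skip)):
        rate, share_a = run(gen)
        print(f"{name:10s} Total_Packets/Total_Samples={rate:.1f}  share of flow A={share_a:.2f}")
```

   Both generators satisfy (1), but the even-only one never samples
   flow A, so a collector that only checks the effective rate would not
   notice the blind spot.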

2.2 Sampling of Network Interface Statistics

   The objective of the counter sampling is to efficiently, periodically
   poll each data source on the device and extract key statistics.

   For efficiency and scalability reasons, the sFlow System implements
   counter polling in the sFlow Agent.  A maximum polling interval is
   assigned to the agent, but the agent is free to schedule polling in
   order to maximize internal efficiency.

   Flow sampling and counter sampling are designed as part of an
   integrated system.  Both types of samples are combined in sFlow
   Datagrams.  Since flow sampling will cause a steady, but random,
   stream of datagrams to be sent to the sFlow Analyzer, counter samples
   may be taken opportunistically in order to fill these datagrams.

   One strategy for counter sampling has the sFlow Agent keep a list of
   counter sources being sampled.  When a flow sample is generated the
   sFlow Agent examines the list and adds counters to the sample
   datagram, least recently sampled first.  Counters are only added to
   the datagram if the sources are within a short period, 5 seconds say,
   of failing to meet the required sampling interval (see
   sFlowCounterSamplingInterval in SFLOW MIB).  Whenever a counter
   source's statistics are added to a sample datagram, the time the
   counter source was last sampled is updated and the counter source is
   placed at the end of the list.  Periodically, say every second, the
   sFlow Agent examines the list of counter sources and sends any
   counters that need to be sent to meet the sampling interval
   requirement.

   Alternatively, if the agent regularly schedules counter sampling,
   then it should schedule each counter source at a different start time
   (preferably randomly) so that counter sampling is not synchronized
   within an agent or between agents.
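
   The opportunistic counter-sampling strategy described above, as an
   added example that is not part of the RFC.  The class name, the
   `room` parameter (free counter slots in the datagram being built),
   the 20 second interval and the interface names are assumptions made
   for illustration.

```python
from collections import OrderedDict

class CounterScheduler:
    """Keeps counter sources ordered least recently sampled first (section 2.2)."""

    def __init__(self, sources, interval, slack=5.0, now=0.0):
        self.interval = interval      # required counter sampling interval, seconds
        self.slack = slack            # "a short period, 5 seconds say"
        self.last = OrderedDict((src, now) for src in sources)

    def _take(self, now, horizon, limit=None):
        picked = []
        for src, last in list(self.last.items()):
            if limit is not None and len(picked) >= limit:
                break
            if now < last + self.interval - horizon:
                break                 # list is time-ordered, so nothing later is due
            picked.append(src)
            self.last[src] = now      # record the new sample time
            self.last.move_to_end(src)
        return picked

    def on_flow_sample(self, now, room):
        """Piggyback sources that are within `slack` of missing their interval."""
        return self._take(now, self.slack, room)

    def on_tick(self, now):
        """Periodic check (every second, say): send whatever is due right now."""
        return self._take(now, 0.0)

def demo():
    """Constructed timeline: three interfaces, 20 second interval."""
    sched = CounterScheduler(["if1", "if2", "if3"], interval=20.0)
    return [
        sched.on_flow_sample(now=10.0, room=2),   # nothing close to its deadline
        sched.on_flow_sample(now=16.0, room=2),   # two fit in the datagram
        sched.on_tick(now=19.0),                  # if3 not yet overdue
        sched.on_tick(now=20.0),                  # if3 must be sent now
        sched.on_flow_sample(now=32.0, room=5),   # if1, if2 due again; if3 is not
    ]

if __name__ == "__main__":
    for step in demo():
        print(step)
```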

3. sFlow MIB

   The sFlow MIB defines a control interface for an sFlow Agent.  This
   interface provides a standard mechanism for remotely controlling and
   configuring an sFlow Agent.

3.1 The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [2].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management.  The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in STD
      16, RFC 1155 [3], STD 16, RFC 1212 [4] and RFC 1215 [5].  The
      second version, called SMIv2, is described in STD 58, RFC 2578
      [6], STD 58, RFC 2579 [7] and STD 58, RFC 2580 [8].

   o  Message protocols for transferring management information.  The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [9].  A second version of the SNMP
      message protocol, which is not an Internet standards track
      protocol, is called SNMPv2c and described in RFC 1901 [10] and RFC
      1906 [11].  The third version of the message protocol is called
      SNMPv3 and described in RFC 1906 [11], RFC 2572 [12] and RFC 2574
      [13].

   o  Protocol operations for accessing management information.  The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [9].  A second set of protocol
      operations and associated PDU formats is described in RFC 1905
      [14].

   o  A set of fundamental applications described in RFC 2573 [15] and
      the view-based access control mechanism described in RFC 2575
      [16].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [17].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.

3.2 Definitions

SFLOW-MIB DEFINITIONS ::= BEGIN

IMPORTS

MODULE-IDENTITY, OBJECT-TYPE, Integer32, enterprises
        FROM SNMPv2-SMI
SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
OwnerString
        FROM RMON-MIB
InetAddressType, InetAddress
        FROM INET-ADDRESS-MIB
MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF;

sFlowMIB  MODULE-IDENTITY
  LAST-UPDATED "200105150000Z"   -- May 15, 2001
  ORGANIZATION "InMon Corp."
  CONTACT-INFO
         "Peter Phaal
          InMon Corp.
          http://www.inmon.com/

          Tel:  +1-415-661-6343
          Email: peter_phaal@inmon.com"
