[ixpmanager] SFLOW Under Reporting?

Ian Chilton ian at lonap.net
Fri Jun 23 08:25:31 IST 2023 


Hi André,

On 2023-06-23 07:59, André Grüneberg wrote:

> This does not matter. All traffic coming from others to this one member 
> is NOT being measured on the member's port but on others' ports.

Yes, but in the case of the member who is reporting only ~50% stats at 
our side, they are only comparing a few peers, which do not involve 
subinterfaces.

> Presuming that you have sFlow enabled only on edge ports and your're 
> generating sFlow for inbound traffic flow (the usual setting for 
> Arista).

Yep - we only have sflow enabled on member interfaces.

In the case of LAGs, we have (irrelevant config snipped for simplicity):

interface Ethernet17/3
    no switchport
    channel-group 108 mode active
    no sflow enable

interface Port-Channel108
    switchport access vlan 4
    switchport
    mac access-group MAC-ACL-Port-Channel108 in
    sflow enable

Going off on a tangent, but how does your subinterface configs look? - 
again, with non-important bits removed:

interface Port-Channel105
    no switchport
    sflow enable

interface Port-Channel105.4
    encapsulation dot1q vlan 4
    vlan id 4
    mac access-group MAC-ACL-Port-Channel105.4 in

interface Port-Channel105.646
    encapsulation dot1q vlan 646
    vlan id 4
    mac access-group MAC-ACL-Port-Channel105.646 in

So I currently have sflow enabled on the parent interface and not the 
subinterfaces. I'm currently questioning with Arista which is 
recommended here - disabled on the parent and enabled on the 
subinterfaces or enabled on the parent and disabled on the 
subinterfaces. What do you use?

> Yes, it's intoducing a mapping of the tuple (agent, interfaceid, 
> vlanid) -> peering VLAN ID ... so the rest of the script can digest the 
> flow as "peering traffic". :)

Interested in the mechanism you are using here - have you built that in 
to the sflow-to-rrd-handler script or are you using an external script 
to periodically query the database and export these [into a file]. The 
latter is what I was planning to do.

> Well, there are some "heavy" PVLANs that can easily account for ~50G at 
> that time. And the remainder is within our acceptable error margin of 
> 10%.

Ah, so you have not modified it to include PVLANs, you're only counting 
peering lan traffic in those overalls still?

> Yes, mostly we are running smapling rate 16384 -- same as yours.

Mostly???

Thank you!

Ian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.inex.ie/pipermail/ixpmanager/attachments/20230623/3a297a81/attachment.htm>

More information about the ixpmanager mailing list