TPS devices running TOS v5.x.x and later support export of flow data statistics for visualization and analysis based on the sFlow technology standard.
Statistics and flow data summaries can be viewed and analyzed by the SMS. The information can be used with external visualization and Network Behavior Anomaly Detection (NBAD) solutions to help identify compromised hosts and other suspicious and malicious network traffic.
When sFlow is enabled, it samples the packets on a segment and sends the data as a UDP packet to one or more servers. Port 6343 is the default sFlow collector port. You can send sFlow monitoring data from a device to one or more sFlow servers, including the SMS Collector. To start receiving sFlow data at a server, sFlow must also be enabled on one or more physical segments. The sampling rate is also set on each individual segment.
The SMS has the ability to auto-configure the sampling rate on the devices to maintain optimal SMS performance. When sFlow data is first collected, the SMS establishes a resource performance threshold by measuring the amount of disk space used by incoming sFlow data to be processed. If the threshold is exceeded and then increases again with a subsequent measurement, the sFlow sample rate gets cut in half on all segments. If another higher threshold is exceeded, the SMS automatically turns off the sFlow Collector. When performance stabilizes below the initial threshold, the sFlow Collector automatically turns back on.
Note
Note
The option to use sFlow is available only when editing the configuration for a TPS system running TOS v5.x.x or later. vTPS devices do not support sFlow sampling. If there are no devices configured for sFlow sampling, the following warning message is displayed at the bottom of the Reports panel: 
Currently there are no devices configured with the SMS as an sFlow® Collector. 
There may still be historical results.

Procedure

  1. Complete a successful profile distribution to all the devices that the sFlow reports will be run against.
    This creates a policy association, which the Vertica database requires in order to generate a report.
  2. Select DevicesAll Devices[device name], and then click Device Configuration.
  3. Select sFlow.
  4. Select Enabled to allow an sFlow data report to be sent to a collector, and specify up to two sFlow collector servers for report analysis. You must enable sFlow on at least one physical segment before sFlow data can be received at a collector. The SMS prompts you if an sFlow report is attempted without a configured collector server.
  5. If the SMS only has a single IP address configured for sFlow, select from the following:
    • Use SMS Collector — Select this option to automatically populate the IP address of the SMS and the default collector port (6343). The generated sFlow reports are displayed on the Dashboard.
      Note
      Note
      The SMS Collector server automatically adjusts the device sampling rate as required to maintain optimal SMS performance.
    • Use a Remote Collector — Specify the IP address and the port (default is 6343). Use this option if you require visualization and Network Behavior Anomaly Detection (NBAD), which is useful in identifying compromised hosts and suspicious network traffic.
    • (Optional) Enter the IP address and port for the second sFlow collector.
  6. If the SMS uses both IPv4 and IPv6 for sFlow, select from the following:
    • Use SMS as Collector with IPv4 Address — Select this option to automatically populate the IPv4 address of the SMS and the default collector port (6343).
    • Use SMS as Collector with IPv6 Address — Select this option to automatically populate the IPv6 address of the SMS and the default collector port (6343).
    • Use a Remote Collector — Specify the IP address and the port (default is 6343). Use this option if you require visualization and Network Behavior Anomaly Detection (NBAD), which is useful in identifying compromised hosts and suspicious network traffic.
    • (Optional) Enter the IP address and port for the second sFlow collector.
  7. Click OK.