Proposed standard helps ease traffic burden

IT managers need visibility into the traffic flowing through their networks. Without this insight, they rely heavily on guesswork for performance problem resolution and capacity planning. Legacy measurement tools are also usually prohibitively expensive, lack scalability to today's gigabit speeds, drain network hardware productivity, and increase software and hardware ownership costs.

A new IETF draft standard, RFC 3176, addresses all these limitations to traditional traffic monitoring and forensic network analysis through network packet sampling. The informational RFC also is marketed under the name "sFlow" by the industry trade organization sflow.org.

RFC 3176 lets administrators reliably and statistically measure their networks' performance and traffic impact of all connected applications, users, servers, switches, routers and storage switches. SFlow monitors and proactively helps administrators adjust network traffic patterns in complex enterprise, metropolitan service provider and high-performance computing environments with thousands of nodes and significant bandwidth requirements.

Instead of deploying cost-prohibitive probes throughout the network, the sFlow agent is embedded in the network switch or router ASIC and samples the network traffic. The sFlow management information base controls the sFlow agent, which captures, formats and forwards the packet samples to a central RFC 3176 data collector creating a datagram. By statistically sampling network traffic, network administrators gain a system-wide view of the traffic, network security and application traffic sources throughout the network.

With typical data gathering, RFC 3176 doesn't add significant network load, which is in contrast to software-based proprietary vendor approaches to traffic monitoring. The only sFlow packet sampling work done in software on the device is a few simple lookups, marshalling data into a datagram and queuing the datagram for transmission.

Datagram delivery

When a packet is sampled, its header is extracted and placed into an sFlow datagram or detailed map of the packet's network journey, which includes header, I/O source, destination and interface statistics. This datagram then is sent immediately to the sFlow Collection Server, a central data collector and analyzer.

One collection server can gather datagrams from more than 20,000 switch ports, decoding the packet headers and other information to present detailed Layer 2 to Layer 7 usage statistics.

Because the datagram immediately is sent to the collection server, memory requirements are extremely small and bounded, meaning that complex memory management software is unnecessary. This lets the sampling standard be implemented in simple Layer 2 switches to high-end core routers without requiring additional memory or CPU.

A new view of the net

SFlow fundamentally changes network traffic management. Configuration and control decisions are driven from statistical, quantitative and detailed information on which applications and users are using the network and for what purpose. RFC 3176 also can help eliminate rogue traffic from entering the growing number of wireless access points or combine with FreeBSD intrusion-detection systems such as Snort to offer yet another level of traffic monitoring for keeping a network secure from edge to edge and not just in select areas.