sFlow® Agent Configuration and Troubleshooting Guide

Overview

This tutorial provides a step-by-step guide to adding a new sFlow feed to Traffic Sentinel, with details on problems that you may encounter.

Adding a new sFlow Agent

Recommended Steps - switch side

  1. Configure sampling rate (e.g. 1 in 2048), polling interval (e.g. 30 seconds) and collector IP address via the switch CLI. Some examples are here.
  2. If necessary, ensure that the switch chooses an appropriate sFlow agent address. This is typically done automatically, selecting a loopback address, but it may sometimes be controlled explicitly. Note that the sFlow agent address is carried in the sFlow payload and may be different from the source address of the datagrams sent to Traffic Sentinel.
  3. Apply sampling on ingress to all physical ports.
  4. Confirm via "show sflow" or equivalent that the switch is sending UDP datagrams.

Recommended Steps - server side

  1. On the Traffic Sentinel server, confirm that the packets are arriving with:
    sudo /usr/sbin/tcpdump -i any udp port 6343
    
  2. Confirm that the software firewall is allowing packets through on 6343/udp.
    sudo iptables --list
    
  3. In the Traffic Sentinel web UI, confirm that a new agent event appears under Events>List with type=Configuration. The Comment field will indicate the source address of the datagrams.
  4. After a minute has passed, confirm that the new agent now appears under Traffic>Status in the expected zone+group. Precedence rules are:
    1. An <agent> section matching the sFlow agent address
    2. An <agentrange> section including the sFlow agent address
    3. A <subnet> (CIDR) section including the sFlow agent address
    The recommendation is to use CIDRs, reserving <agent> sections for overrides only where necessary, such as when a different contact address should be used for ICMP and SNMP communication, or when specific thresholds must be set.
  5. Confirm that SNMP is working too (File>Configure>Status>select agent>Test SNMP).

Common Problems

  1. Firewall: The iptables firewall must allow packets to 6343/udp. Remember that tcpdump sees the packets before they reach the firewall, so packets that show up in tcpdump may still be dropped before they reach Traffic Sentinel.
  2. sFlow agent address: Sometimes the sFlow agent address is set to an unexpected value and the agent appears in the wrong zone+group. A zone called "other" will appear if the sFlow agent address does not match any CIDR, agent range or agent. This is an error condition because parameters for talking to the device will be undefined.
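
The precedence rules in server-side step 4 and the "other" zone case above, as an added example (not Traffic Sentinel code): the Python below reads the agent address from the sFlow version 5 datagram header, which can differ from the UDP source address, and resolves it against hypothetical in-memory stand-ins for the <agent>, <agentrange> and <subnet> sections. All addresses, zone/group names and the sample datagram are constructed, and taking the first match among overlapping entries is an assumption.

```python
import ipaddress
import struct

IP, NET = ipaddress.ip_address, ipaddress.ip_network

# Hypothetical zone/group assignments standing in for the <agent>,
# <agentrange> and <subnet> sections (all values constructed).
AGENTS = {IP("10.0.0.1"): ("HQ", "Core")}
AGENT_RANGES = [(IP("10.0.1.10"), IP("10.0.1.20"), ("HQ", "Access"))]
SUBNETS = [(NET("10.0.0.0/16"), ("HQ", "Default"))]

def sflow_agent_address(datagram):
    """Return the agent address carried in an sFlow version 5 datagram."""
    if len(datagram) < 12:
        raise ValueError("too short for an sFlow header")
    version, addr_type = struct.unpack_from("!II", datagram)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    if addr_type == 1:  # IPv4 agent address, 4 bytes
        return ipaddress.IPv4Address(datagram[8:12])
    if addr_type == 2 and len(datagram) >= 24:  # IPv6 agent address, 16 bytes
        return ipaddress.IPv6Address(datagram[8:24])
    raise ValueError("unknown or truncated agent address")

def resolve_zone_group(agent_ip, agents, agent_ranges, subnets):
    """Apply the precedence: agent, then agent range, then subnet (CIDR)."""
    if agent_ip in agents:
        return agents[agent_ip], "agent"
    for first, last, place in agent_ranges:
        # Addresses of different IP versions cannot be ordered, so check first.
        if first.version == agent_ip.version and first <= agent_ip <= last:
            return place, "agentrange"
    for cidr, place in subnets:  # first match wins (assumption)
        if agent_ip in cidr:
            return place, "subnet"
    # No match: the agent lands in the "other" zone with undefined parameters.
    return ("other", None), "unmatched"

def sample_datagram(agent):
    """Constructed sFlow v5 header with zero samples for an IPv4 agent."""
    # version, address type, agent address, sub-agent id, sequence, uptime, samples
    return struct.pack("!II4sIIII", 5, 1, IP(agent).packed, 0, 1, 1000, 0)

if __name__ == "__main__":
    for agent in ("10.0.0.1", "10.0.1.15", "10.0.9.9", "192.168.5.1"):
        ip = sflow_agent_address(sample_datagram(agent))
        print(ip, resolve_zone_group(ip, AGENTS, AGENT_RANGES, SUBNETS))
```

An "unmatched" result for an address you expected to fall inside a CIDR usually means the switch chose a different agent address than the one planned for.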

Rare Problems

  1. Martians: If the packets arrive at the server on the wrong interface, i.e. not the one that would be used to talk back to the switch on that source IP, then they will be dropped by the OS as "Martians". To see which interface the server would use to reach that source IP, run:
    sudo ip route get <sourceIP>
    
    You may have to force a different source IP or collector IP using the switch CLI.
  2. Management Port: Some switches are reluctant to send sFlow out the management port. You may need to work around that in the switch CLI. For example, there may be a direct override you can employ, or you may have to designate the management port to be one of the ports on the data side.
