The sFlow protocol is available on a wide range of switches. Some router models also offer it as an option. One of the key benefits of sFlow is the ability to detect DDoS attacks within a few seconds.
You can enable sFlow support in FastNetMon in a few easy steps.
Enable sFlow plugin:
sudo fcli set main sflow enable
Specify the port or ports for sFlow capture (6343 is the default port):
sudo fcli set main sflow_ports 6343
Specify the interface to listen on (0.0.0.0 is the default):
sudo fcli set main sflow_host 0.0.0.0
To listen on both IPv4 and IPv6 on the same port, set the host to the following value:
sudo fcli set main sflow_host ::
sudo fcli commit
If you run any kind of firewall on your network or on the server running FastNetMon itself, you will need to allow traffic on the ports you've added towards the machine running FastNetMon.
Apply changes and restart FastNetMon:
sudo fcli commit
After that, configure the sFlow agent (switch, router, server) to send sFlow to the configured host and port.
We have our own guides for configuring sFlow:
The choice of sampling rate depends on the real amount of traffic on the link. It does not depend on peak link capacity or interface speed.
Based on the real amount of traffic in the network, we suggest the following sampling rates:
| Bandwidth | Sampling rate |
|---|---|
| 100 Mbit | 500 |
| 1 Gbit | 1000 |
| 10 Gbit | 2000 |
| 40 Gbit | 4000 |
| 100 Gbit | 10000 |
After finishing configuration on the agent's side, you can check that FastNetMon receives data using our counters:
sudo fcli show system_counters | grep sflow
It's very important to keep a reasonable sampling rate for accurate bandwidth calculation. In some cases, during traffic spikes, switches can raise the sampling rate above the value specified in the configuration. FastNetMon has an option to expose the sampling rate for each router. You can enable it this way:
sudo fcli set main sflow_track_sampling_rate enable
sudo fcli commit
After enabling this option, you can check the sampling rate for each device and line card this way:
sudo fcli show sflow_sampling_rates
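To see where these per-device rates come from, the added example below (not FastNetMon's own code) reads the sampling rate each flow sample carries in an sFlow v5 datagram and reports samples whose rate differs from the configured one. The function names, the configured rate of 1000 and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct

def sampling_rates(datagram: bytes):
    """Return (agent_ip, source_index, sampling_rate) for each flow sample."""
    try:
        version, addr_type = struct.unpack_from("!II", datagram, 0)
        if version != 5:
            raise ValueError(f"unsupported sFlow version {version}")
        addr_len = {1: 4, 2: 16}[addr_type]          # 1 = IPv4, 2 = IPv6
        agent = str(ipaddress.ip_address(datagram[8:8 + addr_len]))
        off = 8 + addr_len
        # sub-agent id, datagram sequence, uptime, number of samples
        _, _, _, n_samples = struct.unpack_from("!IIII", datagram, off)
        off += 16
        found = []
        for _i in range(n_samples):
            tag, length = struct.unpack_from("!II", datagram, off)
            sample = datagram[off + 8:off + 8 + length]
            if len(sample) != length:
                raise ValueError("sample runs past end of datagram")
            enterprise, fmt = tag >> 12, tag & 0xFFF
            if enterprise == 0 and fmt == 1:          # flow sample
                _, source_id, rate = struct.unpack_from("!III", sample)
                found.append((agent, source_id & 0xFFFFFF, rate))
            elif enterprise == 0 and fmt == 3:        # expanded flow sample
                _, _, index, rate = struct.unpack_from("!IIII", sample)
                found.append((agent, index, rate))
            off += 8 + length                         # counter samples skipped
        return found
    except (struct.error, KeyError) as exc:
        raise ValueError(f"malformed sFlow datagram: {exc}") from exc

def rate_mismatches(datagram: bytes, configured_rate: int):
    """Flow samples whose rate differs from what the agent was configured for."""
    return [s for s in sampling_rates(datagram) if s[2] != configured_rate]

def build_sample_datagram() -> bytes:
    """Constructed datagram: agent 192.0.2.10, one flow and one counter sample."""
    header = struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 10]), 0, 1, 1000, 2)
    flow = struct.pack("!IIIIIIII", 1, 7, 2000, 2000, 0, 7, 8, 0)  # ifIndex 7, 1:2000
    counter = struct.pack("!III", 1, 7, 0)
    return (header + struct.pack("!II", 1, len(flow)) + flow
            + struct.pack("!II", 2, len(counter)) + counter)

if __name__ == "__main__":
    print(rate_mismatches(build_sample_datagram(), configured_rate=1000))
```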
FastNetMon offers an option to count the number of sFlow packets received from each device. You can enable it this way:
sudo fcli set main sflow_count_packets_per_device true
sudo fcli commit
Then you will be able to see the number of sFlow packets per device this way:
sudo fcli show sflow_packets_per_device
Why are flow counters zero?
If you use sampling, then due to the limitations of sampling theory we cannot calculate flows per second correctly.