Network Monitoring Configuration Guide

mirror mirror introduction introduction mirror is a network management technology commonly used for network detection, traffic analysis, and troubleshooting with the mirroring function, traffic at one or more ports on a switch can be copied to the destination port of the mirror and sent out for analysis and monitoring of the traffic on the mirrored port basic concepts basic concepts the switch currently supports two mirroring methods span and erspan span span span refers to a mirroring configuration where the source and destination ports are on the same switch in this configuration, the switch copies the data traffic from the specified source port (mirror source) to another port (destination port) on the same switch and forwards it the source and destination ports of this mirror are both on the same switch, making the configuration relatively simple and not involving device network connections support mirroring traffic from one or more source ports to the destination port erspan erspan erspan refers to a mirroring configuration where the source and destination ports are located on different switches in this configuration, the switch replicates the data traffic from the specified source port to the destination port on the remote switch through a layer three protocol this type of image needs to be forwarded through an ip address, and the configuration is relatively complex remote mirroring needs to be used in conjunction with acl policies mirror v4 acl match field support is as follows table 1 mirror v4 acl match fields table 1 mirror v4 acl match fields fields description outer vlan outer vlan range \[1,4094] source port sport range 0 65535 destination port dport range 0 65535 tcp flags tcp flags range 0 63 source ip sip a b c d(/m) destination ip dip a b c d(/m) icmp type icmp type range 0 16 icmp code icmp code range 0 5 dscp dscp range 0 63 ip type ip type any/ip/non ip/ipv4any/non ipv4/ipv6any/non ipv6/arp/arp request/arp reply bth opcode bth opcode range 0 255 aeth syndrome aeth syndrome range 0 255 outer vlan outer vlan range \[1,4094] mirror v6 acl match field support is as follows table 2 mirror v6 acl match fields table 2 mirror v6 acl match fields fields description source ipv6 sipv6 x\ x x\ x(/m) destination ipv6 dipv6 x\ x x\ x(/m) bth opcode bth opcode range 0 255 aeth syndrome aeth syndrome range 0 255 span span configuration configuration when configuring span, it supports configuring one or more source ports for simultaneous mirroring, but supports configuring one destination port table 3 configure span table 3 configure span purpose commands description enter global configuration view configure terminal create span mirror session session id type span the range of session id is from 1 to 63 configure the span source port source interface ethernet interface name configure the span destination port destination interface ethernet interface name configure mirror direction direction { in | out | both } the default is both , which means that both the inlet and outlet traffic are mirrored commit commit after the configuration is completed, commit needs to be executed to take effect erspan erspan configuration configuration table 4 configure erspan table 4 configure erspan purpose commands description enter global configuration view configure terminal create erspan mirror session session id type erspan the range of session id is from 1 to 63 configure erspan source ip origin ip address a b c d configure erspan destination ip destination ip address a b c d configure ttl value for erspan tunnel ip ttl ttl value the range of ttl value is 1 255 configure dscp value for erspan tunnel ip dscp dscp value dscp value range is 0 63 (optional)configure the queue bound to the erspan tunnel queue queue value queue id, with a value range of 0 7 (optional)configure erspan tunnel type gre type type gre type, format 0xhhhh commit commit after the configuration is completed, commit needs to be executed to take effect exit mirror configuration view exit create mirror acl table and enter configuration view access list table name mirror ingress bind interface bind interface {{ ethernet | link aggregation } interface name | all }} configure mirror rules rule rule id rule action mirror session session id rule is the match fields, and the supported fields are detailed in display and maintenance display and maintenance table 5 display and maintenance table 5 display and maintenance purpose commands description show mirror configuration show mirror typical configuration example typical configuration example network requirements a certain pc1, with an ip of 10 0 0 2, passes through a switch and achieves mutual access with pc2, with an ip of 20 0 0 2 now it is necessary to monitor the traffic sent by pc1 to pc2 on the server, and obtain the traffic sent by pc1 without affecting the business topology procedure \#configure interface ip address sonic(config)# interface ethernet 0/60 sonic(config if 0/60)# ip address 60 0 0 1/24 \#configure erspan sonic# configure sonic(config)# mirror session 1 type erspan sonic(config erspan mirror 1)# origin ip address 60 0 0 1 please enter 'commit' to make mirror session command take effect sonic(config erspan mirror 1)# destination ip address 60 0 0 2 please enter 'commit' to make mirror session command take effect sonic(config erspan mirror 1)# ip ttl 40 please enter 'commit' to make mirror session command take effect sonic(config erspan mirror 1)# ip dscp 24 please enter 'commit' to make mirror session command take effect sonic(config erspan mirror 1)# commit \#configure acl policy sonic# configure sonic(config)# access list test1 mirror ingress sonic(config mirror acl test1)# bind interface ethernet 0/0 sonic(config mirror acl test1)# rule 1 source ip 10 0 0 2 action mirror session 1 server sonic# configure sonic(config)# interface ethernet 0/24 sonic(config if 0/24)# ip address 60 0 0 2 configuration verification sonic# show mirror erspan sessions name status src ip dst ip gre dscp ttl queue policer monitor port src port direction \ 1 active 60 0 0 1 60 0 0 2 24 40 0/60 span sessions name status dst port src port direction queue policer \ sonic# show acl rule table rule priority action match \ test1 rule 1 1001 mirror ingress 1 src ip 10 0 0 2 traffic verification pc1 streams to pc2 and receives mirrored traffic on the server, which is the traffic sent by pc1 sflow sflow introduction introduction sflow (sampled flow) is a network traffic monitoring technology based on packet sampling, mainly used for statistical analysis of network traffic basic concepts basic concepts sflow system sflow system the sflow system consists of several sflow agents (embedded in forwarding device such as switch or router) and a core sflow collector, as shown in figure below sflow agents use specific sampling techniques to obtain statistics and packet information about the interface the sflow packets are encapsulated in udp packets and sent to the designated sflow collector for analysis by the collector when the buffer holding the sflow packets is full or when the sflow packet delivery timer (timer interval is fixed at 1 second) times out, helping network administrators to manage the network traffic of entire site (usually an enterprise site) more effectively by generating flow views or reports to display the results sflow sample sflow sample sflow agent provides two sampling methods for users to analyze network traffic conditions from different perspectives, namely flow sampling and counter sampling flow sample is used by the sflow agent device to sample and analyze packets on a specified interface according to a specific sampling direction and sampling ratio, and is used to obtain information about the data content of the packets this sampling method focuses on the details of the flow so that it can monitor and analyze popular behavior on the network counter sampling is the sflow agent device that periodically obtains traffic statistics on interfaces in contrast to flow sampling, counter sampling focuses only on the number of flows on interfaces and not on the details of the flows default sflow configuration default sflow configuration the default configuration of sflow is shown in the table below table 6 sflow default configuration table 6 sflow default configuration parameters default value sflow agent information the agent automatically selects the ip of the routing out interface to the collector as the source ip address sflow collector information not configured sflow sampling rate 10000 sflow configuration sflow configuration table 7 overview of sflow configuration tasks table 7 overview of sflow configuration tasks configuration tasks description enable sflow enable sflow optional configure the sflow collector configure the sflow collector optional configure sflow for interface configure sflow for interface optional enable sflow enable sflow table 8 enable sflow table 8 enable sflow purpose commands description enter global configuration view configure terminal enable sflow sflow enable note when sflow is enabled, the interface sflow is all enabled by default configure the sflow collector configure the sflow collector sflow needs to be enabled before configuration the source interface and source ip of sflow collector cannot be configured at the same time table 9 configure the sflow collector table 9 configure the sflow collector purpose commands description enter global configuration view configure terminal configure the sflow collector sflow collector collector name ip address \[ vrf vrf | dst port ] ip address collector's destination ip vrf specifies the vrf where the sampling interface is located dst port collector's destination port configure source ip of sflow collector sflow collector collector name source { a b c d | a b } configure source interface of sflow collector sflow collector collector name source interface interface type interface name interface type optional parameters vlan, ethernet, loopback, link aggregation, mgmt configure the polling interval sflow polling interval time sets the counter sample interval for sampling time unit s, range 6 3600 set sflow sampling rate sflow sample rate rate rate indicates how many packets are sampled once, range 8000 1000000, and the default value is 10000 configure sflow for interface configure sflow for interface table 10 interface sflow configuration table 10 interface sflow configuration purpose commands description enter global configuration view configure terminal enter ethernet interface view interface ethernet interface name disable sflow for interface sflow disable set sflow sampling rate sflow sample rate rate rate indicates how many packets are sampled once, range 8000 1000000, and the default value is 10000 display and maintenance display and maintenance table 10 sflow display and maintenance table 10 sflow display and maintenance purpose commands description show global configuration show sflow display interface configuration show sflow interface ethernet interface num typical configuration example typical configuration example configure the sflow collector configure the sflow collector network requirements tc1 and tc2 communicate via switch management and maintenance personnel require viewing traffic information, forwarding status on interface 0/0, and the overall operational status of the device this enables timely detection of abnormal traffic, thereby ensuring normal and stable network operation topology procedure \#configure the interface ip dut sonic# config terminal sonic(config)# interface ethernet 0/0 sonic(config if 0/0)# ip address 10 0 0 2/24 server sonic# config terminal sonic(config)# interface ethernet 0/0 sonic(config if 0/0)# ip address 10 0 0 3/24 \#configure sflow collector on switch sonic# config terminal sonic(config)# sflow enable sonic(config)# sflow collector 1 10 0 0 3 6345 \#configure the polling interval (optional) sonic# config terminal sonic(config)# sflow polling interval 30 \#configure the sampling rate (optional) sonic# config terminal sonic(config)# interface ethernet 0/0 sonic(config if 0/0)# sflow sample rate 80000 verify the configuration \#configuration verification sonic(config)# show sflow sflow global information sflow admin state up sflow polling interval default sflow agentid default 1 collectors configured name 1 ip addr 10 0 0 3 udp port 6345 sonic# show sflow interface ethernet 0/0 + + + + \| interface | admin state | sampling rate | +=============+===============+=================+ \| 0/0 | up | 80000 | + + + + \#flow verification tc1 streams to tc2 at wire speed, capturing packets on the corresponding interface of server server can receive sflow packets with destination port 6345 telemetry telemetry introduction introduction telemetry is a technology for remotely collecting data from network devices at high speed, which can quickly pinpoint network failures and achieve efficient and intelligent network operations and maintenance devices act as telemetry clients, while collectors act as telemetry servers the switches initiate connections to the collectors actively to upload data for collection telemetry configuration telemetry configuration telemetry default configuration telemetry default configuration the default configuration of telemetry is shown in the table below table 11 telemetry default configuration table 11 telemetry default configuration parameters default value telemetry destination group not configured telemetry subscription not configured telemetry data reporting interval 5000 milliseconds configure telemetry destination group configure telemetry destination group table 12 telemetry destination group configuration table 12 telemetry destination group configuration purpose commands description enter global configuration view configure terminal enter the telemetry client configuration view telemetry client enter the telemetry destination group configuration view destination group destination group name configure collector ip and port number \[ ipv4 address a b c d | ipv6 address a b ] port port number a b c d/a b ：collector address, reachable at layer 3 with the switch port number ：collector monitoring portcurrently, a destination group only supports the configuration of one collector if there are multiple collectors, multiple subscriptions need to be configured configure telemetry subscription configure telemetry subscription table 13 telemetry subscription configuration table 13 telemetry subscription configuration purpose commands description enter global configuration view configure terminal enter the telemetry client configuration view telemetry client enter the telemetry subcription configuration view subscription subscription name configure the destination group associated with the subscription destination group destination group name communication can only be established after successfully binding to the destination group configure collection targets path target \[ counters db | state db | others ] only one collection target can be configured for a subscription configure collection path paths path name the subfolders of the collection path are separated by ‘/’ multiple collection paths can be set for one subscription configure reporting interval report interval time the unit is milliseconds, with a range of \[100, 1800000], and the default value is 5000 milliseconds configure reporting type report type \[ periodic | stream ] currently, only the following fixed collection targets and paths are supported table 14 periodic type collection events supported by telemetry table 14 periodic type collection events supported by telemetry event name path target paths total ingress/egress pfc counters db counters/ethernet /pfc cnt total ingress packet loss counters db counters/ethernet /ingress loss cnt total egress packet loss counters db counters/ethernet /queue egress loss cnt queue traffic statistics (transmitted bytes) counters db counters/ethernet /queue transmitted bytes queue traffic statistics(dropped bytes) counters db counters/ethernet /queue dropped bytes queue traffic statistics (transmitted packets) counters db counters/ethernet /queue transmitted packets queue traffic statistics (dropped packets) counters db counters/ethernet /queue dropped packets port information (ipv4 traffic statistics) counters db counters/ethernet /ip status port information (ipv6 traffic statistics) counters db counters/ethernet /ipv6 status table 15 stream type collection events supported by telemetry table 15 stream type collection events supported by telemetry event name path target paths logs of configuration operations others cmd/history total ingress packet loss counters db counters/ethernet /ingress loss cnt total egress packet loss counters db counters/ethernet /queue egress loss cnt typical configuration example typical configuration example configure telemetry client configure telemetry client network requirements as networks continue to expand in scale, users need to promptly optimize the network or perform troubleshooting based on device information for example, when the packet loss count of a device exceeds a certain threshold, data should be reported to the collector this facilitates timely monitoring and fine tuning of network traffic in subsequent steps topology procedure \#configure the interface ip sonic# config terminal sonic(config)# interface ethernet 0/0 sonic(config if 0/0)# ip address 10 0 0 2/24 \#the collector uses opentelemetry collector, and the configuration file is as follows receivers otlp protocols grpc endpoint "0 0 0 0 8081" tls cert file "d /programs/otelcol/server crt" key file "d /programs/otelcol/server key" exporters file path "d /programs/otelcol/exporters json" logging service pipelines traces receivers \[otlp] exporters \[file, logging] metrics receivers \[otlp] exporters \[file, logging] logs receivers \[otlp] exporters \[file, logging] \#configure telemetry client parameters, with the collector ip reachable at layer 3 sonic# configure terminal sonic(config)# telemetry client sonic(telemetry client)# destination group test sonic(telemetry destination group test)# ipv4 address 10 0 0 1 port 8081 sonic(telemetry destination group test)#exit sonic(telemetry client)# subscription test sonic(telemetry subscription test)# destination group test sonic(telemetry subscription test)# path target counters db sonic(telemetry subscription test)# paths counters/ethernet0/queue egress loss cnt sonic(telemetry subscription test)# report interval 10000 sonic(telemetry subscription test)# report type periodic sonic(telemetry subscription test)# exit verify the configuration the opentelemetry collector endpoint can receive reported data, with corresponding logging, and the exported file contains the respective reported data logging 2024 11 01t11 44 25 978+0800 info tracesexporter {"kind" "exporter", "data type" "traces", "name" "logging", "resource spans" 1, "spans" 1} 2024 11 01t11 44 35 979+0800 info tracesexporter {"kind" "exporter", "data type" "traces", "name" "logging", "resource spans" 1, "spans" 1} exporters json &#x9;{ &#x9; "resourcespans" \[ &#x9; { &#x9; "resource" { &#x9; "attributes" \[ &#x9; { &#x9; "key" "service name", &#x9; "value" { &#x9; "stringvalue" "grpc dialout" &#x9; } &#x9; } &#x9; ] &#x9; }, &#x9; "scopespans" \[ &#x9; { &#x9; "scope" { &#x9; "name" "telemetry dialout/client" &#x9; }, &#x9; "spans" \[ &#x9; { &#x9; "traceid" "dc78f3671e112263b54dd5fa1a6fb45d", &#x9; "spanid" "6818243589fca8ec", &#x9; "parentspanid" "", &#x9; "name" "dialout report", &#x9; "kind" 1, &#x9; "starttimeunixnano" "1730432661299663511", &#x9; "endtimeunixnano" "1730432661299733369", &#x9; "attributes" \[ &#x9; { &#x9; "key" "sonic data", &#x9; "value" { &#x9; "stringvalue" "update <\n timestamp 1730432661296098535\n prefix <\n target \\"counters db\\"\n >\n update <\n path <\n elem <\n name \\"counters\\"\n >\n elem <\n name \\"ethernet0\\"\n >\n elem <\n name \\"queue egress loss cnt\\"\n >\n >\n val <\n json ietf val \\"{\\\\\\"ethernet0 0\\\\\\" {\\\\\\"queue dropped bytes\\\\\\" \\\\\\"0\\\\\\",\\\\\\"queue dropped packets\\\\\\" \\\\\\"0\\\\\\",\\\\\\"type\\\\\\" \\\\\\"unicast\\\\\\"},\\\\\\"ethernet0 1\\\\\\" {\\\\\\"queue dropped bytes\\\\\\" \\\\\\"0\\\\\\",\\\\\\"queue dropped packets\\\\\\" \\\\\\"0\\\\\\",\\\\\\"type\\\\\\" \\\\\\"unicast\\\\\\"},\\\\\\"ethernet0 2\\\\\\" {\\\\\\"queue dropped bytes\\\\\\" \\\\\\"0\\\\\\",\\\\\\"queue dropped packets\\\\\\" \\\\\\"0\\\\\\",\\\\\\"type\\\\\\" \\\\\\"unicast\\\\\\"},\\\\\\"ethernet0 3\\\\\\" {\\\\\\"queue dropped bytes\\\\\\" \\\\\\"0\\\\\\",\\\\\\"queue dropped packets\\\\\\" \\\\\\"0\\\\\\",\\\\\\"type\\\\\\" \\\\\\"unicast\\\\\\"},\\\\\\"ethernet0 4\\\\\\" {\\\\\\"queue dropped bytes\\\\\\" \\\\\\"0\\\\\\",\\\\\\"queue dropped packets\\\\\\" \\\\\\"0\\\\\\",\\\\\\"type\\\\\\" \\\\\\"unicast\\\\\\"},\\\\\\"ethernet0 5\\\\\\" {\\\\\\"queue dropped bytes\\\\\\" \\\\\\"0\\\\\\",\\\\\\"queue dropped packets\\\\\\" \\\\\\"0\\\\\\",\\\\\\"type\\\\\\" \\\\\\"unicast\\\\\\"},\\\\\\"ethernet0 6\\\\\\" {\\\\\\"queue dropped bytes\\\\\\" \\\\\\"0\\\\\\",\\\\\\"queue dropped packets\\\\\\" \\\\\\"0\\\\\\",\\\\\\"type\\\\\\" \\\\\\"unicast\\\\\\"},\\\\\\"ethernet0 7\\\\\\" {\\\\\\"queue dropped bytes\\\\\\" \\\\\\"0\\\\\\",\\\\\\"queue dropped packets\\\\\\" \\\\\\"0\\\\\\",\\\\\\"type\\\\\\" \\\\\\"unicast\\\\\\"}}\\"\n >\n >\n>\n" &#x9; } &#x9; } &#x9; ], &#x9; "events" \[ &#x9; { &#x9; "timeunixnano" "1730432661299668184", &#x9; "name" "telemetry dialout" &#x9; } &#x9; ], &#x9; "status" {} &#x9; } &#x9; ] &#x9; } &#x9; ], &#x9; "schemaurl" "https //opentelemetry io/schemas/v1 4 0" &#x9; } &#x9; ] &#x9;}