Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

No vlan headers in sFlow sampled packets

nik martin
Occasional Contributor

No vlan headers in sFlow sampled packets

I have a network consisting of a 5406zl at the core, with 2910al as aggregation switches. There is no (authorized) traffic on my network that is not in a vlan, as I'm an isp, and customer IP subnets are built out in the 5406zl in vlans. I'm trying to do traffic accounting using sFlow, so I set a sampling rate of 1/512 in my core, and a poll interval of 60 secs. I'm receiving plenty of traffic samples, but NONE of the datagrams have the 802.1q vlan header information in them. all samples look like standard untagged traffic. I expect to see the samples on the trunked ports between my core and aggregation switches to have these headers, allowing me to measure traffic flowing into and out of customer subnets (vlans) , while NOT counting intra-vlan traffic, which is free. Is this not the case?
5 REPLIES
Pieter 't Hart
Honored Contributor

Re: No vlan headers in sFlow sampled packets

>>> I'm receiving plenty of traffic samples, but NONE of the datagrams have the 802.1q vlan header information in them. all samples look like standard untagged traffic<<<

What are you looking at?
Traffic measuring samples is not packet sniffing.
It is management information, not data-traffic.
every packet can hold multiple data samples (for multiple vlan's) and may have multiple vlan-id's/measurement-data in the data section of the packet.
nik martin
Occasional Contributor

Re: No vlan headers in sFlow sampled packets

>>>What are you looking at?<<<
Each time I get an sflow sample, I'm looking at the decoded header information. This information IS the TCP Header of the actual data flowing through the switch, It contains SRC and DST MAc Addresses, IP addresses, packet size, etc.

>>>Traffic measuring samples is not packet sniffing.<<<
I'm looking at sflow samples, not counters so yes , it DOES have "sniffed" packet info in it. That's what sflow is for.

>>>It is management information, not data-traffic.<<<
Also not true. a 1/512 sample rate picks 1 out of every 512 samples out of real data flowing through the sampled port and sends it to the sflow collector. One of the sflow v5 data elements is the IP header of the sampled packet.

>>>every packet can hold multiple data samples (for multiple vlan's) and may have multiple vlan-id's/measurement-data in the data section of the packet.<<<
Correct, and sflow tools decode those, giving me access to BGP info, VLAN info, src_ip and dst_ip info, src_port and dst_port, protocol info, etc.
Greybeard
Esteemed Contributor

Re: No vlan headers in sFlow sampled packets

You don't say from where in the network you are capturing, there are so many variables involving O/S, drivers, HBAs etc, that can affect the presence of Vlan information in a packet (they are not always there throughout the whole "journy"). Easier to have a look at this rather good discussion http://wiki.wireshark.org/CaptureSetup/VLAN
_________________________________________________
How to assign points on this new forum? Click the Kudos Star!
Greybeard
Esteemed Contributor

Re: No vlan headers in sFlow sampled packets

you may also find somthing of interest in a very good response on this thread http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1382186
_________________________________________________
How to assign points on this new forum? Click the Kudos Star!
nik martin
Occasional Contributor

Re: No vlan headers in sFlow sampled packets

>>>You don't say from where in the network you are capturing, there are so many variables involving O/S, drivers, HBAs etc, that can affect the presence of Vlan information in a packet (they are not always there throughout the whole "journy").<<<
Good point, I considered that shortly after I got started, and set sFlow to sample only the ports in my core switch that are trunked to my aggregation switches, to ensure I was sampling ports that were Tagged in the VLAN. Thanks for the links, I'll check those out.