sflow multi agent on same device

[賢PoHsien 阿]

Hello everyone,

In my environment, i have a OpenvSwitch on the host, and all physical NIC will connect to this OpenvSwitch.

I want to monitor each port network traffic and if any port has anomaly traffic, i will change the sampling rate for specific port and do not effect 

other port. It means each port has different sFlow configuration(Sampling Rate,Header Bytes,etc), but i don't know whether it can be implemented.

Can i setting multi agent on the same device (OpenvSwitch)？

e.g : 

OpenvSwitch ethernet Port A : 

．Sampling Rate : 400

．Collector IP : 192.168.0.1

．Header Byte : 128

OpenvSwitch ethernet Port B : 

．Sampling Rate : 200

．Collector IP : 192.168.0.2

．Header Byte : 100

OpenvSwitch  ethernet Port C : 

．Sampling Rate : 700

．Collector IP : 192.168.0.3

．Header Byte : 30

thanks.

Best Regards.

[Peter Phaal]

Open vSwitch implements packet sampling at the bridge level (http://docs.openvswitch.org/en/latest/howto/sflow/), so port based configuration is not possible.

In your use case, when you detect an anomaly using sFlow, you could instead program Open vSwitch with a filter to selectively capture the suspicious traffic. A full packet trace would be more useful for the forensic analysis. You can use Open vSwitch to tunnel the captured traffic for remote analysis (ERSPAN).

The triggered packet capture use case is demonstrated in the following video (using BigSwitch, but a solution with OVS, or any other programmable switch with filtered ERSPAN capability, would be very similar):

http://blog.sflow.com/2015/04/big-tap-sflow-enabling-pervasive-flow.html