Does RA/NFA handle sflow from F5 devices?

Document ID : KB000048394
Last Modified Date : 14/02/2018

Description:

In the past, F5 did not export data based on flows, only counters. RA/NFA didn't support this because the export didn't have the minimum required fields for traffic analysis. What it does provide via flow can alternatively be gathered via SNMP using the chart below.

Solution:

F5 sFlow information:

| Name and type | Source | Example value |
|---|---|---|
| in_vlan (vlan) | VLAN tag | 1234 (This value is an integer between 0 [zero] and 4095.) |
| octets (vlan) | ifc_stats.hc_in_octets + ifc_stats.hc_out_octets | 107777746 |
| ucastPkts (vlan) | ifc_stats.hc_in_ucast_pkts + ifc_stats.hc_out_ucast_pkts | 202314 |
| multicastPkts (vlan) | ifc_stats.hc_in_multicast_pkts + ifc_stats.hc_out_multicast_pkts | 12 |
| broadcastPkts (vlan) | ifc_stats.hc_in_broadcast_pkts + ifc_stats.hc_out_broadcast_pkts | 6 |
| discards (vlan) | ifc_stats.hc_in_discards + ifc_stats.hc_out_discards | 0 |
| ifIndex (interface) | interface_stat.if_index | 64 (You can map this value to an interface name by using snmpwalk to query ifTable, for example, snmpwalk -v 2c -c public localhost ifTable.) |
| networkType (interface) | Enumeration derived from the IANAifType-MIB (http://www.iana.org/assignments/ianaiftype-mib) | 6 |
| ifSpeed (interface) | Media speed of the network interface | 1000000000 (This value is in bits per second.) |
| ifDirection (interface) | Derived from MAU MIB (RFC 2668): 0 = unknown, 1 = full-duplex, 2 = half-duplex, 3 = in, 4 = out | 1 |
| ifStatus (interface) | Bit field with the following bits assigned: bit 0 = ifAdminStatus (0 = down, 1 = up), bit 1 = ifOperStatus (0 = down, 1 = up) | 3 |
| ifInOctets (interface) | interface_stat.counters.bytes_in | 9501109483 |
| ifInUcastPkts (interface) | interface_stat.counters.pkts_in - interface_stat.counters.mcast_in | 14373120 |
| ifInMulticastPkts (interface) | interface_stat.counters.mcast_in | 72 |
| ifInBroadcastPkts (interface) | interface_stat.rx_broadcast | 211 |
| ifInDiscards (interface) | interface_stat.counters.drops_in | 13 |
| ifInErrors (interface) | interface_stat.counters.errors_in | 0 |
| ifInUnknownProtos (interface) | Not implemented | This value will always be 0 (zero). |
| ifOutOctets (interface) | interface_stat.counters.bytes_out | 9655448619 |
| ifOutUcastPkts (interface) | interface_stat.counters.pkts_out - interface_stat.counters.mcast_out | 10838396 |
| ifOutMulticastPkts (interface) | interface_stat.counters.mcast_out | 72 |
| ifOutBroadcastPkts (interface) | interface_stat.tx_broadcast | 211 |
| ifOutDiscards (interface) | interface_stat.counters.drops_out | 8 |
| ifOutErrors (interface) | interface_stat.counters.errors_out | 0 |
| ifPromiscuousMode (interface) | Not implemented | This value will always be 0 (zero). |
| 5s_cpu (processor) | tmm_stat.cpu_usage_5secs | .81 (This value is the average tmm CPU usage in the last five seconds.) |
| 1m_cpu (processor) | tmm_stat.cpu_usage_1min | (This value is the average tmm CPU usage in the last one minute.) |
| 5m_cpu (processor) | tmm_stat.cpu_usage_5mins | (This value is the average tmm CPU usage in the last five minutes.) |
| total_memory_bytes (processor) | tmm_stat.memory_total | 5561647104 (This value is the total tmm memory in bytes.) |
| free_memory_bytes (processor) | tmm_stat.memory_total - tmm_stat.memory_used (free tmm memory in bytes) | 5363754680 (This value is the free tmm memory in bytes.) |

Recently, F5 made some changes in their code and added flow samples that contain all the minimum required fields:

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-4-0/9.html

Although all the required fields are available, we have seen problems with their flows where negative byte values cause NFA reports to show incorrect byte values. You would normally see complaints that NFA is reporting terabytes of interface throughput for flows from F5. If the flow byte values are negative, then F5 is not supporting sFlow export properly and the F5 vendor should be contacted.
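One way to confirm the symptom from exported data is to check each flow's byte count against the ifSpeed value from the interface counter samples in the chart above. This is an added example, not code from F5 or from RA/NFA; the `FlowRecord` layout, the exporter address and the sample values are constructed, and byte counts are assumed to be already scaled by the sampling rate.

```python
from dataclasses import dataclass

@dataclass
class FlowRecord:       # hypothetical, already-decoded flow record
    exporter: str       # address of the exporting device
    if_index: int       # ifIndex the flow was seen on
    octets: int         # byte count as decoded by the collector
    duration_s: float   # reporting interval the byte count covers

def check_flows(flows, if_speed_bps):
    """Return (flow, reason) for every record whose byte count is not credible.

    if_speed_bps maps (exporter, ifIndex) -> ifSpeed in bits per second,
    taken from the interface counter samples.
    """
    suspect = []
    for f in flows:
        if f.octets < 0:
            suspect.append((f, "negative byte count"))
            continue
        speed = if_speed_bps.get((f.exporter, f.if_index))
        if speed is None or f.duration_s <= 0:
            suspect.append((f, "unverifiable: no ifSpeed or interval"))
            continue
        rate_bps = f.octets * 8 / f.duration_s
        if rate_bps > speed:
            suspect.append((f, "rate exceeds ifSpeed"))
    return suspect

# Constructed sample data: one 1 Gbit/s interface (ifIndex 64, ifSpeed 1000000000).
IF_SPEED = {("192.0.2.10", 64): 1_000_000_000}
SAMPLE_FLOWS = [
    FlowRecord("192.0.2.10", 64, 750_000_000, 60.0),   # 100 Mbit/s, plausible
    FlowRecord("192.0.2.10", 64, -1500, 60.0),         # negative byte value
    FlowRecord("192.0.2.10", 64, 2**64 - 1500, 60.0),  # far beyond link capacity
    FlowRecord("192.0.2.10", 65, 4_000, 60.0),         # no counter sample for ifIndex 65
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS, IF_SPEED):
        print(f"{flow.exporter} ifIndex={flow.if_index} octets={flow.octets}: {reason}")
```

Records flagged as negative or as exceeding ifSpeed are the ones to attach when raising the issue with the F5 vendor.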