Tuesday, April 26, 2016

Multi-tenant sFlow

This article discusses how real-time sFlow telemetry can be shared with network tenants to provide each tenant with a real-time view of their slice of the shared resources. The diagram shows a simple network with two tenants, Tenant A and Tenant B, each assigned their own subnet, 10.0.0.0/24 and 10.0.1.0/24 respectively.

One option would be to simply replicate the sFlow datagrams and send copies to both tenants. The earlier article Forwarding using sflowtool describes how sflowtool can replicate and forward sFlow; sFlow-RT can likewise be configured to forward sFlow using its REST API:
curl -H "Content-Type:application/json" \
-X PUT --data '{"address":"10.0.0.1","port":6343}' \
http://127.0.0.1:8008/forwarding/TenantA/json
However, there are serious problems with this approach:
  1. Private information about Tenant B's traffic is leaked to Tenant A.
  2. Information from internal links within the network (i.e. links between s1, s2, s3 and s4) is leaked to Tenant A.
  3. Duplicate data from each network hop is likely to cause Tenant A to over-estimate their traffic.
The sFlow-RT multi-tenant forwarding function addresses these challenges. The first task is to provide sFlow-RT with an accurate network topology specifying the internal links connecting the switches, e.g.
curl -H "Content-Type:application/json" -X PUT --data '{
 "L1":{"node1":"s1", "port1":"s1-eth1", "node2":"s3", "port2":"s3-eth1"},
 "L2":{"node1":"s1", "port1":"s1-eth2", "node2":"s4", "port2":"s4-eth1"},
 "L3":{"node1":"s2", "port1":"s2-eth1", "node2":"s3", "port2":"s3-eth2"},
 "L4":{"node1":"s2", "port1":"s2-eth2", "node2":"s4", "port2":"s4-eth2"}
}' http://127.0.0.1:8008/topology/json
The topology allows sFlow-RT to model the network as if it were one switch and provide this abstracted view of the sFlow data to tenants.

The following REST API call configures multi-tenant forwarding for Tenant A:
curl -H "Content-Type:application/json" -X PUT --data \
'{"collectorAddress":"10.0.0.1","collectorPort":6343,
"filters":{"cidr":["10.0.0.0/24"]}}' \
http://127.0.0.1:8008/tenant/TenantA/json
In this example, sFlow-RT filters the sFlow sent to Tenant A to include only traffic to or from hosts within Tenant A's allocated address space, 10.0.0.0/24. In addition, only edge ports are considered; sFlow from inter-switch links is suppressed. When performing multi-tenant forwarding, sFlow-RT acts as a proxy, reconstructing a valid sFlow telemetry stream from the filtered records and re-calculating sequence numbers, sampling information, etc.
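The following Python script is an added illustration, not sFlow-RT's code and not part of the original article. It models the three things the proxy does with the topology and tenant configuration above: drop samples taken on inter-switch links, keep only samples whose source or destination falls in the tenant's CIDR, and renumber the surviving records into a fresh per-tenant sequence. The topology and tenant definitions mirror the curl examples; the sample records, their field names (agent, in_port, src, dst, bytes) and the sampling rate are constructed simplifications of real sFlow flow samples. The naive_replication function shows the over-estimate that problem 3 above warns about when every hop's samples are forwarded.

```python
import ipaddress

# Constructed topology, matching the four internal links in the article.
TOPOLOGY = {
    "L1": {"node1": "s1", "port1": "s1-eth1", "node2": "s3", "port2": "s3-eth1"},
    "L2": {"node1": "s1", "port1": "s1-eth2", "node2": "s4", "port2": "s4-eth1"},
    "L3": {"node1": "s2", "port1": "s2-eth1", "node2": "s3", "port2": "s3-eth2"},
    "L4": {"node1": "s2", "port1": "s2-eth2", "node2": "s4", "port2": "s4-eth2"},
}

# Constructed tenant configuration, matching the /tenant/TenantA/json call.
TENANTS = {
    "TenantA": {"cidr": ["10.0.0.0/24"]},
    "TenantB": {"cidr": ["10.0.1.0/24"]},
}

# Constructed flow samples: one Tenant A packet s1 -> s3 -> s2, one Tenant B
# packet along the same path, and a Tenant A reply returning s2 -> s4 -> s1.
# Every switch on the path samples the packet on its ingress port, so the
# same packet appears three times in the combined feed.
SAMPLES = [
    {"agent": "s1", "in_port": "s1-eth3", "src": "10.0.0.10", "dst": "10.0.0.20", "bytes": 1500},
    {"agent": "s3", "in_port": "s3-eth1", "src": "10.0.0.10", "dst": "10.0.0.20", "bytes": 1500},
    {"agent": "s2", "in_port": "s2-eth1", "src": "10.0.0.10", "dst": "10.0.0.20", "bytes": 1500},
    {"agent": "s1", "in_port": "s1-eth4", "src": "10.0.1.5", "dst": "10.0.1.6", "bytes": 500},
    {"agent": "s3", "in_port": "s3-eth1", "src": "10.0.1.5", "dst": "10.0.1.6", "bytes": 500},
    {"agent": "s2", "in_port": "s2-eth1", "src": "10.0.1.5", "dst": "10.0.1.6", "bytes": 500},
    {"agent": "s2", "in_port": "s2-eth3", "src": "10.0.0.20", "dst": "10.0.0.10", "bytes": 64},
    {"agent": "s4", "in_port": "s4-eth2", "src": "10.0.0.20", "dst": "10.0.0.10", "bytes": 64},
    {"agent": "s1", "in_port": "s1-eth2", "src": "10.0.0.20", "dst": "10.0.0.10", "bytes": 64},
]

SAMPLING_RATE = 1000  # constructed 1-in-N packet sampling rate


def internal_ports(topology):
    """Set of (switch, port) pairs that terminate an inter-switch link."""
    ports = set()
    for link in topology.values():
        ports.add((link["node1"], link["port1"]))
        ports.add((link["node2"], link["port2"]))
    return ports


def is_edge_sample(sample, internal):
    """A sample counts as edge traffic if it was taken on a non-internal port."""
    return (sample["agent"], sample["in_port"]) not in internal


def matches_cidr(sample, cidrs):
    """True if either endpoint of the sampled packet lies in one of the CIDRs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    src = ipaddress.ip_address(sample["src"])
    dst = ipaddress.ip_address(sample["dst"])
    return any(src in n or dst in n for n in nets)


def split_by_tenant(samples, topology, tenants):
    """Model of the proxy: edge-only, CIDR-filtered, renumbered per tenant."""
    internal = internal_ports(topology)
    out = {name: [] for name in tenants}
    for s in samples:
        if not is_edge_sample(s, internal):
            continue  # suppress samples from inter-switch links
        for name, cfg in tenants.items():
            if matches_cidr(s, cfg["cidr"]):
                # Fresh sequence number so the tenant sees a gap-free stream.
                out[name].append(dict(s, seq=len(out[name]) + 1))
    return out


def naive_replication(samples, cidrs):
    """What a tenant would see if every hop's samples were forwarded unfiltered
    by topology: the same packet is counted once per switch it traverses."""
    return [s for s in samples if matches_cidr(s, cidrs)]


def estimated_bytes(samples, sampling_rate):
    """Scale sampled bytes up by the sampling rate to estimate traffic volume."""
    return sum(s["bytes"] for s in samples) * sampling_rate


if __name__ == "__main__":
    per_tenant = split_by_tenant(SAMPLES, TOPOLOGY, TENANTS)
    for name, recs in per_tenant.items():
        print(name, "edge-filtered estimate:", estimated_bytes(recs, SAMPLING_RATE))
    naive = naive_replication(SAMPLES, TENANTS["TenantA"]["cidr"])
    print("TenantA naive per-hop estimate:", estimated_bytes(naive, SAMPLING_RATE))
```

With the constructed samples, Tenant A's edge-filtered estimate is 1,564,000 bytes (two edge samples), while forwarding every hop's samples gives 4,692,000 bytes, three times the true volume, and Tenant B's 500-byte packet never reaches Tenant A's feed.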

In addition to splitting sFlow telemetry by IP address, sFlow-RT can split telemetry based on switch port and MAC addresses. Splitting on MAC addresses is a simple way to share sFlow telemetry between members of an Internet Exchange, see Internet Exchange (IX) Metrics.

Tenants can use whatever software they want to process the standard sFlow feed. However, standing up sFlow-RT instances for each tenant is straightforward and provides real-time network analytics through an easily consumable RESTflow API, see Network and system analytics as a Docker microservice.

Finally, network analytics is a valuable service to offer tenants and in the case of commercial service providers can be used as an additional source of revenue or as a way to differentiate the service from competitors.
