Real world sflow vs netflow?

James Braunegg james.braunegg at micron21.com
Mon Jul 16 22:54:09 UTC 2012


Dear David

From a visibility point of view, we obtain as much information as we require to know exactly what's occurring on our network, where and when, in real time.

We know what's happening on any interface on any network at any time. That being said, for us the most important visibility is all about the flow of traffic and packet counts... the security side should be done at the firewall level!

If anyone wants a demo of our sFlow setup, happy to show you via a TeamViewer session or something!

By the way, we are using sFlow now.

Kindest Regards


James Braunegg
W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg at micron21.com  |  ABN:  12 109 977 666   





-----Original Message-----
From: David Hubbard [mailto:dhubbard at dino.hostasaurus.com] 
Sent: Tuesday, July 17, 2012 8:26 AM
To: nanog at nanog.org
Subject: RE: Real world sflow vs netflow?

From: James Braunegg [mailto:james.braunegg at micron21.com] 
> 
> Dear All
> 
> Around a year ago I had the same debate: sflow vs netflow vs snmp port 
> counters. Read lots of stories, lots of myths, lots of good information.  
> My Conclusion
> 
> In the end I did real life testing comparing each platform
> 
> We routed live traffic (about 250mbits) from our Cisco 7200
> G2 routers through Brocade MLXe routers and exported netflow from the 
> Cisco platform and sFlow from the Brocade platform.
> 
> Each router sent netflow/sflow traffic to two collectors on 
> independent hardware (same specifications) running the same collection 
> netflow analyzer software.
> 
> The end result was after hours of testing, or even days and weeks of 
> testing, there was no significant difference between traffic volumes 
> netflow was showing vs sflow, i.e. less than 0.5% variance between each 
> environment.
> 
> That being said, netflow and sflow both under-read by about 3% 
> when compared to snmp port counters, which we put to the conclusion 
> was broadcast traffic etc which the routers didn't see / flow.
> 
> Regardless if you're going to bill from netflow or sflow, in our test 
> environment we saw no significant difference between either platform.

What are your thoughts on the non-billing aspects after your comparison testing; if you are/were using it for those purposes?
We don't use our current netflow for billing, just for security investigation and (ideally) early alerting of abnormal activity like port scans, compromised apps on servers, etc.

Thanks,

David




