Real world sflow vs netflow?
peter.phaal at gmail.com
Sun Sep 23 16:23:57 UTC 2012
On Sun, Sep 23, 2012 at 8:16 AM, Dobbins, Roland <rdobbins at arbor.net> wrote:
> On Sep 23, 2012, at 7:55 PM, Danny McPherson wrote:
>> If the *flow generation process is not performed on the router (or otherwise
>> conveyed by some metadata outside of "raw [sampled] packet headers") then
>> you lose visibility to ingress and egress ifIndex (interface) information --
>> information which is required if/when deploying controls on those systems to
>> squelch various traffic flows.
> Thanks, Danny - I guess I should've spelled it out, thanks for clarifying, heh.
> It should also be noted that generating the flows directly from the data plane of the
> router/switch or doing it offboard (as long as sufficient ingress/egress ifindex
> metadata are collected and exported, as you note) is just an implementation detail
> - it isn't inherent to s/Flow, NetFlow, IPFIX, et. al. So, claiming this as some kind
> of advantage for a particular flow telemetry format is a non sequitur.
Exporting packet oriented measurements doesn't mean that you have to
loose ingress/egress interface data. In the specific example being
discussed (sFlow export), detailed forwarding information from the
router forwarding plane is exported with each sampled packet header
(full AS-path if you are using BGP). An external flow generator in
this case can produce flow records that are identical to those that
the device would produce, i.e. include ingress/egress ports.
The difference between packet oriented or flow oriented export is an
"implementation detail" if your only requirement is to obtain layer IP
flow records, but becomes significant if you want to create customized
flow records or create packet oriented metrics. Applications for
packet oriented metrics mentioned earlier in this thread included
route analytics, analysis of ECMP/LAG/TRILL forwarding, packet size
distribution vs. DSCP, DDoS mitigation.
The problem with having the router perform the flow analysis is that
once data is aggregated, it can't be disaggregated. It's like the
difference between receiving eggs or an omelette. If you like the
omelette, great! But if you wan't a different omelette or would like
to poach, boil, scramble or bake your eggs then getting the raw eggs
is a lot more versatile.
More information about the NANOG