sFlow vs netFlow/IPFIX

Nick Hilliard nick at foobar.org
Mon Feb 29 13:05:56 UTC 2016


Saku Ytti wrote:
> I cannot see why not, it's cheap. You're doing 1-2 LPM on the packet,
> QoS lookup, ACL lookup, incrementing various counters, etc., adding
> one hash lookup and two counters is not going to be relevant cost to
> the lookup time.

depends on what you define by "cheap".  Netflow requires separate packet
forwarding lookup and ACL handling silicon.

> Having many entries in the hash table is an issue, incrementing their
> counters is not.

it is certainly an issue if you get splatted with lots of discrete junk
flow, yes.

Neither of these are a problem for sflow.  It just plucks packets out of
the data plane at a pre-defined rate and forwards their headers to the
collector.  So long as your sampler is accurate, it's great.

Nick


More information about the NANOG mailing list