[154907] in North American Network Operators' Group


RE: Real world sflow vs netflow?

daemon@ATHENA.MIT.EDU (James Braunegg)
Mon Jul 16 18:54:51 2012

From: James Braunegg <james.braunegg@micron21.com>
To: David Hubbard <dhubbard@dino.hostasaurus.com>, "nanog@nanog.org"
 <nanog@nanog.org>
Date: Mon, 16 Jul 2012 22:54:09 +0000
In-Reply-To: <FCD26398C5EDE746BFC47F43EA52A17304E0F12B@dino.ad.hostasaurus.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Dear David

From a visibility point of view, we obtain as much information as we require to know exactly what's occurring on our network where and when in real-time.

We know what's happening, on any interface on any network at any time. - that being said for us the most important visibility is all about the flow of traffic and packet counts.... the security side should be done at the firewall level !

If anyone wants a demo of our sFlow setup happy to show you via a team viewer session or something !

By the way we are using sFlow now

Kindest Regards


James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg@micron21.com | ABN: 12 109 977 666





-----Original Message-----
From: David Hubbard [mailto:dhubbard@dino.hostasaurus.com]
Sent: Tuesday, July 17, 2012 8:26 AM
To: nanog@nanog.org
Subject: RE: Real world sflow vs netflow?

From: James Braunegg [mailto:james.braunegg@micron21.com]
>
> Dear All
>
> Around a year ago I had the same debate sflow vs netflow vs snmp port
> counters. read lots of stories lots of myths lots of good information.
> My Conclusion
>
> In the end I did real life testing comparing each platform
>
> We routed live traffic (about 250mbits) from our Cisco 7200
> G2 routers through Brocade MLXe routers and exported netflow from the
> Cisco platform and sFlow from the Brocade platform.
>
> Each router sent netflow/sflow traffic to two collectors on
> independent hardware (same specifications) running the same collection
> netflow analyzer software.
>
> The end result was after hours of testing, or even days and weeks of
> testing there was no significant difference between traffic volumes
> netflow was showing vs sflow. Ie less than 0.5% variance between each
> environment.
>
> That being said both netflow and sflow both under read by about 3%
> when compared to snmp port counters, which we put to the conclusion
> was broadcast traffic etc which the routers didn't see / flow.
>
> Regardless if you're going to bill from netflow or sflow in our test
> environment we saw no significant difference between either platform.

What are your thoughts on the non-billing aspects after your comparison testing; if you are/were using it for those purposes?
We don't use our current netflow for billing, just for security investigation and (ideally) early alerting of abnormal activity like port scans, compromised apps on servers, etc.

Thanks,

David


