[187942] in North American Network Operators' Group
Re: sFlow vs netFlow/IPFIX
daemon@ATHENA.MIT.EDU (Nick Hilliard)
Mon Feb 29 08:08:03 2016
Date: Mon, 29 Feb 2016 13:05:56 +0000
From: Nick Hilliard <nick@foobar.org>
To: Saku Ytti <saku@ytti.fi>
In-Reply-To: <CAAeewD_7NGzS+bNg0WBbKt3VSZk-Q21vpGFheW9EQ6sPSOow+Q@mail.gmail.com>
Cc: nanog list <nanog@nanog.org>
Saku Ytti wrote:
> I cannot see why not, it's cheap. You're doing 1-2 LPM on the packet,
> QoS lookup, ACL lookup, incrementing various counters, etc., adding
> one hash lookup and two counters is not going to be relevant cost to
> the lookup time.

depends on what you define by "cheap". Netflow requires separate packet
forwarding lookup and ACL handling silicon.

> Having many entries in the hash table is an issue, incrementing their
> counters is not.

it is certainly an issue if you get splatted with lots of discrete junk
flow, yes.

Neither of these are a problem for sflow. It just plucks packets out of
the data plane at a pre-defined rate and forwards their headers to the
collector. So long as your sampler is accurate, it's great.

Nick
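The trade-off discussed in this thread, as an added example that is not part of the original messages: a small simulation comparing the state held by a per-flow hash table with a stateless 1-in-N sampler when traffic contains many single-packet flows. The traffic is constructed, and the table size (4096), the sampling rate (1 in 100) and the "table full means unaccounted" behaviour are assumptions made for illustration, not a model of any particular router.

```python
import random

def make_traffic(n_long, pkts_per_long, n_junk, seed=1):
    """Constructed traffic: a few long flows plus many one-packet junk flows."""
    pkts = [("long", i) for i in range(n_long) for _ in range(pkts_per_long)]
    pkts += [("junk", i) for i in range(n_junk)]
    random.Random(seed).shuffle(pkts)
    return pkts

def flow_cache(pkts, max_entries):
    """Per-flow accounting: one hash entry and one packet counter per flow key."""
    table, unaccounted = {}, 0
    for key in pkts:
        if key in table:
            table[key] += 1          # cheap: counter increment on a hit
        elif len(table) < max_entries:
            table[key] = 1           # new entry consumes table space
        else:
            unaccounted += 1         # assumption: full table, packet not counted
    return table, unaccounted

def sampler(pkts, rate, seed=2):
    """1-in-N sampling: no per-flow state, only sampled headers are exported."""
    rng = random.Random(seed)
    return [key for key in pkts if rng.randrange(rate) == 0]

def estimate(samples, rate, kind):
    """Scale the sampled packet count back up by the sampling rate."""
    return rate * sum(1 for k in samples if k[0] == kind)

if __name__ == "__main__":
    pkts = make_traffic(n_long=20, pkts_per_long=10_000, n_junk=100_000)
    table, unaccounted = flow_cache(pkts, max_entries=4096)
    samples = sampler(pkts, rate=100)
    print("distinct flows offered :", len(set(pkts)))
    print("flow table entries used:", len(table))
    print("packets not accounted  :", unaccounted)
    print("samples exported       :", len(samples))
    print("estimated long pkts    :", estimate(samples, 100, "long"))
    print("estimated junk pkts    :", estimate(samples, 100, "junk"))
```

The sampler's export volume depends only on packet rate and sampling rate, while the flow table fills as soon as the number of distinct flows exceeds its size; the sampled estimates are only as good as the sampler, which is the condition stated in the message above.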