[187949] in North American Network Operators' Group
Re: sFlow vs netFlow/IPFIX
daemon@ATHENA.MIT.EDU (Phil Bedard)
Mon Feb 29 10:41:05 2016
X-Original-To: nanog@nanog.org
Date: Mon, 29 Feb 2016 10:40:59 -0500
From: Phil Bedard <bedard.phil@gmail.com>
To: Saku Ytti <saku@ytti.fi>,
Nick Hilliard <nick@foobar.org>
In-Reply-To: <CAAeewD-BXiRUM64dj7mQUDTpz53j0NpkttTrL3b2gKjyj6hEqg@mail.gmail.com>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> on behalf of Saku Ytti <saku@ytti.fi>
Date: Monday, February 29, 2016 at 08:31
To: Nick Hilliard <nick@foobar.org>
Cc: nanog list <nanog@nanog.org>
Subject: Re: sFlow vs netFlow/IPFIX
>On 29 February 2016 at 15:05, Nick Hilliard <nick@foobar.org> wrote:
>
>> depends on what you define by "cheap". Netflow requires separate packet
>> forwarding lookup and ACL handling silicon.
>
>That's not inherently so, it depends how specialised your hardware is.
>If it's very specialised like implementing just LPM, sure. If it's
>NPU, then no, that's not given.

I don’t think anyone uses dedicated Netflow HW these days. The ASICs
have functionality for other things like mirroring, etc. which are
augmented for Netflow use. Usually it’s a mix of dedicated functions in
the ASICs and then the LC CPU and general CPU on some platforms. Really
in the end the router is doing something like SFlow internally.

>
>The cost is many entries in the hash table, not updating them. But if
>you'd emulate sflow behaviour in IPFIX then you don't need the hash
>tables or the counters.

It would be interesting to get some data from vendors on what the actual
limitation is. I know with some new platforms like the NCS 55XX from
Cisco (BRCM Jericho) it has limited space for counters, but I don’t know
if that contributes to its minimum 1:8000 Netflow sampling rate. The new
PTX FPC supporting Netflow has a minimum of 1:1000.

Phil