[188021] in North American Network Operators' Group
Re: sFlow vs netFlow/IPFIX
daemon@ATHENA.MIT.EDU (Nick Hilliard)
Thu Mar 3 06:53:18 2016
X-Original-To: nanog@nanog.org
X-Envelope-To: nanog@nanog.org
Date: Thu, 03 Mar 2016 11:53:06 +0000
From: Nick Hilliard <nick@foobar.org>
To: Peter Phaal <peter.phaal@gmail.com>
In-Reply-To: <CAB8g2zxpUdmerVmu_CXkFt8db736TUfzQCDd44biUPy2ABUpKg@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Peter Phaal wrote:
> I think "pathologically broken" somewhat overstates the case.
> Bidirectional sampling is allowed by the sFlow spec and other vendors
> have made that choice. Another vendor used to implement egress only
> sampling (also allowed) but unusual. I agree that ingress is the most
> common and easiest to deal with, but a decent sFlow analyzer should be
> able to handle all three cases without over / under counting.
Bidirectional sampling doesn't allow you to define an sampling perimeter
on your switch topology. This means that if you if you have anything
other than a trivial topology, you will end up double-counting your
traffic. The only way to work around this is to get the collector to
discard 50% of the samples or otherwise write down the amount of traffic
by 50%, assuming a standard accounting perimeter configuration. This is
broken.
The thing is, this is ridiculously easy to fix in code. The hooks are
already there.
Nick
