NetFlow and sFlow

NetFlow

About NetFlow

NetFlow is a telemetry protocol that allows for the collection of IP statistics on interfaces where it is enabled. a "flow" is a unidirectional data set. That is to say, it's one side of the connection not both. Once selected and collected this data is then exported in binary format to a remote collector. Typically, routing platforms export netflow whereas switching platforms export sflow.

NetFlow Versions Supported

• v5

• v9

• v10 (IPFIX)

NetFlow Version Differences of Note

• v5 does not support IPV6 due to its specification. IP fields are not big enough to hold an IPV6 address

• v9, v10 are template based which gives flexibility however these templates are often set by vendors and not configurable by the end user.

• v9, v10 templates are NOT sent with the records themselves but at an independent interval. Templates have to be received before data can be decoded. Also if scaling horizontally, templates need to be replicated to other collectors or they will not be able to decode flows.

• v9, v10 sample rate is no longer reported in every flow packet. It it typically defined in an options template which comes at a configurable interval.

NetFlow Configuration Recommendations

• Set active-timeout to 60

• Set run-length to 0 if it exists on your platform

• Only sample input on chosen interfaces

• Follow sample rate table below based on traffic volume, and then adjust once configured

sFlow

About sFlow

sFlow is a telemetry protocol that allows for the collection of IP statistics and counters on interfaces where it is enabled. sFlow is implemented on most switching platforms and employs packet sampling as a means to select which IP communications to export to a specified collector. sFlow copies the entire packet header so there is enhanced visibility into other layers.

sFlow Versions Supported

• v5

sFlow Configuration Recommendations

• Only sample input/ingress on chosen interfaces

• Follow sample rate table below based on traffic volume, and then adjust once configured

• Note: Netography does not currently ingest counter records

Comparing NetFlow and sFlow

Flow Sampling (NetFlow) vs. Packet Sampling (sFlow)

There is no superior solution between the two as each has its advantages and disadvantages. With flow sampling, the device picks a 5-tuple (source IP, source port, destination IP, destination port, protocol) depending on the sampling algorithm and tracks relevant statistics for the flow's duration, then exports them at the appropriate time. With packet sampling, the exporter picks every Nth packet and reports the details of that packet.

NetFlow Advantages

• Full byte and packet counts for a chosen flow

• All seen TCP Flags for a chosen flow

• Flow start time, end time, and duration

sFlow Advantages

• Full packet header and up to 128 bytes of payload

• Less latency in delivering records

• Utilizes fewer resources on devices generating records

Netography Use Case Recommendation

NetFlow has a considerable advantage in understanding the complete communication between various devices on the network. However, sFlow will provide more timely updates, so if understanding traffic within seconds is desirable, then sFlow may be a better choice. If the packet headers provided by your particular devices is useful in the sFlow records, that may be a benefit to sFlow.

Sample Rate Guide Table

The table below is a good starting point for configuring a sample rate based on the network device bandwidth volume. Once you see the volume of flow records generated with this sample rate, consider making additional adjustments to tune this setting. A lower sample rate will produce more records but provide a higher level of granularity.