Is anyone else appreciating the debate on sFlow vs. NetFlow?
The folks at Plixer International decided to take a closer look.
They put together a simple test using a live network.
 They inserted an Extreme Summit sFlow switch running v7.6 firmware between their Enterasys switch running Rev 05.42.04 and the firewall (SonicWall). |
The Enterasys switch supports NetFlow v9 and the Extreme switch supports sFlow v5.
They cranked up the sampling rate on the Extreme to sample every packet.
Plixer wasn’t confident that the Extreme Summit switch can sample every packet but, the switch didn’t bark at after they entered the command.
For flow collection, they used Scrutinizer NetFlow and sFlow Analyzer v6.0 which is pictured below.
PLXRSW3 (sFlow) is the Extreme Summit switch and PLXRSW1 (NetFlow) is the Enterasys Switch:
The above configuration would allow Plixer to view traffic rates of the same live traffic using sFlow and NetFlow collection.
Notice above that the Inbound and Outbound - five minute traffic averages don’t match for exactly the same traffic volumes.
The Extreme Summit = 1.332% and the Enterasys = 1.262% for Inbound utilization.
Plixer believes this could be caused by many things including the fact that sFlow samples tend to be exported closer to real time.
NetFlow on the other hand has to deal with active and inactive timeout configurations.
Because of this, an sFlow switch would likely reflect a sudden spike in utilization quicker than a NetFlow switch.
Perhaps someone will comment on this blog to help us have a better understanding!
At times they would be as much as 1% different from one another but, for the most part they were pretty much the same.
Below is an example:
Plixer let the test run for a few days.
Scrutinizer sat there collecting away.
Every so often they would compare the top ten talkers reported for the same time frame and they seldom matched up when looking at trends for the last 5 minutes or the last 24 hours:
As expected, since the Extreme Summit is sampling packets the total host traffic is below what the Enterasys Switch is reporting for the same host for the same time frame:
When looking at purely IP traffic, NetFlow has the advantage of collecting nearly everything hence the 4 fold increase over the sFlow interface above.
On the other hand, sFlow is not limited to IP traffic and results in more accurate overall utilization.
Notice below that the same Outbound traffic reported by NetFlow is under that stated by sFlow.
NetFlow Trend:
sFlow Trend:
Regarding the above, sFlow reports on non IP traffic as well as broadcasts that are not exported by NetFlow.
 Trent Waterhouse - Marketing VP for Enterasys said: |
"The Enterasys Matrix N-Series switches collect NetFlow statistics for every packet in every flow without sacrificing performance based on the nTERA ASIC capabilities."
 "Although we have considered the recent IPFIX solution (based on NetFlow v9), ProCurve currently favors sFlow for unification of our wired and wireless infrastructure because of its scalability, increased visibility and lower implementation costs within devices, which we pass directly on to our customers," said Paul Congdon - CTO of HP ProCurve. |
When asked about the router market, Paul went on to say:
"In this particular market, the NetFlow feature is an important transition technology for the refresh and we do have plans in our next software release to support NetFlow in our WAN router products."
Taking a closer look at flow volumes back to the collector:
When Plixer reviewed the volume of sFlow traffic being sent by the Extreme Summit switch back to the Scrutinizer collector the results were again interesting.
The Extreme sFlow volume was 6 times that of the NetFlow sending Enterasys switch.
This is because Plixer configured the Extreme switch to sample as much as possible which generally isn’t necessary.
See below:
Note that many believe that sFlow is a 1:1 ratio of 1 packet per 1 sample.
This is not true.
As Wireshark points out below in the packet trace, a single sFlow packet had 8 packet samples in it:
You can read more technical information about these standards by reading the sFlow RFC or the IP Flow Information Export (IPFIX) Charter.
Note that a single NetFlow v5 or v9 packet can represent thousands of packets but, contains much less detail than sFlow.
 "NetFlow is much more accurate for IP statistics however, sFlow is more than a substitute for NetFlow," said Marc Bilodeau - CTO of Plixer International. |
"It offers many more statistics than NetFlow does."
"Flexible NetFlow looks to take smart ideas from sFlow like sampling packets."
In Summary:
More testing needs to be done.
One would think that even with sampling, that statistically, the same top talkers would result with either technology over time and they didn’t.
Below is based on a 6 day trend on both switches.
Although the overall interface utilization trends look the same, the top hosts were inconsistent.
PLXRSW1 (NetFlow) is the Enterasys Switch:
PLXRSW3 (sFlow) is the Extreme Summit Switch:
After comparing the first two switches reporting on the same traffic and seeing inconsistent top 10 host results, Plixer decided to review sFlow from a 3rd switch (i.e. the backup plan) looking at the same traffic.
The 3rd switch made by Alcatel PLXRSW2 was sampling at a much lower rate but, the top ten hosts were consistent with the Extreme sFlow switch.
PLXRSW2 (sFlow) is the Alcatel Switch:
Related stories:
NetFlow or sFlow: which is the open standard?
Cisco’s NetFlow vs. Inmon’s sFlow: Which will prevail?
Cisco toe stepper HP ProCurve deftly hoofs over Cisco NetFlow
Did YOU find this blog informative?
Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.
Don't be shy, contact Brad Reese online or call him Toll Free:
866-864-0506
International callers may wish to call Brad by dialing:
850-364-4115
The Leader in Network Knowledge
The factor of 4
That factor of 4 difference looks like a misunderstanding of the sFlow protocol. I suspect the Extreme switch adjusted the sampling rate as allowed by the standard (section 4.2.2 http://www.sflow.org/sflow_version_5.txt) -- a precaution to keep the monitoring overhead low even when the settings are irrational.
elaborate please
Hello Neil,
Could you elaborate please? Do you have inside information on how Extreme works with sFlow?
I believe sFlow & NetFlow intended on targeting different markets but, we get many questions on the differences between the two. I posted a blog recently:
http://www.plixer.com/blog/products/scrutinizer/why-doesn%e2%80%99t-sflow-look-accurate/
Sincerely,
Michael Patterson
Product Manager - www.Scrutinizer.com
The factor of 4
Hi Mike,
No inside information required! It's just that sFlow is statistically rigorous and the accuracy is always known. For the test above you should have expected only a very small discrepancy. The factor of 4 implied that something else had gone wrong :) SFlow can be, and is, used for volumetric billing. Especially on networks that are too large or too fast for NetFlow to be generated and consumed cost-effectively.
I like your blog. The only comment I have is that comparing one NetFlow device with one sFlow device risks missing the bigger picture. When the comparison comes up in the real world the question is usually more like this: "If I buy from Cisco I get to monitor the routers, but if I buy from any other vendor I get to monitor the entire network".
Maybe Cisco will come around?
Neil McKee
InMon Corp.
www.inmon.com