Closer look: sFlow better than NetFlow?

Putting together a simple test.

Plixer International
Is anyone else appreciating the debate on sFlow vs. NetFlow? The folks at Plixer International decided to take a closer look. They put together a simple test using a live network.
Visit Us Cisco Live! 2008 Orlando June 22 - 26 Booth 1210
They inserted an Extreme Summit sFlow switch running v7.6 firmware between their Enterasys switch running Rev 05.42.04 and the firewall (SonicWall).

The Enterasys switch supports NetFlow v9 and the Extreme switch supports sFlow v5. They cranked up the sampling rate on the Extreme to sample every packet. Plixer wasn’t confident that the Extreme Summit switch can sample every packet but, the switch didn’t bark at after they entered the command. For flow collection, they used Scrutinizer NetFlow and sFlow Analyzer v6.0 which is pictured below. PLXRSW3 (sFlow) is the Extreme Summit switch and PLXRSW1 (NetFlow) is the Enterasys Switch:

sFlow and NetFlow Collection
The above configuration would allow Plixer to view traffic rates of the same live traffic using sFlow and NetFlow collection. Notice above that the Inbound and Outbound - five minute traffic averages don’t match for exactly the same traffic volumes. The Extreme Summit = 1.332% and the Enterasys = 1.262% for Inbound utilization. Plixer believes this could be caused by many things including the fact that sFlow samples tend to be exported closer to real time. NetFlow on the other hand has to deal with active and inactive timeout configurations. Because of this, an sFlow switch would likely reflect a sudden spike in utilization quicker than a NetFlow switch. Perhaps someone will comment on this blog to help us have a better understanding! At times they would be as much as 1% different from one another but, for the most part they were pretty much the same. Below is an example:
An Example
Plixer let the test run for a few days. Scrutinizer sat there collecting away. Every so often they would compare the top ten talkers reported for the same time frame and they seldom matched up when looking at trends for the last 5 minutes or the last 24 hours:
Compare
As expected, since the Extreme Summit is sampling packets the total host traffic is below what the Enterasys Switch is reporting for the same host for the same time frame:
As Expected
When looking at purely IP traffic, NetFlow has the advantage of collecting nearly everything hence the 4 fold increase over the sFlow interface above. On the other hand, sFlow is not limited to IP traffic and results in more accurate overall utilization. Notice below that the same Outbound traffic reported by NetFlow is under that stated by sFlow. NetFlow Trend:
NetFlow Trend
sFlow Trend:
sFlow Trend
Regarding the above, sFlow reports on non IP traffic as well as broadcasts that are not exported by NetFlow.


Trent Waterhouse
Trent Waterhouse - Marketing VP for Enterasys said: "The Enterasys Matrix N-Series switches collect NetFlow statistics for every packet in every flow without sacrificing performance based on the nTERA ASIC capabilities."
Paul Congdon
"Although we have considered the recent IPFIX solution (based on NetFlow v9), ProCurve currently favors sFlow for unification of our wired and wireless infrastructure because of its scalability, increased visibility and lower implementation costs within devices, which we pass directly on to our customers," said Paul Congdon - CTO of HP ProCurve. When asked about the router market, Paul went on to say: "In this particular market, the NetFlow feature is an important transition technology for the refresh and we do have plans in our next software release to support NetFlow in our WAN router products."

Taking a closer look at flow volumes back to the collector: When Plixer reviewed the volume of sFlow traffic being sent by the Extreme Summit switch back to the Scrutinizer collector the results were again interesting. The Extreme sFlow volume was 6 times that of the NetFlow sending Enterasys switch. This is because Plixer configured the Extreme switch to sample as much as possible which generally isn’t necessary. See below:

Collection Statistics
Note that many believe that sFlow is a 1:1 ratio of 1 packet per 1 sample. This is not true. As Wireshark points out below in the packet trace, a single sFlow packet had 8 packet samples in it:
Wireshark Points Out
You can read more technical information about these standards by reading the sFlow RFC or the IP Flow Information Export (IPFIX) Charter. Note that a single NetFlow v5 or v9 packet can represent thousands of packets but, contains much less detail than sFlow.


Marc Bilodeau
"NetFlow is much more accurate for IP statistics however, sFlow is more than a substitute for NetFlow," said Marc Bilodeau - CTO of Plixer International. "It offers many more statistics than NetFlow does." "Flexible NetFlow looks to take smart ideas from sFlow like sampling packets."

In Summary: More testing needs to be done. One would think that even with sampling, that statistically, the same top talkers would result with either technology over time and they didn’t. Below is based on a 6 day trend on both switches. Although the overall interface utilization trends look the same, the top hosts were inconsistent. PLXRSW1 (NetFlow) is the Enterasys Switch:

Enterasys Switch
PLXRSW3 (sFlow) is the Extreme Summit Switch:
Extreme Switch
After comparing the first two switches reporting on the same traffic and seeing inconsistent top 10 host results, Plixer decided to review sFlow from a 3rd switch (i.e. the backup plan) looking at the same traffic. The 3rd switch made by Alcatel PLXRSW2 was sampling at a much lower rate but, the top ten hosts were consistent with the Extreme sFlow switch. PLXRSW2 (sFlow) is the Alcatel Switch:
Alcatel Switch
Related stories: NetFlow or sFlow: which is the open standard? Cisco’s NetFlow vs. Inmon’s sFlow: Which will prevail? Cisco toe stepper HP ProCurve deftly hoofs over Cisco NetFlow


Did YOU find this blog informative?

Contact Brad Reese
http://www.BradReese.Com

  
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

IT Salary Survey: The results are in