nanog mailing list archives

RE: Real world sflow vs netflow?


From: James Braunegg <james.braunegg () micron21 com>
Date: Mon, 16 Jul 2012 22:54:09 +0000

Dear David

From a visibility point of view, we obtain as much information as we require to know exactly what's occurring on our 
network where and when in real-time.

We know what's happening on any interface, on any network, at any time. That being said, for us the most important 
visibility is all about the flow of traffic and packet counts... the security side should be done at the firewall 
level!

If anyone wants a demo of our sFlow setup, happy to show you via a TeamViewer session or something!

By the way we are using sFlow now

Kindest Regards


James Braunegg
W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg () micron21 com  |  ABN:  12 109 977 666   





-----Original Message-----
From: David Hubbard [mailto:dhubbard () dino hostasaurus com] 
Sent: Tuesday, July 17, 2012 8:26 AM
To: nanog () nanog org
Subject: RE: Real world sflow vs netflow?

From: James Braunegg [mailto:james.braunegg () micron21 com] 

Dear All

Around a year ago I had the same debate: sflow vs netflow vs snmp port 
counters. Read lots of stories, lots of myths, lots of good information.  
My Conclusion

In the end I did real life testing comparing each platform

We routed live traffic (about 250mbits) from our Cisco 7200
G2 routers through Brocade MLXe routers and exported netflow from the 
Cisco platform and sFlow from the Brocade platform.

Each router sent netflow/sflow traffic to two collectors on 
independent hardware (same specifications) running the same collection 
netflow analyzer software.

The end result was, after hours of testing, or even days and weeks of 
testing, there was no significant difference between the traffic volumes 
netflow was showing vs sflow, i.e. less than 0.5% variance between each 
environment.

That being said, both netflow and sflow under-read by about 3% 
when compared to snmp port counters, which we put down to 
broadcast traffic etc. which the routers didn't see / flow.

Regardless, if you're going to bill from netflow or sflow, in our test 
environment we saw no significant difference between either platform.

What are your thoughts on the non-billing aspects after your comparison testing; if you are/were using it for those 
purposes?
We don't use our current netflow for billing, just for security investigation and (ideally) early alerting of abnormal 
activity like port scans, compromised apps on servers, etc.

Thanks,

David


