nanog mailing list archives
RE: Real world sflow vs netflow?
From: James Braunegg <james.braunegg () micron21 com>
Date: Mon, 16 Jul 2012 22:54:09 +0000
Dear David
From a visibility point of view, we obtain as much information as we require to know exactly what's occurring on our network where and when in real-time.
We know what's happening, on any interface on any network at any time. That being said, for us the most important visibility is all about the flow of traffic and packet counts... the security side should be done at the firewall level!

If anyone wants a demo of our sFlow setup, happy to show you via a team viewer session or something!

By the way, we are using sFlow now.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg () micron21 com | ABN: 12 109 977 666

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

-----Original Message-----
From: David Hubbard [mailto:dhubbard () dino hostasaurus com]
Sent: Tuesday, July 17, 2012 8:26 AM
To: nanog () nanog org
Subject: RE: Real world sflow vs netflow?

From: James Braunegg [mailto:james.braunegg () micron21 com]

Dear All

Around a year ago I had the same debate: sflow vs netflow vs snmp port counters. Read lots of stories, lots of myths, lots of good information.

My Conclusion

In the end I did real life testing comparing each platform.

We routed live traffic (about 250mbits) from our Cisco 7200 G2 routers through Brocade MLXe routers and exported netflow from the Cisco platform and sFlow from the Brocade platform.

Each router sent netflow/sflow traffic to two collectors on independent hardware (same specifications) running the same collection netflow analyzer software.

The end result was, after hours of testing, or even days and weeks of testing, there was no significant difference between the traffic volumes netflow was showing vs sflow, i.e. less than 0.5% variance between each environment.

That being said, netflow and sflow both under-read by about 3% when compared to snmp port counters, which we put to the conclusion was broadcast traffic etc. which the routers didn't see / flow.

Regardless, if you're going to bill from netflow or sflow, in our test environment we saw no significant difference between either platform.

What are your thoughts on the non-billing aspects after your comparison testing; if you are/were using it for those purposes? We don't use our current netflow for billing, just for security investigation and (ideally) early alerting of abnormal activity like port scans, compromised apps on servers, etc.

Thanks,

David