Re: sFlow vs netFlow/IPFIX

[Nick Hilliard <nick () foobar org>]

Peter Phaal wrote:
> I think "pathologically broken" somewhat overstates the case.
> Bidirectional sampling is allowed by the sFlow spec and other vendors
> have made that choice. Another vendor used to implement egress only
> sampling (also allowed) but unusual. I agree that ingress is the most
> common and easiest to deal with, but a decent sFlow analyzer should be
> able to handle all three cases without over / under counting.

Bidirectional sampling doesn't allow you to define an sampling perimeter
on your switch topology.  This means that if you if you have anything
other than a trivial topology, you will end up double-counting your
traffic.  The only way to work around this is to get the collector to
discard 50% of the samples or otherwise write down the amount of traffic
by 50%, assuming a standard accounting perimeter configuration.  This is
broken.

The thing is, this is ridiculously easy to fix in code.  The hooks are
already there.

Nick