About sFlow

Description

sFlow is a telemetry protocol that allows for the collection of IP statistics and counters on interfaces where it is enabled. sFlow is implemented on most switching platforms and uses packet sampling to select which IP communications to export to a specified collector. sFlow copies the entire packet header, so there is enhanced visibility into other layers.

Versions Supported

  • v5

Version Differences of Note

Netography chose to support only v5 of sFlow. The spec is over 15 years old now, and we're not seeing any other version.

Flow Sampling (NetFlow) vs. Packet Sampling (sFlow)

Neither solution is superior; each has its advantages and disadvantages. With flow sampling, the device picks a 5-tuple depending on the sampling algorithm, tracks relevant statistics for the duration of that flow, and then exports them at the appropriate time. With packet sampling, the exporter simply picks every Nth packet and reports the details of that packet.

sFlow Advantages

  • Full packet header
  • Up to 128 bytes of payload
  • Real time
  • Easy on resources
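
As an added illustration (not Netography code), the Python below parses an sFlow v5 datagram, pulls the sampling rate and copied packet header out of each flow sample, and scales the samples back up to an estimated byte count. Field offsets follow the sFlow v5 datagram layout; the function names and the sample datagram are constructed for this example, and only the compact flow sample and raw packet header record are handled.

```python
import struct

def parse_sflow_v5(dgram: bytes):
    """Return (sampling_rate, frame_length, header_bytes) per raw-header flow record."""
    if len(dgram) < 8:
        raise ValueError("truncated datagram")
    version, addr_type = struct.unpack_from("!II", dgram, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    if addr_type not in (1, 2):
        raise ValueError("unknown agent address type")
    off = 8 + (4 if addr_type == 1 else 16)       # agent address: IPv4 or IPv6
    _sub, _seq, _uptime, n_samples = struct.unpack_from("!4I", dgram, off)
    off += 16
    out = []
    for _ in range(n_samples):
        fmt, length = struct.unpack_from("!II", dgram, off)
        body, off = off + 8, off + 8 + length
        if off > len(dgram):
            raise ValueError("sample length exceeds datagram")
        if fmt != 1:                              # 1 = flow sample; counter samples are skipped
            continue
        _s, _src, rate, _pool, _drops, _in, _out, n_rec = struct.unpack_from("!8I", dgram, body)
        rec = body + 32
        for _ in range(n_rec):
            rfmt, rlen = struct.unpack_from("!II", dgram, rec)
            if rfmt == 1:                         # raw packet header record
                _proto, frame_len, _strip, hlen = struct.unpack_from("!4I", dgram, rec + 8)
                out.append((rate, frame_len, dgram[rec + 24:rec + 24 + hlen]))
            rec += 8 + rlen
    return out

def estimated_bytes(records):
    # Each sampled packet stands in for `rate` packets of the same frame length.
    return sum(rate * frame_len for rate, frame_len, _ in records)

def build_sample_datagram(rate=100, frame_len=1500, header=b"\xaa" * 14 + b"\x45\x00"):
    # Constructed input, not captured traffic: one counter sample, then one flow sample.
    padded = header + b"\x00" * (-len(header) % 4)
    record = struct.pack("!4I", 1, frame_len, 4, len(header)) + padded
    flow = struct.pack("!8I", 1, 3, rate, rate, 0, 3, 4, 1)
    flow += struct.pack("!II", 1, len(record)) + record
    counter = struct.pack("!II", 2, 4) + b"\x00" * 4
    hdr = struct.pack("!II4s4I", 5, 1, bytes([192, 0, 2, 1]), 0, 1, 1000, 2)
    return hdr + counter + struct.pack("!II", 1, len(flow)) + flow

if __name__ == "__main__":
    recs = parse_sflow_v5(build_sample_datagram())
    print(recs[0][0], recs[0][1], estimated_bytes(recs))
```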

Netography Use Case Recommendation

The real-time nature of sFlow makes it better for use cases like DDoS detection, where you don't want to have to wait for NetFlow's active timeout before you start seeing data associated with an attack. Additionally, if your interest lies beyond the 5-tuple and associated interface information, sFlow is probably a better fit, as you can look at things like full L2-and-up headers and up to 128 bytes of payload. These days, the payload snippet tends to be unusable due to encryption, even if people are willing to track it. Additionally, the ever-increasing role of governance and compliance (PCI & HIPAA) has made payload tracking a non-starter, as it can dramatically increase the scope and cost of compliance.

Netography Configuration Recommendation

  • Only sample input/ingress on chosen interfaces
  • Follow sample rate table below based on traffic
  • Netography does not currently ingest counter records 

Sample Rate Guide

Bandwidth (N)            Sample Rate
N < 1 Gbps               10
1 Gbps < N < 10 Gbps     100
10 Gbps < N < 25 Gbps    1000
N > 25 Gbps              8000

Juniper EX Sample Configuration

> edit
# set protocols sflow polling-interval 20
# set protocols sflow sample-rate ingress 100
# set protocols sflow collector <collector IP Address> udp-port 2055
# set protocols sflow interfaces ge-0/0/0.0 sample-rate ingress 1000
# set protocols sflow interfaces ge-0/0/1.0 sample-rate ingress 1000
# commit
