Over six months ago we completed a technical review on the differences between sFlow and NetFlow, which was published in NetworkWorld.com. In this review you will find specific reasons why and when to use one or the other.

Because Scrutinizer supports all major versions of sFlow and NetFlow, we don’t need to pick sides on which one is better.  I will say that we periodically get calls from customers wondering why the sFlow statistics from a switch aren’t the same as those reported by NetFlow on the directly connected router.  They are comparing the totals for a specific IP address.

The reason is simple:

• sFlow samples anything and is network layer independent (e.g. IPX, NetBEUI, IP, etc.)
• NetFlow accounts for 100% of everything IP based (i.e. not IPX, NetBEUI, etc.)

I would consider this:

• If your network supports a heterogenious multiprotocol environment, you might want to consider sFlow switches.
• If your network supports only IP based traffic, a sFlow or NetFlow switch will do.
• If you want 100% accuracy on network traffic and accountability, I would select a NetFlow capable switch.  Only Enterasys and Cisco market a NetFlow capable switch.

Questions you may have:
Q: Why don’t more switch vendors support NetFlow at the switch?
A: Usually because of the cost to engineer and implement a NetFlow capable switch.

Q: I heard that sFlow is in hardware, and that NetFlow is in software and causes more overhead for the switch.  Is this true?
A: Yes and no,  Cisco routers use software and CPU to export NetFlow.  Many switches support NetFlow in hardware.

“The Enterasys Matrix N-Series switches collect NetFlow statistics for every packet in every flow without sacrificing performance based on the nTERA ASIC capabilities. Whether the network is operating at 10/100/1000, Gigabit or 10 Gigabit speeds – the NetFlow data can be leveraged for performance management and network behavioral analysis to ensure the confidentiality, integrity and availability of information.”

Trent Waterhouse, Enterasys Networks, Inc.

Q: How much does it cost for a ‘flow’ capable switch?
A: I’ve seen the following street prices: D-Link DGS-3627 sFlow switches as low as $2600 and Enterasys N1 series NetFlow switches for  ~$15,000.  I would not limit the decision to ‘flow’ support.  Foundry, Juniper, etc. make great flow capable hardware as well. Always evaluate before you buy.

Q: We leverage NetFlow for Network Behavior Analysis (NBA), will sFlow be as useful as NetFlow?
A: Remember, sFlow is sampling, so a host that scans a subnet is not as likely to be picked up by analyzing sFlow samples as it is with NetFlow; and it may not matter.  Most switches today are performing NBA at the switch, which we cover in our white paper.

Bottom Line
NetFlow or sFlow support should be on the list of features to consider, along with SNMP and NMS integration, when purchasing your next switch. We feel that a best of breed solution is the ideal investment for your company.  If you have other questions, just call me (207)324-8805.

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter Tags: NetFlow Vs. sFlow, Network Behavior Analysis, sFlow Analyzer

This entry was posted on Wednesday, January 21st, 2009 at 1:53 pm and is filed under General, Scrutinizer. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.