A question we hear frequently is, “Do we have to enable all interfaces on the switch to export sFlow?  My switch has hundreds of interfaces!”

The short answer is yes, if you want to get the most accurate representation of the traffic flowing through the switch.

sFlow is an ingress protocol, meaning the flow packets are received on an ingress interface.  For example, if you configure sFlow on interfaces 1 and 2 of 5 interfaces, then in your NetFlow and sFlow analyzer you will see all inbound traffic for those 2 interfaces, but the outbound traffic may be missing information.

In Scrutinizer, as with most NetFlow collectors, we calculate the outbound traffic for an interface based on the source interface from the ingress flow packet.  So any traffic with destination interface 1 or 2, originating from interfaces 3, 4 or 5, will be omitted if only interfaces 1 and 2 are configured to export sFlow.

Excerpts from Juniper Networks “MONITORING NETWORK TRAFFIC USING sFLOW TECHNOLOGY ON EX SERIES ETHERNET SWITCHES” Application Note explains that sFlow exports consist of two main components: Packet Flow Sampling and Counter Sampling

Packet Flow Sampling
refers to arbitrarily choosing some packets out of a specified number.

Counter Sampling performs periodic, time-based sampling or polling of counters associated with an interface enabled for sFlow.

So not only will you be missing traffic coming through interfaces 3-5 destined for interfaces 1 or 2, but you will also be missing the counter information from interfaces 3-5.  This will also distort your sFlow analyzer reporting.

Therefore, as with NetFlow v5, it is our recommendation that you configure all active interfaces to export sFlow to your sFlow collector to get the most accurate sFlow reporting.

sFlow Dilemma
Which brings us to the dilemma of enabling sFlow export on hundreds of interfaces on your switch and the overhead it will add to your switch processing.  sFlow is a sampling technology. So it is less resource intensive on your switch and the additional overhead is minimal.

And if displaying hundreds of interfaces in your sFlow reporting tool that you aren’t interested in is the issue, Scrutinizer NetFlow and sFlow Analyzer allows you to ‘hide’ selected interfaces.

Let us help
For more information on Scrutinizer NetFlow and sFlow Analyzer, or configuring sFlow on your switches, call  us at 207-324-8805.

Joanne Ghidoni author pic

Joanne Ghidoni

Joanne is a Software Quality Assurance Engineer at Plixer. She has also held positions as Technical Support Engineer and Sales Engineer since joining Plixer in 2005. Prior to joining Plixer, Joanne has had numerous positions in the IT field, including data entry, computer operator, PC coordinator and support, mainframe programmer, and also Technical Support and web programmer at Cabletron Systems. In her spare time, Joanne enjoys traveling, always seeking out new and interesting places to visit.

Related

Leave a Reply