A question we hear frequently is, “Do we have to enable all interfaces on the switch to export sFlow? My switch has hundreds of interfaces!”
The short answer is yes, if you want to get the most accurate representation of the traffic flowing through the switch.
sFlow is an ingress protocol, meaning flows are sampled from packets as they are received on an ingress interface. For example, if you configure sFlow on interfaces 1 and 2 of a switch with 5 interfaces, then in your NetFlow and sFlow analyzer you will see all inbound traffic for those 2 interfaces, but the outbound traffic may be missing information.
In Scrutinizer, as with most NetFlow collectors, we calculate the outbound traffic for an interface based on the source interface from the ingress flow packet. So any traffic with destination interface 1 or 2, originating from interfaces 3, 4 or 5, will be omitted if only interfaces 1 and 2 are configured to export sFlow.
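The effect described above, modeled in Python as an added example (it is not Scrutinizer's code). The traffic table and function names are constructed for illustration, and sampling rates are ignored so the byte totals are exact.

```python
from collections import defaultdict

# Constructed traffic on a 5-port switch: (ingress_if, egress_if, bytes).
# These are true totals, not real sFlow datagrams.
TRAFFIC = [
    (1, 2, 1000),
    (2, 1, 400),
    (3, 1, 2500),
    (4, 2, 700),
    (5, 1, 300),
    (1, 4, 600),
    (3, 5, 900),
]

def collector_view(traffic, sflow_enabled):
    """Per-interface byte totals as a collector derives them from ingress export.

    A record is exported only when its ingress interface has sFlow enabled.
    Outbound for an interface is the sum of exported records whose egress
    interface is that interface.
    """
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for in_if, out_if, nbytes in traffic:
        if in_if not in sflow_enabled:
            continue  # no record is ever generated for this traffic
        inbound[in_if] += nbytes
        outbound[out_if] += nbytes
    return dict(inbound), dict(outbound)

def outbound_gap(traffic, sflow_enabled, watched):
    """Outbound bytes the collector never sees on each watched interface."""
    all_ifs = {i for rec in traffic for i in rec[:2]}
    _, full = collector_view(traffic, all_ifs)
    _, partial = collector_view(traffic, sflow_enabled)
    return {i: full.get(i, 0) - partial.get(i, 0) for i in sorted(watched)}

if __name__ == "__main__":
    # sFlow on interfaces 1 and 2 only, as in the example in the text.
    print(collector_view(TRAFFIC, {1, 2}))
    print(outbound_gap(TRAFFIC, {1, 2}, {1, 2}))
```

With sFlow on interfaces 1 and 2 only, inbound totals for those two interfaces are complete, but every byte that entered on interfaces 3, 4 or 5 is absent from their outbound totals.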
The Juniper Networks application note “MONITORING NETWORK TRAFFIC USING sFLOW TECHNOLOGY ON EX SERIES ETHERNET SWITCHES” explains that sFlow exports consist of two main components: Packet Flow Sampling and Counter Sampling.
Packet Flow Sampling refers to arbitrarily choosing some packets out of a specified number.
Counter Sampling performs periodic, time-based sampling or polling of counters associated with an interface enabled for sFlow.
So not only will you be missing traffic coming through interfaces 3-5 destined for interfaces 1 or 2, but you will also be missing the counter information from interfaces 3-5. This will also distort your sFlow analyzer reporting.
Therefore, as with NetFlow v5, it is our recommendation that you configure all active interfaces to export sFlow to your sFlow collector to get the most accurate sFlow reporting.
This brings us to the dilemma of enabling sFlow export on hundreds of interfaces on your switch and the overhead it will add to your switch processing. Because sFlow is a sampling technology, it is less resource intensive on your switch, and the additional overhead is minimal.
And if displaying hundreds of interfaces in your sFlow reporting tool that you aren’t interested in is the issue, Scrutinizer NetFlow and sFlow Analyzer allows you to ‘hide’ selected interfaces.
Let us help
For more information on Scrutinizer NetFlow and sFlow Analyzer, or configuring sFlow on your switches, call us at 207-324-8805.