Earlier this year, we had a customer call in asking why their sFlow trends showed under utilization compared to the SNMP trends on the same interfaces. I’ve run into this question what seems like countless times before.  Unlike NetFlow, configuring sFlow exports at a basic level requires that two things be exported:

Samples and Counters
When setting up a switch to export sFlow, make sure you export:

  •  The packet samples (E.g. one in every 200 packets) on each interface
  •  The interface counters which is what many admins forget to configure

The sFlow collector needs the packet samples because most collectors strip out what looks like NetFlow and save it to the database.  However, without the interface counters, the sFlow reporting will understate the total throughput on the interface.  We see this too often.

Our sFlow analyzer uses the counters to trend the total in/out utilization and then subtracts the top ten hosts/protocols/applications, etc. from the trend (then added back in color) so that the total throughput is accurate.  See the below screen capture.

The gray traffic in the trend above is made up of the counter traffic. The colors are the sampled traffic where were subtracted out of the Other traffic then added back in color.  Also notice above the “Show Other” option at the top. Look at what happens when it is unchecked:

The “Show Other” option is helpful especially when all you see is gray.  How do you reduce the amount of other traffic?  You could sample more, but often this defeats the purpose. Remember, sFlow is not meant to be NetFlow. Take a look at this article on the differences between sFlow and NetFlow.

Below is a screen capture of a throughput graph from our tool compared to the inMon sFlow analysis product. Notice the two trends are similar.

The counters, the counters, the counters
When configuring your sFlow exports make sure you include the interface counters and the reports with be accurate.  You can always call us if you need help. You will find how to configure sflow on our web site as well.

The ability to export the total counters was a smart move on the sFlow developers part. Hopefully the folks at Nortel that develop the 5500 IPFIX flow sampling exports see this post and decide to implement this as well.  From what I understand, sampled NetFlow doesn’t send total counters yet either.  Cheers to folks behind sFlow for doing something very smart!

Mike Patterson author pic

Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

Related

Leave a Reply