If you are a vendor considering whether to implement sFlow Vs IPFIX (IP Flow Information eXport), this post will help you understand the differences and benefits of the technologies.  Both technologies were developed to gather statistical details from the routers, switches, firewalls and servers they reside on.

Standards

IPFIX is the proposed IETF standard for flow technologies, whereas sFlow is a proprietary technology owned by InMon. Although InMon references sFlow as a standard or RFC, no standard exists for sFlow.

Because IPFIX is becoming the industry standard, it benefits from the collective engineering efforts of thousands of individuals in the Internet community.  Dozens of companies including Cisco provide the innovation for IPFIX. Although several companies have implemented sFlow, the innovation generally comes from one company: InMon.  The most recent version of sFlow (i.e. v5) was published in 2004.

SFlow Uses

  1. It exports counters as well as other details using a push technology rather than a poll technology like SNMP.  Examples include, interface counters and CPU utilization.
  2. It exports random or predetermined packet samples – not actual flows as its name would imply.

IPFIX Uses

It is used to export details on the traffic flowing through the appliance; it can also be used to export systems details.  Not only has IPFIX become the standard for NetFlow, it is also evolving as a possible replacement for syslog technology.  It can even be leveraged to export SNMP counters (i.e. like sFlow) in real time.

Cost to Implement IPFIX Vs sFlow

IPFIX is free to anyone in the world who wants to implement it.  It can be implemented in hardware or software. sFlow is primarily a hardware technology, and the only vendor manufacturing chips for it is InMon.

Packet Sampling

Both sFlow and IPFIX can be used to export sampled packets.  IPFIX can be used, as demonstrated by Cisco with the Catalyst 4948E, to sample packets at line rate (i.e. 100% of the packets) in real time.  The sFlow technology can only sample 1 out of every X packets. The fastest sampling was seen on the Foundry sFlow capable switch, which sampled 1 out of every 2 packets (i.e. every other packet). Neither technology is limited to IP as both IPFIX and sFlow can be utilized to sample legacy network layer protocols such as IPX, Appletalk, etc.

sFlow or IPFIX

Packet Sampling Vs. Flows

What is a flow? “A flow is a sequence of packets from a sending application to a receiving application (Source IETF).” IPFIX is a true flow technology.  On the other hand, sFlow is not a flow technology at all.

When comparing packet sampling with Flow technologies in real time environments, administrators will notice immediately that the top 10 hosts or applications will differ considerably.  In real time trouble shoots, where only the last 5 or so minutes are being observed, packet sampling maybe only be about 50% accurate.  Packet sampling will more accurately represent the top N applications or hosts as time goes on.  For some reports (e.g. top hosts), at least an hour should pass before a packet sample trends can be considered for a fairly accurate baseline (see the 2008 study on sFlow Vs. NetFlow).  For this reason, sFlow is often not a reliable real time trouble shooting technology.

Flow Sampling Vs. Packet Sampling

There is a book written by Benoit Claise and Ralf Wolter which outlines the different ways flow sampling can be performed, as well as the corresponding accuracy when representing all traffic.  In short, packet sampling by itself is fairly representative of what is passing through the device.  A multiplier used on samples often leads to misleading representation.  For example, a multiplier of 1000 on a packet that was only seen 3 times, will grossly overstate frequency.  Flow sampling on the other hand, can give all flows, regardless of packet volume, an equal chance of being sampled.  Sampling of the flows can be random or deterministic, but in either case, use of a multiplier can have the same negative impact as it does on sFlow.

How to avoid Flow Sampling

One of my coworkers posted an excellent article on how to avoid NetFlow sampling.  In short, all you have to do is modify the matching tuple to dramatically reduce the amount of flows being exported, yet still maintain 100% accuracy; the compromise is on the details.  Below is what many consider a traditional flow matching tuple:

  • Source interface
  • Source port
  • Source IP address
  • Destination port
  • Destination IP address
  • Protocol
  • ToS / DSCP

If you simply remove the source port and the destination port from the match, you could witness a 95% reduction in flow volume.  If on the other hand you can’t compromise on application details, enable NBAR or the equivalent and get more accurate application details without the random port issues. Flow volume will, of course, go back up a bit with NBAR included in the export, but it won’t increase like it would when including the source and destination ports.

Real Time

Both IPFIX and sFlow are intended to support real time exports and samples of data, including packets.  In fact, NetFlow also supports it. However, being real time is not always advantageous.  One of the benefits of having a router that maintains a flow cache, is that a single exported flow can represent tens of thousands of packets. A single IPFIX datagram can represent a few dozen flows.  Keep in mind that both packet sampling and flow exports can add excessive overhead to the hardware, however, packet sampling scales poorly in comparison to true flow technologies.  With sFlow, your only option is to sample less which means a longer time to wait before your reports render accurate results.  Regardless of your preference, IPFIX supports both flow and packet sampling technologies and sFlow does not.

The future is IPFIX

The bottom line: IPFIX has all of the benefits of both sFlow and NetFlow, it is own by the Internet community and it scales dramatically depending on the vendor implementation (I.e. can the tuple be modified).  If you are looking for information on vendors supporting IPFIX or sFlow, we maintain a page with all of these details.  If you’re wondering about the future of sFlow (i.e. sFlow v6), in all likelihood it is probably going to be IPFIX.

 

James Dougherty

James Dougherty

I have worn many hats in my professional life. Support engineer, developer, network admin and manager are all points on my resume, but the one common thread with all of these jobs is that I enjoy working with people; that is what I do here at Plixer. I make sure that everyone understands our product and can get the most out of it. It's just simple 'no bull' support!

Let me know if you have any questions, I would be happy to help.

- Jimmy D

Related

4 comments on “sFlow Vs IPFIX

  1. Jimmy,

    Since this article is advice aimed at switch vendors, I would like to offer a correction. You stated that sFlow requires a hardware chip from InMon, this is not correct. InMon does not make chips. The sFlow instrumentation has been implemented by merchant silicon vendors (Broadcom, Intel, Marvell) and is included in their switch ASICs.

    http://blog.sflow.com/2013/04/merchant-silicon-competition.html

    If you are a switch vendor using merchant silicon, then it is very likely that you already have built-in sFlow support. Enabling sFlow is simply a matter of porting the open source sFlow agent software to your platform – the software can be found on sFlow.org. Also check with your merchant silicon vendor, they may have done the work for you.

    Peter

  2. What hardware works with your software/application?

    I have Cisco ASA switch, and Cat 3750G user switches – will these work?

    Thanks,
    Cliff

  3. Hi Cliff,

    Yes, Scrutinizer supports the Cisco ASA. I’m not familiar with the Cat 3750’G’ but, I’m confident it will work with Scrutinizer.

    Hi Peter,

    Funny, you caught Jimmy in the same correction we have made on you several times. Yes, sFlow can be supported in software just as NetFlow/IPFIX is supported in hardware and is by several vendors.

    We are finding that some vendors are beginning to abandon sFlow in favor of the newly ratified IPFIX standard for all true flow technologies. (I.e. sFlow v6 = IPFIX).

Comments are closed.