Netflow – Netflow vs Sampled Netflow

cisco-nexuscisco-nexus-5kmirrormonitoringnetflow

I'm working on a project where I could need Nexus 5600. These switches support sampled netflow and not netflow. I would like to use netflow to do stats and to analyze trafic at some specific times.

Is sampled netflow good for watching trafic at a time where I underwent a problem?
I mean, as it exports just a rate of packets, I won't have a good view of the amount of trafic that passed really?

I'm hesistating between sampled netflow and SPAN with a netflow 3000 appliance. It could be a good solution too but the switch can just handle 2 sessions?

What do you recommend?

Best Answer

For traffic analysis sampled netflow is often used, because 1:1 sampling (or non-sampled) netflow can be quite a burden on both the router sending the flow data and on the flow receiver. Most setups I've seen use a sampling rate varying from 1:100 upto 1:4000 (depending on the size of the network and the amount of traffic pushed), and they're perfectly able to do traffic anomaly analysis (DDoS detection) or even customer usage billing with that.

Related Solutions

Cisco – ASA Netflow support

Our ASAs (version 8.2(x)) send to a SolarWinds Orion collector using Netflow version 9. We didn't have to do anything special to get it to work. SolarWinds has a doc with a good explanation of the differences between "normal" and "ASA" Netflow here: http://www.solarwinds.com/documentation/Netflow/docs/understandingciscoasanetflow.pdf.

If it helps here is a sample configuration:

access-list flow_export_acl extended permit ip any any
flow-export destination inside collector_IP_address 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
class-map flow_export_class
 match access-list flow_export_acl
 description Netflow
 class flow_export_class
  flow-export event-type all destination collector_IP-address

The difference between netFlow and sFlow

NetFlow is a protocol for exporting aggregated IP flow totals. As such it is well suited to IP traffic accounting on Internet routers. With Netflow V9 (AKA IPFIX it can look into Layer 2 traffic as well)

sFlow is a general purpose network traffic measurement system technology. sFlow is designed to be embedded in any network device and to provide continuous statistics on any protocol (L2, L3, L4, and up to L7), so that all traffic throughout a network can be accurately characterized and monitored. These statistics are essential for congestion control, troubleshooting, security surveillance, network planning etc. They can also be used for IP accounting purposes.

Netflow mirrors all traffic, and places a load on the CPU when utilised.

SFlow is a packet sampling technology where the switch captures every 100th packet (configurable) per interface and sends it off to the collector. sFlow is built into the ASIC, and places minimal load on the CPU.

Netflow supported by Cisco, Juniper, Alcatel Lucent, Huawei, Enterasys, Nortel, VMWare

sFlow supported by Alaxala, Alcatel Lucent, Allied Telesis, Arista Networks, Brocade, Cisco, Dell, D-Link, Enterasys, Extreme, Fortinet, Hewlett-Packard, Hitachi, Huawei, IBM, Juniper, LG-Ericsson, Mellanox, MRV, NEC, Netgear, Proxim Wireless, Quanta Computer, Vyatta, ZTE and ZyXEL (see sFlow link)

Best Answer

Related Solutions

Cisco – ASA Netflow support

The difference between netFlow and sFlow

Related Topic