As networks get more complex, and higher-speed interconnects are required, in-depth information about the switches serving these networks becomes crucial to maintain quality-of-service, perform billing, and manage traffic in a shared environment.

Some of you reading this blog post may already be familiar with “sFlow,” an industry-standard technology for monitoring high-speed switched networks and obtaining insights about the data traversing them. This blog post will focus on the importance of sFlow and the similar technology, “NetFlow,” in large – and getting larger – data centers.

Comparing sFlow and NetFlow

sFlow and NetFlow are technologies that, by sampling traffic flows between ports on a switch or interfaces on a router, can provide data about network activity, such as uplink load, total bandwidth used, historical graphs, and so on. To take this data and put it into a form that’s easily digestible, there is NfSen, a web-based front-end for these tools.

While sFlow and NetFlow may – at least on the surface – sound the same, they have underlying protocol differences that may be relevant, depending on your use case. sFlow is, as previously stated, an industry-standard technology. This dramatically increases the chances the sFlow agent (the piece of software in your switch or router) can talk to the sFlow collector (a piece of software responsible for collecting and analysing this data, hence the name).

By contrast, NetFlow began life as a Cisco-proprietary protocol, used between their switches, routers, and collectors. It has now spread beyond Cisco, with NetFlow v5 and NetFlow v9 becoming standards supported by multiple vendors. Your non-Cisco devices may be compatible with NetFlow, but this is worth checking. Additionally, NetFlow is primarily limited to capturing IP traffic, while sFlow can monitor layer 2 (link layer) traffic as well. Layer 2 traffic includes ARP broadcasts and direct, MAC-to-MAC traffic on the same VLAN, which would not traverse the IP routing stack on the device configured for NetFlow. (This is a bit of an oversimplification – NetFlow can monitor some non-IP traffic like MPLS, but this depends on individual vendor implementation and hardware support.)

sFlow’s broader range of monitoring capabilities makes it a good choice when a hard limit on bandwidth or usage is required, such as in a shared hosting environment. If only NetFlow were used, rare corner cases (such as protocols other than IP) would not be caught or analyzed.

NetFlow does have its advantages. One of the most important is the fact that every packet at a particular network location can be sampled. This allows a network administrator to monitor the packets in depth, from the point of view of individual switch ports or VLANs. NetFlow can be used for forensics, as it can capture every single flow, complete with volume information, and aggregate that information before it goes to the collector.

In practice, to achieve high speed, NetFlow will still use sampling. It’s impractical to monitor all packets on every port of a network, as the overhead of doing so would be immense. On a single 10Gb port the rate of packets could be over 800,000 packets per second. Even modern hardware cannot effectively track every packet and every flow at this rate.

sFlow takes a different sampling approach. Where NetFlow can capture 100 percent of traffic at a few selected locations, sFlow randomly samples 1 packet out of every n packets.

This means that sFlow isn’t capable of collecting all packets in a given data stream. In this approach, general trends about network data, like usage graphs, can be observed; but fine-level data can’t be obtained in this manner. On the plus side, this randomized sampling allows for much faster data collection and analysis.

Colocation Concerns

As data centers and cloud providers merge, it’s increasingly common that multiple tenants will share rack space with each other. This is doubly true in cloud VPS environments, where many tenants may share 1U of rack space in the form of virtual servers.

Using a tool like sFlow or NetFlow, the provider can bill these tenants for the bandwidth and/or speed used. These tools can also be used to detect suspicious activity and to provide graphs and statistics of usage over time. These are essential for bandwidth management and appropriate resource allocation.
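The following example, added here and not part of the original post, puts the two sampling models described above (NetFlow-style full-flow accounting versus sFlow-style random 1-in-n sampling) side by side and then applies the result to the per-tenant billing and cap-enforcement use case from this section. The tenant names, VLAN numbers, addresses, traffic volumes and the 50 MB cap are all constructed for the demonstration; the scaling rule (each sample stands for `sampling_rate` frames) is the standard way a collector turns sFlow samples into a usage estimate.

```python
import random
from collections import defaultdict

# Constructed traffic profile (hypothetical tenants and addresses):
# (tenant, vlan, src, dst, proto, packet_count, mean_frame_bytes)
TRAFFIC_PROFILE = [
    ("tenant-a", 10, "10.0.10.5", "203.0.113.9", "tcp", 60000, 1200),
    ("tenant-b", 20, "10.0.20.7", "203.0.113.9", "udp", 30000, 300),
    ("tenant-c", 30, "10.0.30.2", "10.0.30.3", "arp", 500, 60),   # layer-2 only
]
IP_PROTOS = {"tcp", "udp"}


def generate_packets(seed=1):
    """Build a shuffled packet list from TRAFFIC_PROFILE.
    Each packet is (tenant, vlan, src, dst, proto, frame_bytes)."""
    rng = random.Random(seed)
    packets = []
    for tenant, vlan, src, dst, proto, count, mean in TRAFFIC_PROFILE:
        for _ in range(count):
            size = int(rng.gauss(mean, mean * 0.1))
            size = max(60, min(1514, size))          # clamp to Ethernet frame sizes
            packets.append((tenant, vlan, src, dst, proto, size))
    rng.shuffle(packets)
    return packets


def netflow_style_flows(packets):
    """NetFlow-style accounting: every IP packet is folded into a flow record
    keyed by (src, dst, proto) and aggregated on the device before export.
    Non-IP frames (ARP here) never enter the IP path, so no record exists."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _, _, src, dst, proto, size in packets:
        if proto not in IP_PROTOS:
            continue
        rec = flows[(src, dst, proto)]
        rec["packets"] += 1
        rec["bytes"] += size
    return dict(flows)


def sflow_style_samples(packets, sampling_rate=16, seed=2):
    """sFlow-style collection: every frame, IP or not, is sampled independently
    with probability 1/sampling_rate (a Bernoulli approximation of the agent's
    random 1-in-N skip counter). Returns (sampling_rate, sampled packets)."""
    rng = random.Random(seed)
    samples = [p for p in packets if rng.random() < 1.0 / sampling_rate]
    return sampling_rate, samples


def estimate_bytes_per_tenant(sampling_rate, samples):
    """Collector-side estimate: each sample represents sampling_rate frames,
    so its byte count is scaled up by the sampling rate."""
    est = defaultdict(int)
    for tenant, _, _, _, _, size in samples:
        est[tenant] += size * sampling_rate
    return dict(est)


def exact_bytes_per_tenant(packets):
    """Ground truth for comparison: bytes per tenant over the full stream."""
    exact = defaultdict(int)
    for tenant, _, _, _, _, size in packets:
        exact[tenant] += size
    return dict(exact)


def over_cap(usage_bytes, cap_bytes):
    """Billing/enforcement check: tenants whose (estimated) usage exceeds the cap."""
    return sorted(t for t, b in usage_bytes.items() if b > cap_bytes)


if __name__ == "__main__":
    pkts = generate_packets()
    flows = netflow_style_flows(pkts)
    rate, samples = sflow_style_samples(pkts)
    est = estimate_bytes_per_tenant(rate, samples)
    exact = exact_bytes_per_tenant(pkts)
    print("NetFlow-style flow records:", flows)
    print("sFlow samples kept: %d of %d frames" % (len(samples), len(pkts)))
    for t in sorted(exact):
        err = abs(est.get(t, 0) - exact[t]) / exact[t]
        print("%s exact=%d est=%d err=%.1f%%" % (t, exact[t], est.get(t, 0), 100 * err))
    print("Over a 50 MB cap:", over_cap(est, 50_000_000))
```

Running it shows the trade-off in numbers: the NetFlow-style records carry exact packet and byte counts per IP flow but contain nothing for the ARP-only tenant, while the sFlow-style estimate covers all three tenants, lands within a few percent of the truth for the high-volume tenant, and is noticeably noisier for the tenant that sent only 500 frames. Both views agree on which tenant exceeds the cap; for small tenants or short bursts, the sampled estimate should be treated as a trend, not an audit-grade figure.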

Tools like this may be familiar to those responsible for regulating power usage in a data center, especially in colocation, where a tenant is provided a certain amount of power usage. These technologies are much like that, except in the domain of network packets rather than electrical power. As mentioned previously, NetFlow and sFlow can integrate with a web-based front-end called NfSen, allowing individual tenants a deep dive into their own network traffic. This is independent of any monitoring systems provided by the data center host (if the tenant owns or rents physical rack space), or the cloud provider (if the tenant is renting compute time in a virtualized arrangement).

Because sFlow is a widely adopted standard, extensions to both it and its front-ends are available, providing logging, alerting, and more.

Stop Missing Out

Network monitoring is at the core of network security, billing, and other forms of network management. sFlow and NetFlow are important network monitoring tools. If they’re not already in use in your organization, you’re missing out; both of these tools can have a real-world impact on your network operations, and it’s worth the time to learn how to use them today.

Looking to achieve end-to-end actionable insight from the host to the switch? Learn more about Cumulus NetQ product and stay tuned for more news about NetQ in April 2019.