In any given network, switches, routers, and firewalls may support different flow protocols. After all, there’s NetFlow, sFlow, IPFIX, and J-Flow, to name a few.
With so many options, you may be wondering “Which flow protocol should I use?”
It’s a common question, and it has a relatively simple answer: While some devices support multiple protocols, a device typically only supports one type of flow protocol, so you should use the protocol your device and collector supports.
Two of the most common flow protocols you’ll run into are NetFlow and sFlow, and there are some differences between the two to keep in mind.
What is NetFlow?
We broke down the basics about NetFlow in an article covering its history, evolution, inner workings, and benefits. Here’s the Cliffs Notes version of the article.
Introduced in Cisco routers in 1995, NetFlow originally was designed as a software-based technique to summarize network flow data for packets routed over Cisco equipment.
As time passed, Cisco realized having network flow data was useful, and began implementing it in network hardware. Over time, NetFlow became the de facto industry standard that other vendors have imitated. For example, Juniper has J-Flow, Huawei has NetStream, and multiple vendors use sFlow (which we’ll discuss shortly).
Today, NetFlow is a Layer 3 protocol that, over time, processes all IP packets as they enter or exit an interface on a router or a firewall. NetFlow analyzes the traffic and generates metadata that network administrators can use to see how much traffic is being generated, by whom, and where that traffic is going.
Currently, there are multiple versions of NetFlow that can be configured on a device, with the most common being NetFlow v5 and v9. The main difference between the two versions is NetFlow v9 has “empty” fields, meaning the user can add custom information—like user name, country code, or proxy IP—to them. There’s also another popular version called IPFIX (also known as NetFlow v10), which has a strong base built on NetFlow v9.
What is sFlow?
sFlow—which is short for “standard flow”—originated as an industry standard for exporting packets from Layer 2 of the OSI model on switches.
While NetFlow processes all of the packets flowing through the interface on a router or firewall and the metadata is created on the device itself, switches supporting sFlow send a sampling packet of the traffic it’s receiving through its interfaces. With sFlow, the device that receives the sampling packet must generate all the metadata. It’s also important to mention that sampling rate is optional in NetFlow, but it’s mandatory in sFlow.
The sampling packet is—you likely guessed it—one sample of the total number of packets passing through the interface. To determine when a packet is selected, you use a sampling rate, which is expressed in the format 1:X. By setting a sampling rate, you’re telling your device to sample one out of every X number of packets that pass through the interface and send it to the collector.
Which sampling rate should you use on your devices?
While flow data from protocols like NetFlow and sFlow are typically a very light load—usually less than 0.5% of total bandwidth consumption—you can use sampling to lower CPU utilization (and bandwidth, to a lesser extent). The trade-off is you’ll lose a bit of granularity in your data.
For Auvik TrafficInsights™, which supports both NetFlow and sFlow, these are the sampling rates we like to use:
|Data volume (95th percentile)||Recommended sampling rate|
|< 25 Mb/s||1 in 1|
|< 100 Mb/s||1 in 128|
|< 400 Mb/s||1 in 256|
|< 1 Gb/s||1 in 512|
|< 5 Gb/s||1 in 1024|
|< 25 Gb/s||1 in 2048|
sFlow, based on its mandatory sampling structure, is recommended on bigger networks with high traffic volumes. But, if your device supports applied samples of 1:256 or lower, it doesn’t matter which flow protocol you choose to use—feel free to use whichever one you’re most comfortable with.