
Netflow vs sFlow? What's the Difference

Netflow vs sFlow – Learn the differences between the two Network Analysis Protocols

Netflow vs sFlow: what's the difference between these two flow protocols, and which one should you be using? We get this question all the time, so we figured we'd give a quick analysis and rundown of the two flow export protocols to show you some of the main differences between them.

As we've mentioned in the What is Netflow article, Netflow is Cisco's proprietary protocol, present in Cisco switches and routers, that enables network devices to export IP flow data to a collector/analyzer, where it is collected, processed and further dissected by network engineers or administrators. This gives network engineers/admins a granular view of what and who is using up network resources, as well as source/destination information. One of the most notable differences between Netflow and sFlow is that Netflow is restricted to IP traffic only. This is where sFlow has the greater advantage in terms of analysis, as it can collect, monitor and analyze traffic from OSI Layers 2, 3, 4, 5, 6 and 7.

On the other hand, sFlow was developed to be compatible with many different platforms of switches and routers, unlike Netflow, which is only available for Cisco hardware and other select manufacturers, including Juniper, Alcatel Lucent, Huawei, Enterasys, Nortel and VMware. Making a flow protocol that was open to multiple hardware vendors has allowed sFlow to grow in popularity as it started to become integrated into a range of different network routers and Layer 2 switches.

sFlow is supported by the following hardware manufacturers (this list is updated as of 2016):

A10 Networks, ADARA Networks, Aerohive, AlaxalA Networks, Alcatel-Lucent Enterprise, Allied Telesis, Arista Networks, AT&T, Aruba, Big Switch Networks, Black Box Network Services, Brocade, Cameo Communications, Cisco, Comtec Systems, Cumulus Networks, Dax Networks, Digital China Networks (DCN), Dell, D-Link, DrayTek Corp., Edge-Core Networks, Enterasys, Extreme Networks, F5, Fortinet, Gambit Communications, Hewlett-Packard, Hitachi, Host sFlow, Huawei, IBM, InMon Corp., IP Infusion, ITS Express, Juniper Networks, LANCOM Systems, LevelOne, LG-ERICSSON, Maipu, Mellanox, MRV, NEC, NETGEAR, Nevion, Open vSwitch, Overture Networks, Pica8, Plexxi, Pluribus Networks, Proxim Wireless, Quanta Computer, Radisys Corporation, Silicom Ltd., SMC Networks, Themis Computer, Vyatta, Xenya, XRoads Networks, ZTE, ZyXEL.

Differences between Netflow vs sFlow

Some of the key differences of Netflow vs sFlow are highlighted in the table below:

| Feature | Netflow | sFlow |
| --- | --- | --- |
| Available on different hardware vendors? | No – Only available on Cisco Routers/Switches | Yes – Widespread use of sFlow has been adopted by various hardware vendors. |
| Packet Capturing | Not Supported | Partially Function – |
| Interface Counters | Not Supported | Fully Supported |
| **Protocol Support:** | | |
| IP/ICMP/UDP/TCP | Fully Supported | Fully Supported |
| Ethernet/802.3 | Not Supported | Fully Supported |
| Packet Headers | Not Supported | Fully Supported |
| IPX | Not Supported | Fully Supported |
| Appletalk | Not Supported | Fully Supported |
| Input/Output Interfaces | Fully Supported | Fully Supported |
| Input/Output Priority | Not Supported | Fully Supported |
| Input/Output VLAN | Not Supported | Fully Supported |
| Source & Destination Subnet/Prefix | Fully Supported | Fully Supported |
| Next hop | Fully Supported | Fully Supported |
| **BGP 4 Information:** | | |
| Source AS (Autonomous Sys.) | Partially Supported | Fully Supported |
| Source Peer AS (Autonomous Sys.) | Partially Supported | Fully Supported |
| Destination AS (Autonomous Sys.) | Partially Supported | Fully Supported |
| Destination Peer AS (Autonomous Sys.) | Partially Supported | Fully Supported |
| Communities | Not Supported | Fully Supported |
| AS Path | Not Supported | Fully Supported |
| Real-time Data Collection | Partially Supported | Fully Supported |
| Configure w/o SNMP? | Fully Supported | Fully Supported |
| Configure w/ SNMP? | Not Supported | Fully Supported |
| Scalability of Traffic Collecting/Analyzing | Not Supported | Fully Supported |
| Low Cost? | Cisco Hardware is Expensive | Open to Multiple Lower Cost hardware vendors. |
| Wire Speed Collection/Analysis | Partially Supported | Fully Supported |

Table via sFlow.org

As you can see, the features of sFlow outweigh those of Netflow by a fairly large margin, especially when it comes to large-scale analysis of flow traffic. The scalability of sFlow in an enterprise environment allows for network-wide views of an infrastructure from a single location, giving you the ability to collect, store and analyze network traffic from thousands of network devices.

Nevertheless, if you are using Cisco equipment, including switches, firewalls and routers, you are limited to using Netflow for traffic collection. Netflow is also enabled on several other hardware vendor brands, including 3com, Adtran, Juniper Networks, Riverbed, Enterasys Networks, Extreme Networks and Foundry Networks devices. Cisco did not include Netflow capabilities on network devices in the 2900, 3500, 3660, 3750 series.

Another added benefit of sFlow is the detailed information you can program to receive from each datagram, which includes information from Layers 2 through 7 of the OSI model. Many of you may be thinking that this will add unnecessary overhead on the network, but because of how the sFlow Agent is designed and integrated into the hardware itself, you receive data at wire speed without the worry of “clipping” under heavier loads. Netflow will simply mirror all the traffic, which could eventually cause a lot of network overhead.
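To make the difference in datagram content concrete, here is an added example (not from the original article or from either protocol's vendors) that parses one export packet of each kind and shows which fields a collector actually receives. It assumes the NetFlow v5 and sFlow v5 wire formats, since the article names no versions; both sample packets are constructed for the example.

```python
import socket
import struct

NF5_REC = "!4s4s4sHHIIIIHHBBB"  # first 39 bytes of each 48-byte NetFlow v5 record

def parse_netflow_v5(pkt):
    """Flow records from one NetFlow v5 export packet (IP-level fields only)."""
    version, count = struct.unpack_from("!HH", pkt, 0)
    if version != 5 or len(pkt) < 24 + 48 * count:
        raise ValueError("not a complete NetFlow v5 packet")
    flows = []
    for i in range(count):
        f = struct.unpack_from(NF5_REC, pkt, 24 + 48 * i)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "sport": f[9], "dport": f[10], "proto": f[13], "bytes": f[6]})
    return flows

def parse_sflow_v5(pkt):
    """Sampled Ethernet headers from one sFlow v5 datagram (IPv4 agent only)."""
    version, addr_type, num_samples = struct.unpack_from("!II16xI", pkt, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("not an sFlow v5 datagram from an IPv4 agent")
    off, out = 28, []
    for _ in range(num_samples):
        tag, length = struct.unpack_from("!II", pkt, off)
        body, off = off + 8, off + 8 + length
        if tag != 1:  # 1 = flow sample; counter samples are skipped here
            continue
        s = struct.unpack_from("!8I", pkt, body)  # seq, source, rate, pool, drops, in, out, nrec
        rate, rec = s[2], body + 32
        for _ in range(s[7]):
            rtag, rlen = struct.unpack_from("!II", pkt, rec)
            if rtag == 1:  # raw packet header record
                proto, frame_len, _strip, hlen = struct.unpack_from("!4I", pkt, rec + 8)
                h = pkt[rec + 24:rec + 24 + hlen]
                if proto == 1 and len(h) >= 14:  # header_protocol 1 = Ethernet
                    out.append({"src_mac": h[6:12].hex(":"), "dst_mac": h[:6].hex(":"),
                                "ethertype": h[12:14].hex(), "rate": rate,
                                "est_bytes": frame_len * rate})
            rec += 8 + rlen
    return out

# Constructed sample packets, built here for the example (not captured traffic).
NF5_SAMPLE = struct.pack("!HH20x", 5, 1) + struct.pack(NF5_REC, bytes([10, 0, 0, 5]),
    bytes([192, 0, 2, 10]), bytes(4), 1, 2, 10, 8400, 0, 0, 51000, 443, 0, 0x18, 6) + bytes(9)
_eth = bytes.fromhex("02000000000a0200000000010800") + bytes(50)  # 64-byte header
_rec = struct.pack("!6I", 1, 16 + len(_eth), 1, 1500, 4, len(_eth)) + _eth
_flow = struct.pack("!8I", 1, 3, 512, 512000, 0, 3, 4, 1) + _rec
SFLOW_SAMPLE = (struct.pack("!II4s4I", 5, 1, bytes([198, 51, 100, 1]), 0, 1, 0, 1)
                + struct.pack("!II", 1, len(_flow)) + _flow)
```

Because each sFlow record describes one sampled frame, byte counts have to be scaled by the sampling rate (`est_bytes`), whereas the NetFlow v5 record carries a per-flow byte total. A truncated datagram raises `struct.error`, which a collector reading from untrusted UDP should catch and count rather than crash on.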

As more network device hardware vendors come into the industry, sFlow and other flow protocols will become more widely used, since Netflow cannot be used with any device other than Cisco. At the end of the day, the Netflow vs. sFlow debate is mainly focused on which hardware vendor you're planning on using and what kind of flow/traffic information you want to collect, monitor and analyze within your network.