We work with or have worked with nearly every vendor that exports NetFlow, IPFIX or sFlow; from what we have seen in the market, sFlow is dead or probably more accurately dying a slow death.
The proprietary sFlow initiative is backed by one company: InMon which sells its technology to vendors such as Cisco, Dell, Enterasys, Extreme, Juniper and others. Why then, do these same vendors appear to be making the switch to IPFIX? The reason could be visibility and the fact that IPFIX is the official IETF standard! for both technologies.
In our experience, most customers who collect both NetFlow and sFlow learn quickly that sFlow simply doesn’t provide the same reliable details that a true flow technology like NetFlow and IPFIX does. Although sFlow is intended to be a broader network monitoring technology, many companies rely on it solely for its packet sampling capability. In truth, sFlow is not a flow technology at all.
“Customers often call tech support wondering where all the traffic details are in their sFlow reports. When I tell them that sFlow is only a sampling technology and that it doesn’t represent 100% of the data, I either hear a big sigh of disappointment or a few curses that I’d rather not repeat. People want NetFlow or IPFIX. sFlow simply doesn’t deliver what customers want” Said Justin Jett, Scrutinizer Technical Support – Plixer
Similar to how black and white televisions stuck around for years after color was introduced, sFlow will linger on for years to come. Today, the consumer base has spoken, the vendors have responded and sFlow will slowly die out but, it will take time. Even today, switches are still shipping with support for sFlow but, most of these vendors will make the switch to IPFIX even if it means a sampled export.
I’d rather look at the death of sFlow another way. InMon hasn’t released a new version of sFlow in years. The last version was v5. Because the IETF made provisions in IPFIX to sample packets and other metrics that we see in sFlow, we can in a sense consider IPFIX to be sFlow v6, just as many consider IPFIX to be NetFlow v10.
NetFlow vs. sFlow
There have been several NetFlow vs. sFlow debates over the years:
“Most customers that I’ve talked to, and there have been hundreds over the years, want sFlow to ‘just behave like NetFlow’. In fact many customers, when faced with the prospect of sampled data, will deploy NetFlow generators (sometimes called ‘flow probes’) such as nBox or
Cisco’s NGA to create NetFlow based on SPAN ports rather than deal with the difficulties sFlow presents.”
This reoccurring discussion will finally R.I.P. The legacy of NetFlow and sFlow will live on as IPFIX.
IPFIX can provide 100% representation of all individual connections that travel through an observation point (e.g. router, firewall, switch, probe or server). Vendors like Cisco, Dell SonicWALL and nBox are using it to export unique metrics such as latency, retransmits, packet loss, jitter, HTTP Host, URLs, TCP window size, transaction duration and much more. It provides all the functionality of NetFlow and sFlow AND it is owned by the Internet community. A few vendors such as Cisco, Dell, Enterasys, Extreme and Juniper have marketed different hardware that supports either NetFlow (IPFIX) or sFlow. Their support for sFlow is generally on the cheaper switches and eventually the marketing for the sFlow hardware seemed to fizzle out.
I support customers every day and in my opinion, vendors contemplating whether to implement IPFIX vs. sFlow need to wake up: sFlow is dead.
UPDATE: 3/21/2016 – Although this post is a little long in the tooth it still does make a good point. In today’s security focused world you really do need to have complete viability into your networks traffic. That is where technology, like NetFlow comes in. If you have a sFlow device that you need visibility from I recommend using FlowPro to generate IPFIX/NetFlow traffic.