Page 1 of 1
[Feature Request] sFlow
Posted: Wed Oct 11, 2017 4:47 pm
by Cha0s
Please add sFlow support.
http://www.sflow.org/sFlowOverview.pdf
I know there is currently NetFlow/IPFIX support, but both protocols are very limiting when it comes to
realtime monitoring or more importantly realtime acting on exported flows (ie: DDoS detection)
Re: [Feature Request] sFlow
Posted: Mon Oct 16, 2017 11:40 pm
by berlo
If you need do DDoS detection best is to put on top or behind a crs317 switch and setup port mirroring.
You can monitor mirrored traffic in real time.
Re: [Feature Request] sFlow
Posted: Mon Oct 16, 2017 11:42 pm
by Cha0s
Yes I know that. This solution does not scale at all.
It's not easy nor cheap to mirror multiple 10gbit pipes from your edge to a central location for monitoring/management.
Re: [Feature Request] sFlow
Posted: Mon Oct 16, 2017 11:49 pm
by berlo
CRS317 is within 250 price range, not something unsustainable and you get 16 10gig port on dual power supply.
If you're running multiple 10gig ports you have ccr1072. The only chance to absorb DDoS attack is keeping it on fast path. If you use fastrack or filter in raw you will see unfiltere package in slow path and your router will die with little attacks.
If you want deal DDoS keep border router on routing only (best one for every link) on fastpath and install additional devices for other applications.
Re: [Feature Request] sFlow
Posted: Tue Oct 17, 2017 12:52 am
by Cha0s
What you say is not feasible economically and technically.
Think multiple routers with fiber uplinks in multiple racks, hence multiple CRS317s, multiple SFP modules, multiple NICs in the capture machine, plus lost Us in racks for all that.
Plus you then need a monster of a machine with specific NICs (if you hope to reach wirespeed) just to capture the data and process them. Total mess and totally not a scalable solution.
Not to mention the man-hours just to set up and maintain all this as your network (and routers/uplinks) gets bigger.
All these add up. It's not just '250$' (btw CRS317's suggested price is
399$).
sFlow (or Netflow/IPFIX for that matter) makes monitoring much more economical and manageable. You've got tons of software to work with it and with just a VM (albeit a beefy one) on your already set up cloud infrastructure you can monitor your flows and act upon them. No need for extra hardware or man-hours.
I dunno, maybe it's just me but I
think most CFOs and CTOs would choose sFlow over what you propose
Re: [Feature Request] sFlow
Posted: Tue Oct 17, 2017 12:06 pm
by mhviper
+1 for sflow.
Re: [Feature Request] sFlow
Posted: Sat Jun 02, 2018 11:42 am
by ogekuri
+1 for sflow
Re: [Feature Request] sFlow
Posted: Tue Jun 19, 2018 7:40 pm
by baronkis
+ sflow
Re: [Feature Request] sFlow
Posted: Thu Aug 16, 2018 3:18 pm
by dvk99
+1 sflow
Re: [Feature Request] sFlow
Posted: Wed Aug 29, 2018 9:38 pm
by roysbike
+1 sflow!!
Re: [Feature Request] sFlow
Posted: Thu Sep 13, 2018 3:54 am
by vecernik87
sFlow requires HW support (switchchip / dedicated ASIC). They clearly state it in their overview. It can't be simply added with software update.
Re: [Feature Request] sFlow
Posted: Thu Sep 13, 2018 10:43 am
by Cha0s
Not true.
There is a software implementation that works on Linux.
https://sflow.net/about.php
Re: [Feature Request] sFlow
Posted: Wed Feb 24, 2021 8:58 pm
by kniksc
Sorry for digging out but please... add sFLOW
it's much faster in DDoS detection than NetFlow (mikrotik's Trafic Flow)
Re: [Feature Request] sFlow
Posted: Fri Apr 30, 2021 10:59 am
by idst
+1 sflow, almost in 10G cable routers
Re: [Feature Request] sFlow
Posted: Tue May 17, 2022 3:31 pm
by DigiMasTer
+1 for sflow.
Re: [Feature Request] sFlow
Posted: Sat Jul 15, 2023 12:33 am
by sis
+1 sflow