Traffic monitoring: Asymmetric VLAN vs. Symmetric Interface Sampling

sFlow (Sampled Flow) is a robust technology for monitoring high-speed network traffic, similar to NetFlow and IPFIX. It works by exporting sampled subsets of network packets, providing an efficient and scalable way to analyze traffic. Depending on your configuration, you may notice that sFlow samples taken from a VLAN (Virtual Local Area Network) are asymmetric, whereas those taken from a network interface are symmetric. This article explains why this is the case and why we choose VLAN sFlow monitoring.

Table of Contents

  1. Asymmetric Traffic from VLANs
  2. Symmetric Traffic from Interfaces
  3. Reasons for the Difference
  4. Traffic Monitoring

Asymmetric Traffic from VLANs

When sFlow is configured to sample traffic by VLAN, the samples usually include only ingress traffic (packets entering the VLAN). Under this setting most systems do not sample egress traffic, i.e. packets leaving the VLAN, although some systems do sample packets that leave the VLAN for other VLANs. The sampled data is therefore asymmetric: it represents traffic in only one direction.

Symmetric Traffic from Interfaces

In contrast, sFlow sampling at the network interface level typically captures both ingress and egress traffic. This provides a symmetric view of the network traffic, capturing information on both incoming and outgoing packets through that interface.
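To make the difference visible in data, here is an added example (not from the original article and not ServerAstra's code) that takes decoded sFlow flow samples and reports whether a feed is ingress-only, as VLAN sampling typically produces, or bidirectional, as interface sampling produces. The sample records, the 203.0.113.0/24 customer prefix and the sampling rate of 1000 are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed customer prefix (RFC 5737 documentation range), not a real network.
LOCAL_NET = ip_network("203.0.113.0/24")

# Constructed records shaped like decoded sFlow flow samples:
# (src_ip, dst_ip, sampled_frame_bytes, sampling_rate).
VLAN_SAMPLES = [            # VLAN sampling: only ingress reaches the collector
    ("198.51.100.7", "203.0.113.10", 1500, 1000),
    ("198.51.100.9", "203.0.113.10", 900, 1000),
    ("198.51.100.7", "203.0.113.20", 64, 1000),
]
INTERFACE_SAMPLES = [       # interface sampling: both directions are seen
    ("198.51.100.7", "203.0.113.10", 1500, 1000),
    ("203.0.113.10", "198.51.100.7", 1400, 1000),
    ("198.51.100.9", "203.0.113.20", 64, 1000),
    ("203.0.113.20", "198.51.100.9", 1500, 1000),
    ("203.0.113.10", "203.0.113.20", 500, 1000),   # intra-VLAN, skipped below
]

def direction_totals(samples, local_net=LOCAL_NET):
    """Per local host: estimated bytes in each direction. Each sample stands
    for `rate` frames, so the estimate is sampled_bytes * rate."""
    totals = defaultdict(lambda: {"ingress": 0, "egress": 0})
    for src, dst, nbytes, rate in samples:
        src_local = ip_address(src) in local_net
        dst_local = ip_address(dst) in local_net
        if dst_local and not src_local:
            totals[dst]["ingress"] += nbytes * rate
        elif src_local and not dst_local:
            totals[src]["egress"] += nbytes * rate
        # intra-VLAN and pure transit samples are not host traffic; skipped
    return dict(totals)

def feed_symmetry(totals):
    """'ingress-only' is the signature of VLAN-based sampling; 'both' of
    interface-based sampling. Decided over the whole feed, not per host,
    so a single quiet host does not produce a false verdict."""
    ingress = sum(t["ingress"] for t in totals.values())
    egress = sum(t["egress"] for t in totals.values())
    if ingress and egress:
        return "both"
    if ingress:
        return "ingress-only"
    if egress:
        return "egress-only"
    return "no-traffic"
```

An "ingress-only" verdict means egress bytes are absent from the feed, so accounting built on it undercounts outbound traffic.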

Reasons for the Difference

Design Philosophy

The behavior differences between VLAN and interface-based sFlow sampling mainly come down to their intended use cases and the design philosophy behind sFlow technology. Interface-based sampling is often used for capacity planning and network performance monitoring, where a symmetric view is essential. VLAN-based sampling tends to be focused on applications such as security monitoring, where the ingress traffic is of particular interest.

Hardware Limitations

Some network devices may not support egress sampling at the VLAN level due to hardware limitations. The ASICs (Application-Specific Integrated Circuits) or firmware in some devices may not be designed to handle egress sampling for VLANs.

Ease of Implementation

Implementing symmetric sampling can be more resource-intensive. For this reason, it may be available only for interface-based sampling, where a comprehensive view is generally more crucial.

Specific Use Cases

In some specific scenarios, asymmetric sampling might be a desirable feature. This is especially true when the primary concern is monitoring one direction of the traffic for analysis or security purposes.

Traffic Monitoring

At ServerAstra we employ the best security practices, and to achieve higher performance and a better view of the current flows in the network we use VLAN monitoring. This gives us better performance at reasonable resource usage, which results in better pricing for our customers compared to our competitors. With interface-based monitoring, the per-megabit price can rise by up to 2.5 times.

For technical needs (traffic accounting) we can switch particular clients to interface-based sampling. This requires a review of the contract and pricing. For technical purposes we suggest that customers run their own flow monitoring. By understanding the differences between sFlow sampling at the VLAN and interface levels, network administrators can make more informed decisions about their traffic usage.