nanog mailing list archives
Re: Real world sflow vs netflow?
From: Peter Phaal <peter.phaal () gmail com>
Date: Sat, 22 Sep 2012 21:43:01 -0700
On Sat, Sep 22, 2012 at 4:41 PM, Dobbins, Roland <rdobbins () arbor net> wrote:
> You have misinterpreted what I said. I was saying that flow telemetry of any variety must be exported from edge devices, which in most cases are routers (in some cases layer-3 switches), in response to your 'move it out of the router' comment.
I am sorry I misunderstood your comment. I agree that it is important to gather telemetry directly from your edge devices. The comment "move it out of the router" referred to the location of the flow-cache in the following scenario.
On Thu, Sep 20, 2012 at 11:21 AM, Mikael Abrahamsson <swmike () swm pp se> wrote:
> Most of the platforms I know of do sampled netflow at 1:100-1:1000 or so, and then I don't really see the fundamental difference in doing the flow analysis on the router itself (classic netflow) or doing the same but at the sFlow collector.
In both cases the router is generating the telemetry. In the netflow case, packets are sampled on the router, the router builds flow records based on the contents of the sampled packets, and the flow records are exported. In the sFlow case, the raw sampled packet headers are exported to external software which builds flow records. In both cases the router is making the primary measurements and you end up with the same measurements.
On Fri, Sep 21, 2012 at 10:02 PM, Dobbins, Roland <rdobbins () arbor net> wrote:
> Actually, moving it out of the router creates huge problems and destroys a lot of the value of the flow telemetry - it nullifies your ability to traceback where traffic is ingressing your network, which is key for both security as well as traffic engineering, peering analysis, etc. It is far, far better to get your flow telemetry from your various edge routers, if at all possible, rather than probes. Scales better, too - and is less expensive in terms of both capex and opex.
I agree completely; probes are expensive, difficult to manage and can't accurately tell you how the traffic passed through the router.
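The collector-side flow cache discussed in this message, as an added example that is not part of the original post or of any sFlow tool: sampled packet headers are decoded off the router, scaled by the sampling rate into flow records, and keyed on the exporting router and ingress interface so that traceback still works. The sample tuple layout, function names and addresses are assumptions made for illustration, and the tuple is a simplification, not the sFlow datagram format.

```python
import socket
import struct
from collections import defaultdict

def make_header(src, dst, proto, sport, dport):
    """Constructed Ethernet + IPv4 + port bytes, standing in for a sampled header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)

def parse_header(hdr):
    """Return (src, dst, proto, sport, dport), or None if not untagged IPv4 TCP/UDP."""
    if len(hdr) < 34 or hdr[12:14] != b"\x08\x00":
        return None
    ihl, proto = (hdr[14] & 0x0F) * 4, hdr[23]
    frag = struct.unpack("!H", hdr[20:22])[0] & 0x1FFF  # non-first fragments carry no ports
    if ihl < 20 or frag or proto not in (6, 17) or len(hdr) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", hdr[14 + ihl:18 + ihl])
    return (socket.inet_ntoa(hdr[26:30]), socket.inet_ntoa(hdr[30:34]), proto, sport, dport)

def build_flows(samples):
    """Collector-side flow cache keyed on (agent, ingress ifIndex) + 5-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for agent, in_if, rate, frame_len, hdr in samples:
        key = parse_header(hdr)
        if key is None:
            continue  # undecodable sample: skipped in this example
        rec = flows[(agent, in_if) + key]
        rec["packets"] += rate              # one sample stands for `rate` packets
        rec["bytes"] += rate * frame_len
    return dict(flows)

def ingress_points(flows, dst):
    """Estimated bytes toward dst per (agent, ingress ifIndex), largest first."""
    totals = defaultdict(int)
    for (agent, in_if, _src, fdst, *_rest), rec in flows.items():
        if fdst == dst:
            totals[(agent, in_if)] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])

# Constructed samples: (agent, ingress ifIndex, sampling rate, frame length, header)
SAMPLES = [
    ("192.0.2.1", 3, 1000, 1500, make_header("198.51.100.7", "203.0.113.10", 6, 40000, 80)),
    ("192.0.2.1", 3, 1000, 1500, make_header("198.51.100.7", "203.0.113.10", 6, 40000, 80)),
    ("192.0.2.2", 7, 1000, 64, make_header("198.51.100.9", "203.0.113.10", 17, 5353, 53)),
    ("192.0.2.2", 7, 1000, 60, b"\x00" * 14),  # truncated, non-IP sample
]
```

Because the key includes the exporting agent and ingress ifIndex, `ingress_points(build_flows(SAMPLES), "203.0.113.10")` ranks where traffic toward that address enters the network, which is the traceback property the thread is concerned with.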