nanog mailing list archives

Re: sFlow vs netFlow/IPFIX

From: Saku Ytti <saku () ytti fi>
Date: Mon, 29 Feb 2016 14:41:03 +0200

On 29 February 2016 at 14:17,  <sthaug () nethelp no> wrote:

A relevant question might be if the Trio hardware can do 1:1 while
handling multiple ports of line rate DDoS traffic consisting of small
packets with different port numbers (i.e. high pps traffic resulting
in basically 1 flow per packet). No, I don't know the answer (but I
suspect it might be negative).


I cannot see why not, it's cheap. You're doing 1-2 LPM on the packet,
QoS lookup, ACL lookup, incrementing various counters, etc., adding
one hash lookup and two counters is not going to be relevant cost to
the lookup time.

Having many entries in the hash table is an issue, incrementing their
counters is not.

Here we're using Trio hardware with 1:100 sampling, and are reasonably
happy with the results.


-- 
  ++ytti

Current thread:

Re: sFlow vs netFlow/IPFIX, (continued)
- - - Re: sFlow vs netFlow/IPFIX Edward Dore (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Pavel Odintsov (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Edward Dore (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Pavel Odintsov (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Nick Hilliard (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Nick Hilliard (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Nikolay Shopik (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Pavel Odintsov (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Saku Ytti (Feb 29)
    - Re: sFlow vs netFlow/IPFIX sthaug (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Saku Ytti (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Nick Hilliard (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Saku Ytti (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Phil Bedard (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Saku Ytti (Feb 29)
    - Re: sFlow vs netFlow/IPFIX Avi Freedman (Feb 28)
- RE: sFlow vs netFlow/IPFIX Phil Bedard (Feb 28)
- Re: sFlow vs netFlow/IPFIX Avi Freedman (Feb 28)
- Re: sFlow vs netFlow/IPFIX Saku Ytti (Feb 29)