Re: flow analysis for juniper devices

[Paolo Lucente <pl+list () pmacct net>]

On Sat, Nov 13, 2010 at 09:17:55PM -0600, Richard A Steenbergen wrote:

> Oh and the sFlow on EX is actually pretty cripled when used for routing. 
> It's missing support for a bunch of important extended message tpes, and 
> doesn't fully populate all of the fields of the message types it does 
> send. For example you won't get any data on ASNs, nexthops, dest 
> ifindexes, or even netmasks of the src/dst route the flow matched, 
> making it pretty darn useless for a lot of tasks. It's functional if 
> you're just analyzing L2 networks at any rate.

Agree people spend some money and hence tend to expect something in
return. But it's also true those good souls developing free collectors
(to stay in topic with the OP) sometimes come to the rescue: ASNs, BGP
next-hop, routes, netmasks can be all looked up at the collector at
pretty no major effort. Variety of methods available depending on the
collector, in place or a posteriori, file or BGP lookup - it's matter
of selecting what fits better the specific job.

Plus, sFlow flow samples are rather successful offsetting some partial
vendor implementations by carrying portion of the sampled packet - in
one go MAC addresses, VLANs, 802.1p, MPLS labels, EXP bits, BoS, etc.
are at the collector doorstep.

OTOH it would be nice to see one day those NetFlow v9 MAC address fields
populated on higher-grade boxes, say, to facilitate analysis of public
peering at internet exchanges ...

Cheers,
Paolo