nanog mailing list archives

Re: DDOS, IDS, RTBH, and Rate limiting


From: freedman () freedman net (Avi Freedman)
Date: Sat, 22 Nov 2014 10:49:32 -0500 (EST)


On the contrary - SPAN nee port mirroring cuts into the
frames-per-second budget of linecards, as the traffic is in essence
being duplicated.  It is not 'free', and it has a profound impact on
the switch's data-plane traffic forwarding capacity.

Unlike NetFlow.

In the hosting case mirroring is usually done for the uplink port, but I have to
agree, it might be a problem.

Have you seen any issues with SPANning?  We usually advise something like
a $1k Net Optics tap or, to be cheaper, there are actually $50 fiber cables
with 30/70 taps embedded (so two such, one for the RX tap and one for the TX tap).

Of course, that only grabs a single 10gig whereas with SPAN you can
potentially do more - but the issue we've seen across vendors is that
if you try to send more traffic into a SPAN port than its size, bad
things can happen.  Head of line blocking, random congestion, and other
strange failures.

And you trade off potential catastrophic downtime for SPAN-related
network destabilization, for guaranteed downtime to bring links down
to tap them.

"Major" expenses - tuning the server according to the author's recommendations, and
writing a shell script that will send the 4948 a command to blackhole the IP. For a
qualified sysadmin it is 2 hours of work, and $500 max as a "labor"
cost. That's it. What can be cheaper than $2000 in this case? I guess I
won't get an answer.

I think the issue is not with your providing the info about fastnetmon,
its genesis, and what you see as the great use cases for it - more around
the statements on flow as an unusable source of data for various purposes.

Things seem to have died down around that though, which is good :)

---
Best regards,
Denys

Avi Freedman    | Your flow has something to show you; can you see it?    |
CEO, CloudHelix | (avi at cloudhelix dot com) | my name one word on skype |
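The "script that sends the 4948 a command to blackhole the IP" mentioned in the thread is the one piece of this exchange that is a concrete procedure, so here is an added example of what the defensive half of it looks like. This is not code from the thread, from FastNetMon, or from any of the posters; it assumes Cisco IOS-style static null routes (`ip route <host> 255.255.255.255 Null0`) as the blackhole mechanism, and the prefix list, device name and attacked addresses are constructed for illustration. The check it adds, that a blackhole is only ever generated for addresses inside prefixes the operator is responsible for, is the safeguard a practitioner wants before letting a detector drive router configuration automatically.

```python
"""
Added example: build (and validate) remote-triggered blackhole commands
for a victim IP reported by a DDoS detector.

Assumptions (not from the thread):
  - the switch accepts IOS-style 'ip route <host> 255.255.255.255 Null0'
  - OUR_PREFIXES lists the address space this hosting network owns
  - the commands are handed to whatever transport you already use
    (expect/ssh, a NETCONF client, ...); this module only produces them
"""
import ipaddress

# Constructed sample: prefixes the hosting network announces and is
# allowed to blackhole inside. RFC 5737 documentation ranges are used.
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed hypothetical device name used only in the generated banner.
DEVICE_NAME = "edge-4948-1"


def is_blackholable(ip_str, prefixes=OUR_PREFIXES):
    """True only for a valid unicast IPv4 host inside one of our prefixes.

    Refusing anything else keeps a misfiring or spoofed detector report
    from null-routing an address we do not own (or a whole network's
    gateway, broadcast, or multicast space).
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.version != 4:
        return False
    if ip.is_multicast or ip.is_unspecified or ip.is_loopback:
        return False
    return any(ip in prefix for prefix in prefixes)


def build_blackhole_commands(ip_str, prefixes=OUR_PREFIXES, remove=False):
    """Return the IOS configuration lines that add (or withdraw) a /32
    null route for the victim.  Raises ValueError if the address fails
    the ownership check, so a caller cannot push it by accident."""
    if not is_blackholable(ip_str, prefixes):
        raise ValueError(f"refusing to blackhole {ip_str}: not a host in our prefixes")
    verb = "no ip route" if remove else "ip route"
    return [
        "configure terminal",
        f"{verb} {ip_str} 255.255.255.255 Null0",
        "end",
        "write memory",
    ]


def plan_from_detector(reports, prefixes=OUR_PREFIXES):
    """Turn a list of (ip, pps) detector reports into per-host command
    lists, separating accepted hosts from rejected ones for the log."""
    accepted, rejected = {}, []
    for ip_str, pps in reports:
        if is_blackholable(ip_str, prefixes):
            accepted[ip_str] = build_blackhole_commands(ip_str, prefixes)
        else:
            rejected.append((ip_str, pps))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed detector output: one real victim, one address we do
    # not own, one malformed entry.
    sample = [("203.0.113.10", 850000), ("8.8.8.8", 120000), ("not-an-ip", 0)]
    ok, bad = plan_from_detector(sample)
    for host, cmds in ok.items():
        print(f"# {DEVICE_NAME}: blackhole {host}")
        print("\n".join(cmds))
    for host, pps in bad:
        print(f"# skipped {host} ({pps} pps): outside our prefixes or invalid")
```

Withdrawing the route later is the same call with `remove=True`; an automated setup should schedule that withdrawal (and log both actions) rather than leaving victims null-routed indefinitely.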
