[183398] in North American Network Operators' Group


Re: NetFlow - path from Routers to Collector

daemon@ATHENA.MIT.EDU (Avi Freedman)
Tue Sep 1 13:56:49 2015

X-Original-To: nanog@nanog.org
To: jared@puck.Nether.net (Jared Mauch)
Date: Tue, 1 Sep 2015 13:55:47 -0400 (EDT)
From: freedman@freedman.net (Avi Freedman)
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


Looking at probably 100 networks' flow paths over the last year,
I'd say 1 or 2 have OOB for flow.

Maybe another 10-20 have interest in taking simpler time series
data of top talkers over their OOB networks, but not the flow
itself.

Agree w Roland that it can cause problems with telemetry if
there are big network misconfigs.  But for folks seeing DDoS,
we implement rate-limiting of the flows/sec via local proxies
to avoid overwhelming network capacity with the flow data...

Avi

>	I think the key here is that Roland isn't often constrained by
> these financial considerations.
> 
>	I would respectfully disagree with Roland here and agree with
> Job, Niels, etc.
> 
>	A few networks have robust out of band networks, but most
> I've seen have an interesting mixture of things and inband is usually
> the best method.
> 
>	Those that do have "separate" networks may actually be CoC
> services from another department in the same company riding the same
> P/PE devices (sometimes routers).
> 
>	I've seen oob networks on DSL, datacenter wifi or cable swaps
> through the fence to an adjacent rack.
> 
>	An oob network need not be high bandwidth enough to do netflow
> sampling, this is well regarded as a waste of money by many as the costs
> for these can often be orders of magnitude more compared to a pure-IP
> or internet service.
> 
>	I'll say this ranks up there with people who think
> MPLS VPN == Encryption.  It's not unless you think a few byte
> label is going to confuse people.
> 
> 	- Jared

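A minimal version of the flows/sec rate limiting Avi mentions, written here as an added example (not Avi's proxy or any collector's code): a token bucket applied per flow record by a local proxy sitting between exporters and the collector. The record stream, rate and burst values are constructed for illustration.

```python
"""Token-bucket rate limiter for NetFlow export, as a local proxy would apply it."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FlowRateLimiter:
    """Admit at most `rate` flow records per second, with a burst of `burst` records.

    Each admitted record spends one token; tokens refill at `rate` per second up to
    `burst`. When the bucket is empty (for example during a DDoS that inflates the
    flows/sec), records are dropped locally instead of saturating the path to the
    collector. Values below are assumptions, not figures from the thread.
    """
    rate: float                    # sustained records per second
    burst: float                   # bucket capacity in records
    tokens: Optional[float] = None # current bucket level
    last_ts: Optional[float] = None

    def __post_init__(self) -> None:
        if self.tokens is None:
            self.tokens = self.burst  # start full so a short burst passes unhindered

    def admit(self, ts: float) -> bool:
        """Return True if a record seen at time `ts` (seconds) may be forwarded."""
        if self.last_ts is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last_ts) * self.rate)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_proxy(records: List[Tuple[float, str]], rate: float, burst: float) -> Tuple[int, int]:
    """Pass (timestamp, record) pairs through one limiter; return (forwarded, dropped)."""
    limiter = FlowRateLimiter(rate=rate, burst=burst)
    forwarded = dropped = 0
    for ts, _record in records:
        if limiter.admit(ts):
            forwarded += 1   # hand the datagram on to the collector
        else:
            dropped += 1     # shed locally; the OOB/in-band link never sees it
    return forwarded, dropped


def constructed_stream() -> List[Tuple[float, str]]:
    """Constructed sample: 5 records/s for t=0..2, then 50-record spikes at t=3 and t=4."""
    records = [(float(sec), f"baseline-{sec}-{i}") for sec in range(3) for i in range(5)]
    records += [(float(sec), f"surge-{sec}-{i}") for sec in (3, 4) for i in range(50)]
    return records


if __name__ == "__main__":
    print(run_proxy(constructed_stream(), rate=10, burst=20))  # (45, 70)
```

With rate 10/s and burst 20, the baseline 15 records all pass, the first spike is capped at the 20-token bucket and the second at the 10 tokens refilled in one second, so the collector link carries 45 records and 70 are shed at the proxy.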
