[183416] in North American Network Operators' Group
Re: NetFlow - path from Routers to Collector
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Sep 1 18:52:35 2015
X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <633792AF-4247-49D4-B17A-DF4A0D923FB3@arbor.net>
Date: Tue, 1 Sep 2015 18:49:22 -0400
To: Roland Dobbins <rdobbins@arbor.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
> On Sep 1, 2015, at 6:37 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
>
> On 2 Sep 2015, at 3:34, Nick Hilliard wrote:
>
>> If you want to handle netflow data export for large amounts of traffic, it
>> would be pretty dumb to push it through the management plane of the router.
>
> Concur 100%. You must use a port capable of doing so.
My experience in running large networks is these ports often can't handle the traffic involved.

The packet path in a Juniper (for example to go from the PFE -> RE -> Ethernet) is very sensitive to the jitter introduced by increased traffic loads and may result in the box becoming unstable.

Other platforms (e.g.: IOS-XR based) have issues with the MgmtEther interfaces which make them inoperable for many use-cases. There are many technical details that are easily overlooked by those not using the routers to their abilities, so a small network (as Wes mentioned before with 2500s/T1s) still as OOB is unlikely to see data rates comparable to what is seen from a large router exporting data from hundreds of gigs of flows.

Often netflow vendors tell customers things that create more flow records, which equals slightly higher data resolution but no actual net difference in results except for the lowest of bitrates.

Making sure your flow implementation is optimized (ingress only, relevant links only) is one part of having it scale. I've seen many a solution that scales poorly or requires dozens of boxes for datasets that don't require it. It's easy to over-specify for an attack because of the "Think of the Children^WDDoS" mentality that exists, but when you are on the receiving end of a large attack there are better tools to use.

- Jared
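As an added illustration of the advice in this message (not part of Jared's post, nor taken from any vendor's documentation), here is a Junos MX-style inline J-Flow configuration that samples on ingress only, on a single transit interface, and exports the flow records from the PFE with a loopback source address rather than through the RE and fxp0. The instance name, template name, interface, sampling rate and all addresses are constructed placeholders; the stanza hierarchy follows Junos inline J-Flow as I understand it and should be checked against the release notes for the platform in use.

```junos
chassis {
    fpc 0 { sampling-instance FLOW-EXPORT; }     /* bind the instance to the FPC that samples */
}
services {
    flow-monitoring {
        version-ipfix {
            template IPV4-TPL {
                flow-active-timeout 60;           /* export long-lived flows once a minute */
                flow-inactive-timeout 30;
                ipv4-template;
            }
        }
    }
}
forwarding-options {
    sampling {
        instance {
            FLOW-EXPORT {
                input { rate 1000; }              /* 1:1000; raise the denominator on busier links */
                family inet {
                    output {
                        flow-server 192.0.2.10 {  /* collector, placeholder address */
                            port 4739;
                            version-ipfix { template { IPV4-TPL; } }
                        }
                        inline-jflow {
                            source-address 198.51.100.1;   /* loopback address: export leaves the PFE, not fxp0 */
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    xe-0/0/0 {                                    /* the one transit link that matters, placeholder name */
        unit 0 {
            family inet {
                sampling { input; }               /* ingress only; no "output" keyword */
            }
        }
    }
}
```

Applying `sampling input` only on the links whose traffic you actually need to see, and omitting `output`, is what keeps the record rate (and the collector count) proportional to the problem rather than to the router's total throughput.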