[187937] in North American Network Operators' Group
Re: sFlow vs netFlow/IPFIX
daemon@ATHENA.MIT.EDU (sthaug@nethelp.no)
Mon Feb 29 07:19:30 2016
X-Original-To: nanog@nanog.org
Date: Mon, 29 Feb 2016 13:17:48 +0100 (CET)
To: saku@ytti.fi
From: sthaug@nethelp.no
In-Reply-To: <CAAeewD8-xAZM1sXgRy8EpSz490oC2H-z2hugZuT_bpAXi_4Egw@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
> > That's interesting, given that most larger routers don't support 1:1.
>
> I find that strange, because if you're doing in in HW, doing hash
> lookup for flow and adding packets and bytes to the counter is cheap.
> It's expensive having lot of those flows, but incrementing their
> packet and byte counter isn't.
>
> I know that all JNPR Trio kit (MX, T, EX9k...) do 1:1. I guess if
> you're doing it in LC CPU things are very different.
A relevant question might be if the Trio hardware can do 1:1 while
handling multiple ports of line rate DDoS traffic consisting of small
packets with different port numbers (i.e. high pps traffic resulting
in basically 1 flow per packet). No, I don't know the answer (but I
suspect it might be negative).
Here we're using Trio hardware with 1:100 sampling, and are reasonably
happy with the results.
Steinar Haug, AS2116
