[187939] in North American Network Operators' Group


Re: sFlow vs netFlow/IPFIX

daemon@ATHENA.MIT.EDU (Saku Ytti)
Mon Feb 29 07:41:06 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <20160229.131748.74688177.sthaug@nethelp.no>
Date: Mon, 29 Feb 2016 14:41:03 +0200
From: Saku Ytti <saku@ytti.fi>
To: sthaug@nethelp.no
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On 29 February 2016 at 14:17,  <sthaug@nethelp.no> wrote:

> A relevant question might be if the Trio hardware can do 1:1 while
> handling multiple ports of line rate DDoS traffic consisting of small
> packets with different port numbers (i.e. high pps traffic resulting
> in basically 1 flow per packet). No, I don't know the answer (but I
> suspect it might be negative).

I cannot see why not; it's cheap. You're doing 1-2 LPM on the packet,
QoS lookup, ACL lookup, incrementing various counters, etc.; adding
one hash lookup and two counters is not going to be a relevant cost to
the lookup time.

Having many entries in the hash table is an issue, incrementing their
counters is not.

> Here we're using Trio hardware with 1:100 sampling, and are reasonably
> happy with the results.

-- 
  ++ytti
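The cost argument in the message above, as an added worked example that is not code from the thread or from any Juniper/Trio implementation: a toy software flow cache that does exactly what is described (one hash lookup plus a packet and a byte counter per sampled packet), fed with constructed traffic. `FlowCache`, `Packet`, `steady_packets`, `flood_packets` and `compare` are all assumed names; the addresses and port numbers are constructed. The run shows that the per-packet work (`lookups`) is the same for steady traffic and for a one-flow-per-packet flood, while the number of table entries is what explodes under the flood, and how 1:100 sampling bounds both.

```python
"""Toy flow cache: per-packet cost vs. table growth under 1:1 and 1:N sampling."""
from collections import namedtuple
import random

# Constructed packet record; the 5-tuple (src, dst, proto, sport, dport) is the flow key.
Packet = namedtuple("Packet", "src dst proto sport dport length")


class FlowCache:
    """Hash table keyed on the 5-tuple, holding a packet counter and a byte counter."""

    def __init__(self, sampling_rate=1):
        self.rate = sampling_rate      # 1 = account every packet, 100 = 1:100 sampling
        self.table = {}                # flow key -> [packets, bytes]
        self.lookups = 0               # hash lookups performed (one per sampled packet)
        self.seen = 0                  # packets observed on the wire

    def observe(self, pkt):
        self.seen += 1
        if self.seen % self.rate != 0:  # deterministic 1:N sampling for reproducibility
            return
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        self.lookups += 1               # constant work per sampled packet, regardless of table size
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = [1, pkt.length]   # new flow: the table grows
        else:
            entry[0] += 1                       # existing flow: two counter increments
            entry[1] += pkt.length


def steady_packets(n, flows=50, seed=1):
    """Constructed 'normal' traffic: n packets spread over a fixed set of `flows` 5-tuples."""
    rng = random.Random(seed)
    for _ in range(n):
        f = rng.randrange(flows)
        yield Packet("192.0.2.%d" % (f + 1), "203.0.113.10", 6, 40000 + f, 443, 1200)


def flood_packets(n):
    """Constructed flood: every packet carries a different source port, so each packet is a new flow."""
    for i in range(n):
        yield Packet("198.51.100.7", "203.0.113.10", 17, 1024 + (i % 60000), 53, 64)


def run(packets, sampling_rate):
    cache = FlowCache(sampling_rate)
    for p in packets:
        cache.observe(p)
    return cache


def compare(n=10000):
    """Return {(traffic, sampling_rate): (table_entries, hash_lookups)} for n packets of each kind."""
    results = {}
    for name, gen in (("steady", steady_packets), ("flood", flood_packets)):
        for rate in (1, 100):
            c = run(gen(n), rate)
            results[(name, rate)] = (len(c.table), c.lookups)
    return results


if __name__ == "__main__":
    for (traffic, rate), (entries, lookups) in sorted(compare().items()):
        print("%-6s 1:%-3d  entries=%6d  lookups=%6d" % (traffic, rate, entries, lookups))
```

With 10,000 packets, the 1:1 runs perform 10,000 lookups whether the traffic is steady or a flood; what differs is the table, 50 entries versus 10,000. At 1:100 both the lookups and the worst-case table size drop to 100, which is the trade-off behind the 1:100 configuration mentioned in the quoted message: the exporter's table (and export volume) is bounded by the sampling rate rather than by the attacker's packet rate.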
