On Sun, Sep 23, 2012 at 8:16 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Sep 23, 2012, at 7:55 PM, Danny McPherson wrote:
If the *flow generation process is not performed on the router (or otherwise conveyed by some metadata outside of "raw [sampled] packet headers") then you lose visibility to ingress and egress ifIndex (interface) information -- information which is required if/when deploying controls on those systems to squelch various traffic flows.
Thanks, Danny - I guess I should've spelled it out, thanks for clarifying, heh.
It should also be noted that generating the flows directly from the data plane of the router/switch or doing it offboard (as long as sufficient ingress/egress ifindex metadata are collected and exported, as you note) is just an implementation detail - it isn't inherent to s/Flow, NetFlow, IPFIX, et al. So, claiming this as some kind of advantage for a particular flow telemetry format is a non sequitur.
Exporting packet oriented measurements doesn't mean that you have to lose ingress/egress interface data. In the specific example being discussed (sFlow export), detailed forwarding information from the router forwarding plane is exported with each sampled packet header (full AS-path if you are using BGP). An external flow generator in this case can produce flow records that are identical to those that the device would produce, i.e. include ingress/egress ports. The difference between packet oriented or flow oriented export is an "implementation detail" if your only requirement is to obtain layer IP flow records, but becomes significant if you want to create customized flow records or create packet oriented metrics. Applications for packet oriented metrics mentioned earlier in this thread included route analytics, analysis of ECMP/LAG/TRILL forwarding, packet size distribution vs. DSCP, DDoS mitigation. The problem with having the router perform the flow analysis is that once data is aggregated, it can't be disaggregated. It's like the difference between receiving eggs or an omelette. If you like the omelette, great! But if you want a different omelette or would like to poach, boil, scramble or bake your eggs then getting the raw eggs is a lot more versatile.
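The point about raw samples versus pre-aggregated flows, as an added example that is not part of the original thread: one set of sampled packets, each carrying ingress/egress ifIndex, is aggregated offboard into three different views. The `Sample` record is a simplified assumption, not the sFlow wire format, and the sample data is constructed; counts are scaled by the 1-in-N sampling rate.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class Sample(NamedTuple):
    """One sampled packet plus forwarding metadata (simplified model, not the sFlow wire format)."""
    in_if: int    # ingress ifIndex
    out_if: int   # egress ifIndex
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    dscp: int
    length: int   # frame length in bytes
    rate: int     # 1-in-N sampling rate in effect

# Constructed sample data (documentation address ranges).
SAMPLES = [
    Sample(1, 7, "192.0.2.10", "198.51.100.5", 17, 53, 40000, 0, 1400, 1000),
    Sample(1, 7, "192.0.2.10", "198.51.100.5", 17, 53, 40000, 0, 1400, 1000),
    Sample(2, 7, "192.0.2.99", "198.51.100.5", 17, 53, 40001, 0, 1400, 1000),
    Sample(3, 7, "203.0.113.4", "198.51.100.5", 6, 51000, 443, 46, 64, 1000),
]

def flow_records(samples):
    """Flow view: 5-tuple plus ingress/egress ifIndex -> (estimated packets, estimated bytes)."""
    flows = defaultdict(lambda: [0, 0])
    for s in samples:
        key = (s.in_if, s.out_if, s.src, s.dst, s.proto, s.sport, s.dport)
        flows[key][0] += s.rate
        flows[key][1] += s.length * s.rate
    return {k: tuple(v) for k, v in flows.items()}

def size_by_dscp(samples, bucket=512):
    """Packet-oriented view: estimated packets per (DSCP, size bucket floor)."""
    hist = Counter()
    for s in samples:
        hist[(s.dscp, (s.length // bucket) * bucket)] += s.rate
    return dict(hist)

def ingress_for_target(samples, dst):
    """Mitigation view: estimated bytes toward dst per ingress ifIndex."""
    per_if = Counter()
    for s in samples:
        if s.dst == dst:
            per_if[s.in_if] += s.length * s.rate
    return dict(per_if)
```

The size-by-DSCP histogram cannot be derived from the output of `flow_records`, because the per-packet length is lost once bytes are summed per flow.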