On Sat, Sep 22, 2012 at 4:41 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
You have misinterpreted what I said. I was saying that flow telemetry of any variety must be exported from edge devices, which in most cases are routers (in some cases layer-3 switches), in response to your 'move it out of the router' comment.
I am sorry I misunderstood your comment, I agree that it is important to gather telemetry directly from your edge devices. The comment "move it out of the router" referred to the location of the flow-cache in the following scenario.
On Thu, Sep 20, 2012 at 11:21 AM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
Most of the platforms I know of do sampled netflow at 1:100-1:1000 or so, and then I don't really see the fundamental difference in doing the flow analysis on the router itself (classic netflow) or doing the same but at the sFlow collector.
In both cases the router is generating the telemetry, in the netflow case, packets are sampled on the router, the router builds flow records based on the contents of the sampled packets, and the flow records are exported. In the sFlow case, the raw sampled packet headers are exported to external software which builds flow records. In both cases the router is making the primary measurements and you end up with the same measurements.
On Fri, Sep 21, 2012 at 10:02 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
Actually, moving it out of the router creates huge problems and destroys a lot of the value of the flow telemetry - it nullifies your ability to traceback where traffic is ingressing your network, which is key for both security as well as traffic engineering, peering analysis, etc.
It is far, far better to get your flow telemetry from your various edge routers, if at all possible, rather than probes. Scales better, too - and is less expensive in terms of both capex and opex.
I agree completely, probes are expensive, difficult to manage and can't accurately tell you how the traffic passed through the router.
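An added illustration of the collector-side flow cache discussed in this thread (not code from any of the posters or from an sFlow or NetFlow implementation): sampled packet headers exported by the edge routers are aggregated into flow records, scaled by the sampling rate, and then grouped by router and ingress interface to trace where traffic toward a destination entered the network. The `Sample` record layout, the function names and all values are assumptions constructed for the example.

```python
from collections import defaultdict
from typing import NamedTuple

class Sample(NamedTuple):
    """One sampled packet header as exported by a router (simplified, assumed layout)."""
    agent: str        # router that took the sample
    in_ifindex: int   # interface the packet arrived on
    rate: int         # 1-in-N sampling rate in effect
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    frame_len: int    # bytes on the wire

# Constructed samples; addresses come from the documentation ranges.
SAMPLES = [
    Sample("edge1", 3, 1000, "198.51.100.7", "192.0.2.10", 17, 53, 4444, 1400),
    Sample("edge1", 3, 1000, "198.51.100.7", "192.0.2.10", 17, 53, 4444, 1400),
    Sample("edge2", 7, 500, "203.0.113.9", "192.0.2.10", 17, 53, 5555, 1200),
    Sample("edge1", 4, 1000, "192.0.2.10", "198.51.100.7", 6, 443, 50000, 60),
]

def build_flow_cache(samples):
    """Collector-side flow cache: aggregate sampled headers into flow records."""
    cache = defaultdict(lambda: {"sampled": 0, "est_packets": 0, "est_bytes": 0})
    for s in samples:
        key = (s.agent, s.in_ifindex, s.src, s.dst, s.proto, s.sport, s.dport)
        rec = cache[key]
        rec["sampled"] += 1
        rec["est_packets"] += s.rate              # each sample stands for `rate` packets
        rec["est_bytes"] += s.frame_len * s.rate
    return dict(cache)

def ingress_for_destination(cache, dst):
    """Estimated bytes toward dst, grouped by (router, ingress interface), largest first."""
    totals = defaultdict(int)
    for (agent, ifindex, _src, d, *_rest), rec in cache.items():
        if d == dst:
            totals[(agent, ifindex)] += rec["est_bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    cache = build_flow_cache(SAMPLES)
    for (agent, ifindex), est in ingress_for_destination(cache, "192.0.2.10"):
        print(f"{agent} ifIndex {ifindex}: ~{est} bytes")
```

Because each sample carries the exporting router and input interface, the flow records keep the ingress point whether the cache lives on the router or at the collector.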