[c-nsp] 6k Netflow To Be or Not To Be...

Mack McBride mack.mcbride at viawest.com
Tue Nov 15 10:05:56 EST 2011


It is hard to give exact figures for traffic levels because every network is different.
The following are based on my experience with a general hosting-centric traffic pattern.
Streaming media will generally allow higher BW to be achieved before overflow.
Below 5G you are unlikely to overflow (given a certain amount of tuning).
Above 10G you are almost certain to overflow (no matter how you tune it).
Of course, if traffic is atypical (attack or not just web traffic), all bets are off.

Having said all of that, netflow is lousy for traffic billing on the EARL7.
Of course, any traffic billing based on netflow should guarantee that the collection server
doesn't drop packets, since they don't get re-sent.  Unless flow counts are fairly low,
netflow is not a good billing model for most applications, since there is no guarantee against underbilling.

For security, even the somewhat lacking netflow on the EARL7 is good but not great.
It should definitely be supplemented by other data sources such as SPAN or taps.

For general traffic patterns it is very good, primarily because these are estimates anyway.

Mack

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, November 15, 2011 1:32 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6k Netflow To Be or Not To Be...

On 11/15/2011 03:25 AM, Dobbins, Roland wrote:
>
> On Nov 15, 2011, at 5:57 AM, Nick Hilliard wrote:
>
>> pfc3 netflow is fine if you need to measure traffic ratios or 
>> protocol spread.
>
> Actually, in any kind of diverse source/dest/layer-4 environment, it 
> isn't, due to non-deterministic statistical skewing due to mls table 
> overflow.

IF you overflow.

Some (perhaps relatively small or quiet) networks can run without overflowing, or with only very occasional overflows. We do.