Re: Sampling used for accounting -- was: RE: NetFlow

From: Avi Freedman (freedman@freedman.net)
Date: Wed May 30 2001 - 23:39:50 EDT

Next message: David Murphy: "[j-nsp] ospf on trunk interface"
Previous message: Brown, Mike: "Sampling used for accounting -- was: RE: NetFlow"
Next in thread: Matt Ranney: "Re: Sampling used for accounting -- was: RE: NetFlow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

I believe ANS did some rigorous studies with their IBM routers...
I'd be curious to peek if anyone has URLs...

Avi

> Jeremy,
>
> I'm intrigued by your comment that "... it's been statistically proven that
> sampled netflow
> is perfectly adequate for determining traffic patterns as well as accounting
> usage."
>
> Can you provide any references or other information to the analyses of the
> accuracy of sampling for accounting?
>
> Regards,
> Mike
>
> -----Original Message-----
> From: Jeremy Noetzelman [mailto:jnoetzel@cac.washington.edu]
> Sent: Wednesday, May 30, 2001 7:19 PM
> To: Jonathan Tse
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: NetFlow
>
>
> Both Cisco and Juniper require sampling at higher line rates. Juniper
> doesn't provide full netflow ever, they always require sampling.
>
> Remember, netflow, sampled or not, is hard on the router CPU. So at
> higher line rates, if you attempt full unsampled netflow, your router will
> keel over from the load. Sampling was introduced to allow you to gather
> netflow data at line rates that are too high for unsampled netflow. A GSR
> can monitor full line rate OC3 just as easily as a VXR. It's just a
> matter of how much traffic before your box keels over.
>
> We initially didn't like the idea of sampling, as we use netflow for
> things that must be very accurate. However, after several discussions
> with Statistics PhDs, it's been statistically proven that sampled netflow
> is perfectly adequate for determining traffic patterns as well as
> accounting usage.
>
> We were able to sample in excess of 8000 packets per second with the M10,
> but ymmv. Considering we will need to get netflow data for OC192 lines,
> full netflow is just not an option on the routers themselves. The new
> Foundry product I mentioned may also be of interest, we certainly like
> that concept.
>
> What line rates are you looking to monitor?
>
> J
>
> On Thu, 31 May 2001, Jonathan Tse wrote:
>
> > But if the "7000 packet per second" sampling is true for juniper. Assume
> > average packet size is 1000Bytes. The juniper is able to monitor 50-60Mbps
> > traffic only. Or GSR is not as good as VXR in this part?
> >
> > Jonathan.
> >
> > ----- Original Message -----
> > From: "Jeremy Noetzelman" <jnoetzel@cac.washington.edu>
> > To: "Jonathan Tse" <jonathantse@pacific.net.sg>
> > Cc: <juniper-nsp@puck.nether.net>
> > Sent: Thursday, May 31, 2001 8:02 AM
> > Subject: Re: NetFlow
> >
> >
> > > Sorry, I should have clarified. The head to head tests were with the
> GSR
> > > doing sampling at the same 1/X rate as the M10.
> > >
> > > Regarding the maximum capture rate for the VXR, it'll handle OC3, since
> > > that's the largest line we use them for. One of our OC3's routinely
> gets
> > > up to 120-130mb/s with no netflow loss.
> > >
> > > Jeremy
> > >
> > > On Thu, 31 May 2001, Jonathan Tse wrote:
> > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Jeremy Noetzelman" <jnoetzel@cac.washington.edu>
> > > > To: "Matt Ranney" <mjr@ranney.com>
> > > > Cc: <juniper-nsp@puck.nether.net>
> > > > Sent: Wednesday, May 30, 2001 11:47 PM
> > > > Subject: Re: NetFlow
> > > >
> > > >
> > > > > It is somewhat important to note that Cisco NetFlow can't keep up
> with
> > > > > full sampling at higher line rates. We've run extensive tests using
> > GSR's
> > > >
> > > > But it is apple to orange, isn't it? Comparing GSR full capture with
> > M10's
> > > > sampling? Or did I miss something?
> > > >
> > > > Any idea of the maximum capture rate of VXR?
> > > >
> > > > Thanks.
> > > >
> > > > Jonathan.
> > > >
> > > >
> > >
> >
> >
>
>
> ------_=_NextPart_001_01C0E97B.9AAC0D70
> Content-Type: text/html;
> charset="iso-8859-1"
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
> <HTML>
> <HEAD>
> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
> <TITLE>Sampling used for accounting -- was: RE: NetFlow</TITLE>
> </HEAD>
> <BODY>
>
> Jeremy,
> 
>
> I'm intrigued by your comment that "... it's been statistically proven that sampled netflow
> is perfectly adequate for determining traffic patterns as well as accounting usage."
> 
>
> Can you provide any references or other information to the analyses of the accuracy of sampling for accounting?
> 
>
> Regards,
> Mike
> 
>
> -----Original Message-----
> From: Jeremy Noetzelman [<A HREF="mailto:jnoetzel@cac.washington.edu">mailto:jnoetzel@cac.washington.edu</A>]
> Sent: Wednesday, May 30, 2001 7:19 PM
> To: Jonathan Tse
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: NetFlow
> 
> 
>
> Both Cisco and Juniper require sampling at higher line rates.  Juniper
> doesn't provide full netflow ever, they always require sampling.
> 
>
> Remember, netflow, sampled or not, is hard on the router CPU.  So at
> higher line rates, if you attempt full unsampled netflow, your router will
> keel over from the load.  Sampling was introduced to allow you to gather
> netflow data at line rates that are too high for unsampled netflow.  A GSR
> can monitor full line rate OC3 just as easily as a VXR.  It's just a
> matter of how much traffic before your box keels over.
> 
>
> We initially didn't like the idea of sampling, as we use netflow for
> things that must be very accurate.  However, after several discussions
> with Statistics PhDs, it's been statistically proven that sampled netflow
> is perfectly adequate for determining traffic patterns as well as
> accounting usage.
> 
>
> We were able to sample in excess of 8000 packets per second with the M10,
> but ymmv.  Considering we will need to get netflow data for OC192 lines,
> full netflow is just not an option on the routers themselves.  The new
> Foundry product I mentioned may also be of interest, we certainly like
> that concept.
> 
>
> What line rates are you looking to monitor?
> 
>
> J
> 
>
> On Thu, 31 May 2001, Jonathan Tse wrote:
> 
>
> > But if the "7000 packet per second" sampling is true for juniper. Assume
> > average packet size is 1000Bytes. The juniper is able to monitor 50-60Mbps
> > traffic only. Or GSR is not as good as VXR in this part?
> >
> > Jonathan.
> >
> > ----- Original Message -----
> > From: "Jeremy Noetzelman" <jnoetzel@cac.washington.edu>
> > To: "Jonathan Tse" <jonathantse@pacific.net.sg>
> > Cc: <juniper-nsp@puck.nether.net>
> > Sent: Thursday, May 31, 2001 8:02 AM
> > Subject: Re: NetFlow
> >
> >
> > > Sorry, I should have clarified.  The head to head tests were with the GSR
> > > doing sampling at the same 1/X rate as the M10.
> > >
> > > Regarding the maximum capture rate for the VXR, it'll handle OC3, since
> > > that's the largest line we use them for.  One of our OC3's routinely gets
> > > up to 120-130mb/s with no netflow loss.
> > >
> > > Jeremy
> > >
> > > On Thu, 31 May 2001, Jonathan Tse wrote:
> > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Jeremy Noetzelman" <jnoetzel@cac.washington.edu>
> > > > To: "Matt Ranney" <mjr@ranney.com>
> > > > Cc: <juniper-nsp@puck.nether.net>
> > > > Sent: Wednesday, May 30, 2001 11:47 PM
> > > > Subject: Re: NetFlow
> > > >
> > > >
> > > > > It is somewhat important to note that Cisco NetFlow can't keep up with
> > > > > full sampling at higher line rates.  We've run extensive tests using
> > GSR's
> > > >
> > > > But it is apple to orange, isn't it? Comparing GSR full capture with
> > M10's
> > > > sampling? Or did I miss something?
> > > >
> > > > Any idea of the maximum capture rate of VXR?
> > > >
> > > > Thanks.
> > > >
> > > > Jonathan.
> > > >
> > > >
> > >
> >
> >
> 
>
> </BODY>
> </HTML>
> ------_=_NextPart_001_01C0E97B.9AAC0D70--
>

Next message: David Murphy: "[j-nsp] ospf on trunk interface"
Previous message: Brown, Mike: "Sampling used for accounting -- was: RE: NetFlow"
Next in thread: Matt Ranney: "Re: Sampling used for accounting -- was: RE: NetFlow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:42 EDT