[c-nsp] (Netflow Vs raw traffic monitoring)

Kim Onnel karim.adel at gmail.com
Thu Mar 31 05:09:39 EST 2005


Hi,

We're new to monitoring traffic on large-scale links, at an Internet
service provider.

We have different products on our hands from vendors who do Netflow
collection and analysis, and from others who only look at native raw
traffic, usually using SPAN or network taps to get the traffic to
their devices. These devices' functions are DDoS/anomaly detection
and/or capacity planning/traffic engineering (Peakflow, Lancope
stealthflow, ..).

I would like to put them in comparison, from the technical and
economical perspective.

Off the top of my head, due to the nature of the Netflow products, since
they only look at packet headers, they enable me to look at
a greater number of trunks/links, and they are mobile (ability to move
flows through the network to a remote collector), and on top of that they
save the numbers for later (historical warehouse).

I have never worked with the other type of products (raw traffic ones),
so I don't know how to compare them to the above. I have one vendor in
particular ahead of me (Esphion.com).

I have also never worked with optical taps, and have no practical
experience with SPAN, so I don't know of any performance caveats or tricks.

Assuming a situation where a 6509 with sup2 or a 7609 with sup720 is used
as an Internet gateway,

having only Cisco 3500 switches as my downlink to the network
distributing the Internet to my PEs, how do I measure whether the switch
fabric of the cascaded 3500 switches will handle the load?

Could we put another switch in between which will relax the Cisco 3500s?

If a tap is needed, where should it be installed, and what are the
precautions for such a setup?

Any idea of prices of optical taps, and of the whole setup?


Regards,
Ahmed

