[c-nsp] 6500 netflow export and the switch cpu
Lubos Pinkava
acm at casablanca.cz
Mon Sep 29 03:02:40 EDT 2008
Hello,
we are using optical splitters and copper media convertors to get
desired traffic into the probes build on Linux with Luca Deri's PF_RING
optimalization and fprobe. It's definitely not bad solution with today's
server performance. For higher speeds & packet rates (let's say over
500kpps with common server hw) it's possible to use hardware accelerated
probes (available interfaces 1GE/10GE) - try:
http://www.invea.cz/main/home/
They also offer tuned multiport sw based probes for a very reasonable
price.
Regards
Lubos
Ivan Gasparik píše v Pá 12. 09. 2008 v 21:32 +0200:
> It depends on the amount of traffic you are planning to analyze.
> In my experience from ISP environment a 3BXL with 256000 netflow
> entries can handle about 3Gb/s of average internet traffic
> without overrunning the netflow cache. But you have to use really
> aggressive timers to force flows time out very quickly and to
> make space for newly created flow entries.
> Big guys would say, move to CRS with 1024000 netflow entries per
> slot and more powerful CPU's ;-)
> I plan to try the way mentioned by you - mirroring traffic to
> some fprobe server. Is here somebody running external server for
> netflow analysis? I would be interrested in your experiences,
> especially what hardware is needed for processing 10Gb/s of
> traffic?
>
> Ivan
--
Lubomir Pinkava, CTO
CASABLANCA INT
Vinohradska 184 / Praha 3 / PSC 130 52
Telefon: +420 270 000 218
Email: lubos.pinkava at casablanca.cz / www.casablanca.cz
More information about the cisco-nsp
mailing list