[c-nsp] Sup2T netflow problems

Dobbins, Roland rdobbins at arbor.net
Wed Feb 5 07:44:56 EST 2014


On Feb 5, 2014, at 7:34 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> If that's the case, do please spell them out.

Real sampling, thereby avoiding mls table overflow, with the resultant nondeterministic skew of statistics; seeing stats on dropped traffic; getting TCP flags so as to classify things like SYN-floods; and so forth.

Things pre-EARL8 Sups/DFCs simply didn't support, but which are vital for even the most basic traffic engineering, peering analysis, and troubleshooting purposes, much less security.

NetFlow on pre-EARL8 Sups/DFCs was a disaster; many folks who thought they were getting accurate statistics weren't due to mls table overflow, and all the above caveats regarding basic functionality really made it not very useful.

I can't tell you the number of folks I've talked to for the last 13 years or so who thought their own NetFlow stats were fine from EARL6 and EARL7, until they realized they weren't getting what they thought they were getting, and they couldn't even trust that due to mls table overflow.  I'm glad you were happy with EARL7 NetFlow, but that's a minority view, in my experience (both when I worked for Cisco and afterwards).

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
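
Added example, not part of the original post or thread: how the cumulative TCP flags in flow records allow SYN-flood classification per destination, and why records without flags cannot be classified. The field names, thresholds, and sample flows are constructed assumptions; `tcp_flags` is taken to be the OR of all flags seen in the flow, and 0 stands for an exporter that reports no flags.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP = 6  # IP protocol number


def sample_flows():
    """Constructed flow records (documentation addresses, not real traffic)."""
    flows = []
    for i in range(400):  # one-packet flows that never got past the SYN
        flows.append({"src": f"198.51.100.{i % 250 + 1}", "dst": "192.0.2.10",
                      "proto": TCP, "tcp_flags": SYN, "packets": 1})
    for dst, count in (("192.0.2.10", 50), ("192.0.2.20", 60)):
        for i in range(count):  # completed sessions
            flows.append({"src": f"203.0.113.{i + 1}", "dst": dst, "proto": TCP,
                          "tcp_flags": SYN | ACK | PSH | FIN, "packets": 12})
    for i in range(30):  # exporter supplied no TCP flags at all (assumed as 0)
        flows.append({"src": f"203.0.113.{i + 100}", "dst": "192.0.2.30",
                      "proto": TCP, "tcp_flags": 0, "packets": 1})
    return flows


def classify_destinations(flows, min_flows=100, syn_only_ratio=0.8):
    """Label each TCP destination from the flag mix of its inbound flows."""
    stats = defaultdict(lambda: {"tcp": 0, "syn_only": 0, "no_flags": 0})
    for f in flows:
        if f["proto"] != TCP:
            continue
        s = stats[f["dst"]]
        s["tcp"] += 1
        if f["tcp_flags"] == 0:
            s["no_flags"] += 1
        elif f["tcp_flags"] & (SYN | ACK | FIN | RST) == SYN:
            s["syn_only"] += 1  # handshake never completed within this flow
    verdicts = {}
    for dst, s in stats.items():
        if s["no_flags"] == s["tcp"]:
            verdicts[dst] = "unclassifiable"  # nothing to judge without flags
        elif s["tcp"] >= min_flows and s["syn_only"] / s["tcp"] >= syn_only_ratio:
            verdicts[dst] = "syn-flood-suspect"
        else:
            verdicts[dst] = "normal"
    return verdicts


if __name__ == "__main__":
    for dst, verdict in sorted(classify_destinations(sample_flows()).items()):
        print(dst, verdict)
```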



