[j-nsp] clarification of enabling sample
Stefan Fouant
sfouant at gmail.com
Sat Oct 25 21:53:48 EDT 2008
On Sat, Oct 25, 2008 at 9:38 PM, Brian Spade <bitkraft at gmail.com> wrote:
> Docs show to create a firewall filter for sampling, i.e.:
>
> firewall {
> family inet filter catch_all term default then {
> sample; accept; }}
>
> I have enabled sampling directly on the interface without using a firewall
> filter. Everything works fine.
>
> ge-3/1/0 {
>     unit 0 {
>         family inet {
>             sampling {
>                 input;
>                 output;
>             }
>             address 10.100.20.3/30;
>         }
>     }
> }
>
> Do you really need this firewall filter? What is the difference of just
> enabling sample on the interface?
>
> /b
For all intents and purposes there are no practical differences
between the two methods you have proposed, since your firewall filter
term is essentially a match all... The main difference is when you
want to sample a subset of the traffic traversing a given interface.
This is when matching on particular flows using a firewall filter
comes in handy. If you have a particularly large amount of traffic
traversing your interfaces and you don't have a requirement to sample
all traffic, sampling via the use of firewall filters will also allow
you to have more fine-grained control over your AS-PIC/MS-PIC/etc.
resources.
--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
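As an added example (not posted by either participant), the filter-based variant Stefan describes: sample only traffic destined to one prefix rather than everything crossing ge-3/1/0, and accept the rest unsampled. The prefix 192.0.2.0/24, the collector 192.0.2.250, the 1-in-100 rate and the filter and term names are assumptions for illustration; the forwarding-options hierarchy is shown in the "family inet output flow-server" form, which differs between Junos releases, so check it against the release in use.

```junos
firewall {
    family inet {
        filter sample-subset {
            /* Only this term carries the sample action, so only flows
             * to the assumed prefix 192.0.2.0/24 reach the sampling PIC. */
            term sample-customer {
                from {
                    destination-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    sample;
                    accept;
                }
            }
            /* Junos filters end with an implicit discard; without this
             * catch-all term, unmatched traffic would be dropped. */
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    ge-3/1/0 {
        unit 0 {
            family inet {
                /* The filter replaces "sampling { input; }" on the unit;
                 * use one or the other, not both. */
                filter {
                    input sample-subset;
                }
                address 10.100.20.3/30;
            }
        }
    }
}
forwarding-options {
    sampling {
        /* Assumed rate: 1 packet in 100 of the packets the filter marks. */
        input {
            rate 100;
        }
        family inet {
            output {
                /* Assumed collector address and port. */
                flow-server 192.0.2.250 {
                    port 2055;
                    version 5;
                }
            }
        }
    }
}
```

Only one input filter (or an input-list) can be attached per family on a unit, so if ge-3/1/0 already carries an input filter, add the sampling term to that filter rather than replacing it, keeping the term order so that the existing accept/discard decisions are unchanged.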