[j-nsp] recommended Netflow sampling rates?

Alexander Tarkhov karabass at gmail.com
Mon Sep 1 05:55:30 EDT 2008


Hi Justin,

In this case the AS2 PIC hardware limitation is the key.
I think the value you report here - 150 kpps - is in line with the 250
kpps marketed for this variant of the service PIC. Your best practice
would be either to turn off sampling on some interfaces or to change
sampling rate to something lower than 1:1 so that you keep it at
reasonable pps.

Also be aware that you absolutely have to keep the number of flows in
the AS2 PIC memory below 1M. If you get an unusual lot of concurrent flows
in your transit traffic suddenly (you know, DDoS happens), then you
might need to lower sampling rate further compared to the rate which
gives your normal 150 kpps of samples.
Just to keep the number of flows in AS2 PIC memory below the 1M limit.
Or you can choose to lower it in advance thus losing accuracy.

You can monitor the health of the AS2 PIC using "per interface"
counters from SNMP Services PIC MIB:
http://www.juniper.net/techpubs/software/junos/junos92/swconfig-net-mgmt/mib-jnx-sp.txt

Speaking about run-length option, I'm not sure if the actual rate is
4:100 or 5:100 in your new config. As per documentation the default
value of run-length is 0:
http://www.juniper.net/techpubs/software/junos/junos92/swconfig-policy/run-length.html

If rate 100 and run-length 0 gives 1:100,
then rate 100 and run-length 4 gives 5:100, I would think.
That could be a documentation typo however.

-Alex

P.S. Another important fact - even when you get in trouble with
sampling or statistics accuracy, it does not affect the forwarding of
production traffic at all. Samples are just the copies of packet
headers (notification cells).

>
> My border routers are a pair of M120s with Adaptive Service PIC-IIs.
> My investigation started when I began getting high CPU alerts in the message
> log on the ASPIC-II.  At peak times, the traffic rate was 550-600 Mb/s out
> the sp-X/X/X interface and packet rates around 150 kpps.  That's when I
> checked the config and saw that someone had set both routers up for 1:1
> sampling :(
>
> jms
>

