[j-nsp] recommended Netflow sampling rates?

Brian Spade bitkraft at gmail.com
Tue Sep 2 23:32:23 EDT 2008


Are there any recommendations for a J-series?  I am not too clear on the
performance or how to monitor it when sampling from the sp-interface.

Thanks,
/b

On Mon, Sep 1, 2008 at 2:55 AM, Alexander Tarkhov <karabass at gmail.com> wrote:

> Hi Justin,
>
> In this case the AS2 PIC hardware limitation is the key.
> I think the value you report here - 150 kpps is in line with the 250
> kpps marketed for this variant of the service PIC. Your best practice
> would be either to turn off sampling on some interfaces or to change
> sampling rate to something lower than 1:1 so that you keep it at
> reasonable pps.
>
> Also be aware that you absolutely have to keep the number of flows in
> the AS2 PIC memory below 1M. If you get unusual lot of concurrent flows
> in your transit traffic suddenly (you know, DDoS happens), then you
> might need to lower sampling rate further compared to the rate which
> gives your normal 150 kpps of samples.
> Just to keep the number of flows in AS2 PIC memory below the 1M limit.
> Or you can choose to lower it in advance thus losing accuracy.
>
> You can monitor the health of the AS2 PIC using "per interface"
> counters from SNMP Services PIC MIB:
>
> http://www.juniper.net/techpubs/software/junos/junos92/swconfig-net-mgmt/mib-jnx-sp.txt
>
> Speaking about run-length option, I'm not sure if the actual rate is
> 4:100 or 5:100 in your new config. As per documentation the default
> value of run-length is 0:
>
> http://www.juniper.net/techpubs/software/junos/junos92/swconfig-policy/run-length.html
>
> If rate 100 and run-length 0 gives 1:100.
> Then rate 100 and run-length 4 gives 5:100 I would think.
> That could be a documentation typo however.
>
> -Alex
>
> P.S. Another important fact - even when you get in trouble with
> sampling or statistics accuracy, it does not affect the forwarding of
> production traffic at all. Samples are just the copies of packet
> headers (notification cells).
>
> >
> > My border routers are a pair of M120s with Adaptive Service PIC-IIs.
> > My investigation started when I began getting high CPU alerts in the
> > message log on the ASPIC-II.  At peak times, the traffic rate was 550-600 Mb/s
> > out the sp-X/X/X interface and packet rates around 150 kpps.  That's when I
> > checked the config and saw that someone had set both routers up for 1:1
> > sampling :(
> >
> > jms
> >

