[j-nsp] Recommended sampling rates on MS-500 pic

Stefan Fouant sfouant at shortestpathfirst.net
Mon Jun 21 04:28:28 EDT 2010


There are no universal rules which apply to sampling.  Obviously the more
packets you can capture during a given sample, the better.  Determining your
sampling rate depends on a lot of variables.  You should start by looking at
the intended application for deployment of sampling.  For DDoS alerting, as
little as 1:100 or even in some cases 1:1000 can be enough due to the higher
probabilities of capturing a known malicious packet within the overall
sample.  If you need visibility on all network traffic, especially
short-lived flows, then you are going to need to reduce your sampling rate
to something as close to 1:1 as possible.

Ideally, you can optimize the sampling rate based on an analysis of the
existing flow rates in your network - this of course might be impossible
given the fact that this is the reason you are deploying a monitoring
application in the first place.  There are design considerations that will
also allow you to scale your sampling application to support higher numbers
than might otherwise be possible - for example, limiting your firewall
filters to monitor only that which is relevant to the sampling application
is a common technique.

Ultimately, you should take a look at the datasheet for the hardware you
intend on deploying and compare that to what you expect to see on your
network.  I have personally observed 1:1 sampling in several production
networks where monitoring hardware (AS-PIC, MS-PIC, etc.) was used with no
performance degradation.  I've also seen 1:100 sampling on an M7 without the
ASM and this worked fine as well with little increase in CPU on the RE.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of tim tiriche
> Sent: Sunday, June 20, 2010 8:23 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Recommended sampling rates on MS-500 pic
> 
> Hello,
> 
> I would like to know what the recommended sampling rates are to use on a
> network and what the Juniper can support.
> In addition, what factors determine what sampling rate to use?
> 
> Thank you!
> 
> --tim
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
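
The trade-off described in the reply above (1:100 or 1:1000 can be enough for DDoS alerting, while short-lived flows need something close to 1:1), worked through as an added example that is not part of the original thread. It assumes each packet is selected independently with probability 1/N, which simplifies how a router actually samples, and the traffic mix (one flood plus many 5-packet flows) is constructed.

```python
import math
import random


def p_flow_seen(packets, n):
    """Probability that at least one packet of a flow is sampled at 1:n."""
    return 1.0 - (1.0 - 1.0 / n) ** packets


def packets_for_confidence(n, confidence=0.95):
    """Smallest flow size (in packets) that is seen with >= confidence at 1:n."""
    if n == 1:
        return 1  # every packet is sampled
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / n))


def visibility(n, flood_pkts=500_000, short_flows=200, short_len=5, seed=1):
    """Sample a constructed mix (one flood, many short flows) at 1:n.

    Returns (flood packet estimate scaled back up by n,
             fraction of short flows with at least one sampled packet).
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable

    def hit():
        return rng.random() < 1.0 / n

    flood_sampled = sum(hit() for _ in range(flood_pkts))
    seen = sum(any(hit() for _ in range(short_len)) for _ in range(short_flows))
    return flood_sampled * n, seen / short_flows


if __name__ == "__main__":
    print("rate    P(5-pkt flow seen)  pkts for 95%  flood est.  short flows seen")
    for n in (1, 100, 1000):
        est, frac = visibility(n)
        print(f"1:{n:<5} {p_flow_seen(5, n):<19.4f} "
              f"{packets_for_confidence(n):<13} {est:<11} {frac:.1%}")
```

The flood volume is still estimated closely at 1:1000, while almost none of the short flows leave a sampled packet at that rate.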


