On 05/08/15 16:07, Ryan Harden wrote:
> Phil,
>
> I agree wholeheartedly. However, due to the nature of what we’re trying to
> capture, optical taps prove to be cost prohibitive.
> In our scenario, we would require roughly 1600 taps and another 1600 “TapAgg”
> ports to collect them.
>
> Using SPANs we would require only 155 ports. One for each campus building
> aggregation device.

Fair enough, but obviously you'll be contending those SPAN ports at ~ 10:1, given those numbers, so I think your security team's concern about missing flows is entirely justified - regardless of what flow generation tool you use, it can't generate flows for traffic it doesn't see because the SPAN port drops during e.g. a microburst.

But you know your own architecture, and if SPAN ports are suitable, fine.

FWIW: I've used softflowd on a farm of busy recursive DNS resolver(s) before, and it kept up just fine but did need a lot of RAM.

A while back - >5 years - we did try using an optical tap directed at a fast server running softflowd to do our border netflow. It comprehensively did NOT keep up - a lot of dropped flows, very busy box, and of course lost metadata like the BGP next-hop, AS numbers, etc.

It's really going to depend on your traffic profile.

Cheers,
Phil