On 05/08/15 16:07, Ryan Harden wrote:
> Phil,
>
> I agree wholeheartedly. However, due to the nature of what we’re trying to 
> capture, optical taps prove to be cost prohibitive.
> In our scenario, we would require roughly 1600 taps and another 1600 “TapAgg” 
> ports to collect them.
>
> Using SPANs we would require only 155 ports. One for each campus building 
> aggregation device.

Fair enough, but obviously you'll be contending those SPAN ports at ~ 
10:1, given those numbers, so I think your security team's concern about 
missing flows is entirely justified - regardless of what flow generation 
tool you use, it can't generate flows for traffic it doesn't see because 
the SPAN port drops during e.g. a microburst.

But you know your own architecture, and if SPAN ports are suitable, fine.

FWIW:

I've used softflowd on a farm of busy recursive DNS resolver(s) before, 
and it kept up just fine but did need a lot of RAM.

A while back - >5 years - we did try using an optical tap directed at a 
fast server running softflowd to do our border netflow. It 
comprehensively did NOT keep up - a lot of dropped flows, very busy box, 
and of course lost metadata like the BGP next-hop, AS numbers, etc.

It's really going to depend on your traffic profile.

Cheers,
Phil

------------------------------------------------------------------------------
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
