Hi Sune,

  Sorry for our late reply but we had a long weekend here in Spain.

  Ok, if you just want NetFlow or sFlow accounting the best option is surely 
to configure such a feature in your edge switches or routers and use pmacctd.

  In respect to other alternatives, I would defend a different one :)

  If you plan on using iptables to secure those links, there is an option that 
will allow you to not have a single point of failure: either put a couple of 
boxes in HA or use LAN Bypass cards.

  In that sense we have quite some experience providing such a solution, 
including the possibility of other features like IDS/IPS, AV, AS,... with 
hardware acceleration (performance over Gbps).

  In respect to Linux NetFlow Probes, we use nprobe and hope to replace it in 
the near future with pmacct. As others have recommended, you should use the 
mmapped version at least, and if possible PF_RING (this second is harder to 
set up and seems a little buggy lately).

  Of course, we also have our own commercial solutions for this, but hey, this 
is not the place to do publicity :)))

  Regards

--------------------------------------------
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Pol. PISA - C/ Manufactura 6, P1, 3B
Mairena del Aljarafe - 41927 - Sevilla
Telf.- (+34) 955 60 11 60 / 619 04 55 18

----- Sune <[EMAIL PROTECTED]> wrote:
> Hi Paolo,
> 
> Thanks to you too for a detailed reply.
> 
> > c) If it's an option, use native port mirroring or 
> > NetFlow/sFlow solutions
> >   available straight on your routers and switches.
> Yes, I think we're going to go with this solution.
> 
> > Searching through the archives of the list, you will find 
> > some useful answers to your question. Most depends on the 
> > packet/flow rate produced by your network infrastructure - 
> > but IMHO with such a rocket you should be definitely ok. 
> Alright, thanks, I am surprised that the dual core system is even defined as
> a rocket :) Is it overkill? Should I go with a P4 3GHz instead? I tried
> searching the archives without much luck, but then again as you point out,
> it depends on the current packet flow (which we haven't really got any
> statistics of).
> 
> > You can also have an alternative approach - which is known to 
> > pay in terms of overall performance. Instead of summarizing, 
> > you can run two different MySQL plugins, ie. getting the same 
> > traffic and aggregating the same way, but using different 
> > time resolutions, one on the 5 mins (sql_history: 5m) and the 
> > other on the day (sql_history: 1d) resolution. What remains 
> > to do is just to delete old rows - an inexpensive operation. 
> > The cost is the use of a slightly more disk slice, which in 
> > turn should not be a great issue.
> After reading yours and Jakub's suggestions, I'll try to consider which
> approach would be the best for the MySQL part. I can see that pmacct offers
> a lot of flexibility on this point.
> 
> > I'd say that pmacct has been written to cope precisely with 
> > such needs, not only yours but also shared by many providers 
> > around the world.
> Sounds good - the prompt and thorough replies I received to my questions
> definitely encourage me to use and support this project. Great work guys!
> 
> -- 
> Best regards,
> Sune
> 
> 
> 
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists

