Hi Mario, Wrt the balancing algorithm & templates. Definitely the round-robin balancing algorithm is suitable only for - pass me the term - non- contextual protocols/protocol versions (ie. sFlow and NetFlow v5); NetFlow v9/IPFIX, which are template-based, require the 'hash-agent' one where the IP address of the NetFlow v9/IPFIX sender is hashed over the pool of destinations so to ensure template/data records are always making together to the same destination (precisely for the issue you describe). Alternative to balancing is selective teeing, ie. select which source to replicate to which destination (using a tag mechanism) - which makes things more controllable especially in rapidly expanding scenarios.
Cheers, Paolo On Wed, Feb 10, 2016 at 11:19:42AM +0000, Jentsch, Mario wrote: > Hi Pau, > > it depends on the Netflow version. With versions that use templates it may be > the easiest way to ignore the data at the end points that is ???too much???. > The problem is that without the templates the receiver can???t process the > data. > > For versions without templates have a look at the ???balance-alg??? option in > the tee_receivers.lst example. You may send some data into ???blackhole > destinations??? to get rid of it. > > I don???t know how Paolo handles balancing for packets that contain Template > FlowSet(s) ??? if they are forwarded to all pool destinations or not ??? > didn???t test this myself or checked the code trying to find out. In case the > templates are forwarded to all destinations in exception to the balancing > method, it looks like you can use it for Netflow v9 etc too. > > Regards, > Mario > > From: pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net] On > Behalf Of KA PDE > Sent: Monday, February 08, 2016 3:28 PM > To: pmacct-discussion@pmacct.net > Subject: [pmacct-discussion] Question about teeing and sampling > > Hi all, > > I've recently discovered pmacct and I'm evaluating it to forward netflow data > for security purposes to a set of collectors, some of them requiring less > amount of data sent. > > I have a simple configuration using the tee plugin. I've managed to send flow > information to NFsen but I'm unable to find a way of sampling to the other > destination.Is this achievable with pmacct? > > ! nfacctd configuration > ! > ! > ! > daemonize: true > pidfile: /var/run/nfacctd.pid > syslog: daemon > > nfacctd_port: 9996 > nfacctd_ip: 88.22.33.99 > plugin_pipe_size: 10240000 > plugin_buffer_size: 10240 > > plugins: tee[nfsen], tee[pmacct] > tee_receiver[nfsen]: 127.0.0.1:9995<http://127.0.0.1:9995> > tee_receiver[pmacct]: 127.0.0.1:9999<http://127.0.0.1:9999> > ! sampling_rate[pmacct]: 4096 > tee_transparent: true > > Thanks in advance and best regards, > > Pau > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
