NetFlow - path from Routers to Collector
Roland Dobbins
rdobbins at arbor.net
Tue Sep 1 23:22:34 UTC 2015
On 2 Sep 2015, at 0:44, Jared Mauch wrote:
> I think the key here is that Roland isn't often constrained by these
> financial considerations.
That's entirely true. I deal every day with customers who are, though.
> I would respectfully disagree with Roland here and agree with Job,
> Niels, etc.
I understand where you and they are coming from, in this regard. I just
disagree, as well.
> A few networks have robust out of band networks, but most I've seen
> have an interesting mixture of things
Concur 100%.
> and inband is usually the best method.
Let me be clear - OOB for flow telemetry can be actually provisioned on
the same boxes which are handling the production network traffic. It
isn't ideal, but it's better than running it truly inband in the
production network, mixed in with customer traffic. VLANs, VRFs,
whatever are a reasonable compromise, and a lot of folks do this.
Inband is a huge risk, especially in a world of multi-hundred gb/sec
reflection/amplification attacks (not to mention the other catastrophic
failure scenarios). I know you sink a lot of UDP at the edges of your
network to ameliorate this problem, but not all operators do that or
agree with it either in principle or as a matter of optimal utility. I
understand that this sort of thing is a decision that all network
operators must make for themselves based upon their knowledge of their
own networks and customer needs.
> Those that do have "seperate" networks may actually be CoC services
> from another deparment in the same company riding the same P/PE
> devices (sometimes routers).
Yes, that's what I'm getting at above. It isn't ideal, but there's no
reason to make the perfect the enemy of the merely good, agreed.
> I've seen oob networks on DSL, datacenter wifi or cable swaps through
> the fence to an adjacent rack.
Absolutely. All kinds of creative lashups to get console access in
difficult situations (and, as you noted previously, an increasing number
of devices don't support serial console at all, which is highly
annoying).
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG
mailing list