NetFlow - path from Routers to Collector

Roland Dobbins rdobbins at arbor.net
Wed Sep 2 00:56:16 UTC 2015


On 2 Sep 2015, at 7:38, jim deleskie wrote:

> These networks survived many "large" DDoS attacks and far more fat
> finger incidents than I like to think about.

What I'm saying is that keeping flow telemetry and other 
management-plane traffic from mixing with customer data-plane traffic is 
important in order to ensure visibility and control during a significant 
network-impacting event.

I've personally been involved in assisting multiple operators in 
multiple incidents in which either DDoS attack traffic or inadvertent 
routing redistribution excursions led to loss of visibility and control, 
resulting in unnecessarily-long times to resolution.

Virtual separation is generally Good Enough, and what we see with 
customers who run it all in-band is an increasing number who're taking 
steps to achieve at least virtual separation (~20%, as Avi noted, is 
about what we see implemented, currently).  It isn't nearly as many as 
we would like to see, and it isn't happening as fast as we'd like to see 
it, but we encourage it wherever we can.

The OP on this thread was essentially asking about the best approach.  
OOB, whether virtual or physical, is the best approach.  Economic 
factors may militate against this, at least initially, but a disaster or 
two can change that economic analysis.

I also suspect that increasing use of 'SDN'-type (apologies for using 
that overused acronym!) orchestration across the entire network topology 
(e.g., not just within the IDC) is going to lead to more separation of 
management-plane traffic from customer data-plane traffic, as the 
implications sink in.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
