flow analysis for juniper devices

Sun Nov 14 17:32:10 UTC 2010

On Sun, Nov 14, 2010 at 08:59:33AM +0000, Paolo Lucente wrote:
> On Sat, Nov 13, 2010 at 09:17:55PM -0600, Richard A Steenbergen wrote:
> 
> > Oh and the sFlow on EX is actually pretty cripled when used for routing. 
> > It's missing support for a bunch of important extended message tpes, and 
> > doesn't fully populate all of the fields of the message types it does 
> > send. For example you won't get any data on ASNs, nexthops, dest 
> > ifindexes, or even netmasks of the src/dst route the flow matched, 
> > making it pretty darn useless for a lot of tasks. It's functional if 
> > you're just analyzing L2 networks at any rate.
> 
> Agree people spend some money and hence tend to expect something in
> return. But it's also true those good souls developing free collectors
> (to stay in topic with the OP) sometimes come to the rescue: ASNs, BGP
> next-hop, routes, netmasks can be all looked up at the collector at
> pretty no major effort. Variety of methods available depending on the
> collector, in place or a posteriori, file or BGP lookup - it's matter
> of selecting what fits better the specific job.

Yes you can do an offline routing lookup to try and reconstruct some 
missing data (or do some even more interesting analysis, as described in 
http://www.nanog.org/meetings/nanog35/presentations/steenbergen.pdf), 
but it isn't always a practical solution to missing netmask, nexthop, 
and dest ifindex data.

Remember that every RIB in your network can and will have a unique best 
path selection (thanks to the EBGP > IBGP rule if nothing else), and if 
you have a network of any size at all you'll probably have to deal with 
multiple exits to the same network. Even if you were only concerned with 
analyzing external traffic, you'd still need to collect a RIB per edge 
router using an IBGP feed. In my network this would put you well over 10 
million paths, and consume several gigs of ram, not to mention the load 
of doing the routing lookups themselves. If you wanted to do traffic 
analysis inside your network you'd need a feed from every router, and 
maybe even active participation in your IGP. It CAN be done, but it's 
not pretty, and I don't think any existing free software has been tested 
under these kinds of conditions.

So when a vendor says "we support sFlow", make sure they actually 
support the message types and fields you need. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)