DDOS, IDS, RTBH, and Rate limiting
freedman at freedman.net
Sat Nov 22 15:49:32 UTC 2014
> > On the contrary - SPAN nee port mirroring cuts into the
> > frames-per-second budget of linecards, as the traffic is in essence
> > being duplicated. It is not 'free', and it has a profound impact on
> > the the switch's data-plane traffic forwarding capacity.
> > Unlike NetFlow.
> In hosting case mirroring usually done for uplink port, but i have to
> agree, it might be a problem.
Have you seen any issues with SPANning? We usually advise something like
a $1k netoptis tap or to be cheaper there are actually $50 fiber cables
with 30/70 taps embedded (so two such, one for RX tap and one for TX tap).
Of course, that only grabs a single 10gig whereas with SPAN you can
potentially do more - but the issues we've seen across vendors is that
if you try to send more traffic into a SPAN port than its size, bad
things can happen. Head of line blocking, random congestion, and other
And you trade off potential catastrophic downtime for SPAN-related
network destabilization, for guaranteed downtime to bring links down
to tap them.
> "Major" expenses - tuning server according author recommendations, and
> writing shell script that will send to 4948 command to blackhope IP. For
> qualified sysadmin it is 2 hours of work, and $500 max as a "labor"
> cost. Thats it. What can be cheaper than $2000 in this case? I guess i
> wont get answer.
I think the issue is not with your providing the info about fastnetmon,
its genesis, and what you see as the great use cases for it - more around
the statements on flow as an unusable source of data for various purposes.
Things seem to have died down around that though, which is good :)
> Best regards,
Avi Freedman | Your flow has something to show you; can you see it? |
CEO, CloudHelix | (avi at cloudhelix dot com) | my name one word on skype |
More information about the NANOG