DDOS, IDS, RTBH, and Rate limiting

> On the contrary - SPAN nee port mirroring cuts into the
> frames-per-second budget of linecards, as the traffic is in essence
> being duplicated. It is not 'free', and it has a profound impact on
> the the switch's data-plane traffic forwarding capacity.
> Unlike NetFlow.

In hosting case mirroring usually done for uplink port, but i have to
agree, it might be a problem.

Have you seen any issues with SPANning? We usually advise something like
a $1k netoptis tap or to be cheaper there are actually $50 fiber cables
with 30/70 taps embedded (so two such, one for RX tap and one for TX tap).

Of course, that only grabs a single 10gig whereas with SPAN you can
potentially do more - but the issues we've seen across vendors is that
if you try to send more traffic into a SPAN port than its size, bad
things can happen. Head of line blocking, random congestion, and other
strange failures.

And you trade off potential catastrophic downtime for SPAN-related
network destabilization, for guaranteed downtime to bring links down
to tap them.

"Major" expenses - tuning server according author recommendations, and
writing shell script that will send to 4948 command to blackhope IP. For
qualified sysadmin it is 2 hours of work, and $500 max as a "labor"
cost. Thats it. What can be cheaper than $2000 in this case? I guess i
wont get answer.

I think the issue is not with your providing the info about fastnetmon,
its genesis, and what you see as the great use cases for it - more around
the statements on flow as an unusable source of data for various purposes.

Things seem to have died down around that though, which is good :slight_smile:

Best regards,

Avi Freedman | Your flow has something to show you; can you see it? |
CEO, CloudHelix | (avi at cloudhelix dot com) | my name one word on skype |