NetFlow - path from Routers to Collector

Looking at probably 100 networks' flow paths over the last year,
I'd say 1 or 2 have OOB for flow.

Maybe another 10-20 have interest in taking simpler time series
data of top talkers over their OOB networks, but not the flow
itself.

Agree w Roland that it can cause problems with telemetry if
there are big network misconfigs. But for folks seeing DDoS,
we implement rate-limiting of the flows/sec via local proxies
to avoid overwhelming network capacity with the flow data...

Avi

> Looking at probably 100 networks' flow paths over the last year, I'd say 1 or 2 have OOB for flow.

Far fewer have it than should, agreed. A reasonable compromise is VLANs, VRFs, and so on to at least keep it out of the data-plane of the production network.

> But for folks seeing DDoS, we implement rate-limiting of the flows/sec via local proxies
> to avoid overwhelming network capacity with the flow data...

A lot of networks do that - they collect the flow telemetry relatively topologically near their edge routers which are exporting it, do distributed analysis (depending upon what tools they're using for collection/analysis), and then the analysis results are what's long-hauled - and this is much less than the raw flow telemetry volume.
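
The following is an added example, not code from either poster or from any product they describe. It shows the edge-local relay idea from the thread: a token bucket caps forwarded flow records per second, while a per-source byte summary (the small result worth long-hauling) still counts every record seen. The class name, record fields and sample addresses are constructed for illustration.

```python
from collections import Counter


class FlowRelay:
    """Edge-local relay: rate-limits forwarded flow records, keeps a top-talker summary."""

    def __init__(self, max_flows_per_sec, top_n=3):
        self.rate = float(max_flows_per_sec)
        self.tokens = self.rate          # bucket starts full
        self.last_ts = None
        self.top_n = top_n
        self.bytes_by_src = Counter()
        self.forwarded = 0
        self.dropped = 0

    def offer(self, ts, src, nbytes):
        """Return True if the record may be forwarded upstream to the collector."""
        # The summary counts every record, so top talkers stay accurate
        # even when the raw export is being throttled during a flood.
        self.bytes_by_src[src] += nbytes
        if self.last_ts is not None:
            refill = (ts - self.last_ts) * self.rate
            self.tokens = min(self.rate, self.tokens + refill)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.forwarded += 1
            return True
        self.dropped += 1
        return False

    def summary(self):
        """Compact result to send over the long-haul or OOB path."""
        return {
            "forwarded": self.forwarded,
            "dropped": self.dropped,
            "top_talkers": self.bytes_by_src.most_common(self.top_n),
        }


def run_demo():
    # Constructed sample: a burst of 20 small flows in one instant,
    # followed one second later by 2 larger flows from another source.
    records = [(0.0, "198.51.100.7", 100)] * 20 + [(1.0, "192.0.2.10", 1500)] * 2
    relay = FlowRelay(max_flows_per_sec=5)
    for ts, src, nbytes in records:
        relay.offer(ts, src, nbytes)
    return relay.summary()


if __name__ == "__main__":
    print(run_demo())
```

Tracking the dropped count alongside the summary lets the collector side know when the forwarded raw flows are an incomplete sample.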