On Feb 5, 2014, at 7:34 PM, Phil Mayers <[email protected]> wrote:
> If that's the case, do please spell them out. Real sampling, thereby avoiding mls table overflow, with the resultant nondeterministic skew of statistics; seeing stats on dropped traffic; getting TCP flags so as to classify things like SYN-floods; and so forth. Things pre-EARL8 Sups/DFCs simply didn't support, but which are vital for even the most basic traffic engineering, peering analysis, and troubleshooting purposes, much less security. NetFlow on pre-EARL8 Sups/DFCs was a disaster; many folks who thought they were getting accurate statistics weren't due to mls table overflow, and all the above caveats regarding basic functionality really made it not very useful. I can't tell you the number of folks I've talked to for the last 13 years or so who thought their own NetFlow stats were fine from EARL6 and EARL7, until they realized they weren't getting what they thought they were getting, and they couldn't even trust that due to mls table overflow. I'm glad you were happy with EARL7 NetFlow, but that's a minority view, in my experience (both when I worked for Cisco and afterwards). ----------------------------------------------------------------------- Roland Dobbins <[email protected]> // <http://www.arbornetworks.com> Luck is the residue of opportunity and design. -- John Milton _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
