Re: [j-nsp] Recommended sampling rates on MS-500 pic

[Doan Nguyen]

Tim,

the difference between sampling with the PIC vs. using the RE is that with the 
PIC
the router sends the entire packet to the pic vs. the IP header.  With this 
bandwidth
to the PIC is probably more of the limiting factor for your sampling rate.  
With the RE
you do not have the bandwidth issue but processor utilization to worry about.  

I believe the MS500 is rated at OC48 speed so depending on packet size you will 
hit
bandwidth limitation first before you will packet per second.

--- On Sat, 6/19/10, tim tiriche tim.tiri...@gmail.com wrote:

From: tim tiriche tim.tiri...@gmail.com
Subject: [j-nsp] Recommended sampling rates on MS-500 pic
To: juniper-nsp@puck.nether.net
Date: Saturday, June 19, 2010, 9:33 AM

Hello,

I would like to know what is the recommended sampling rates to use on
a network and what can the juniper support.
In addition, what factors determine what sampling rate to use.

Thanks you!

--tim
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp



  
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Recommended sampling rates on MS-500 pic

[Stefan Fouant]

There are no universal rules which apply to sampling.  Obviously the more
packets you can capture during a given sample, the better.  Determining your
sampling rate depends on a lot of variables.  You should start by looking at
the intended application for deployment of sampling.  For DDoS alerting, as
little as 1:100 or even in some cases 1:1000 can be enough due to the higher
probabilities of capturing a known malicious packet within the overall
sample.  If you need visibility on all network traffic, especially
short-lived flows, then you are going to need to reduce your sampling rate
quite to something as close to 1:1 as possible.  

Ideally, you can optimize the sampling rate based on an analysis of the
existing flow rates in your network - this of course might be impossible
given the fact that this is the reason you are deploying a monitoring
application in the first place.  There are design considerations that will
also allow you to scale your sampling application to support higher numbers
than might otherwise be possible - for example, limiting your firewall
filters to monitor only that which is relevant to the sampling application
is a common technique.

Ultimately, you should take a look at the datasheet for the hardware you
intend on deploying and compare that to what you expect to see on your
network.  I have personally observed 1:1 sampling in several production
networks where monitoring hardware (AS-PIC, MS-PIC, etc.) was used  with no
performance degradation.  I've also seen 1:100 sampling on an M7 without the
ASM and this worked fine as well with little increase in CPU on the RE.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D

 -Original Message-
 From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
 boun...@puck.nether.net] On Behalf Of tim tiriche
 Sent: Sunday, June 20, 2010 8:23 AM
 To: juniper-nsp@puck.nether.net
 Subject: [j-nsp] Recommended sampling rates on MS-500 pic
 
 Hello,
 
 I would like to know what is the recommended sampling rates to use on a
 network and what can the juniper support.
 In addition, what factors determine what sampling rate to use.
 
 Thanks you!
 
 --tim
 ___
 juniper-nsp mailing list juniper-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] Recommended sampling rates on MS-500 pic

[tim tiriche]

Hello,

I would like to know what is the recommended sampling rates to use on
a network and what can the juniper support.
In addition, what factors determine what sampling rate to use.

Thanks you!

--tim
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] Recommended sampling rates on MS-500 pic

[tim tiriche]

Hello,

I would like to know what is the recommended sampling rates to use on
a network and what can the juniper support.
In addition, what factors determine what sampling rate to use.

Thanks you!

--tim
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp