cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Gigamon split traffic to AMD packet and AMD Netflow

sylvian_lam1
Organizer

Hi,

May I know anyone deal with Gigamon Visibility Switch hardware that can re-generate Netflow data to AMD from SPAN port traffic?

Currently working on a POC with Gigamon, original purpose is reduce duplicate packets before feeding packets to AMD and the result is good.

However I found most of the SPAN traffic are CIFS (port 445) and it means AMD is busy to process those intra-server traffic. Since the Gigamon hardware can re-generate Netflow data, ideally if can filter out such 445 traffic to AMD for packet processing meanwhile re-generate those 445 traffic to AMD as Netflow source, it should leave AMD more resources to process packets for others software services.

Does it make sense? Any ideas or comments are welcome.

Thanks.

Sylvian

8 REPLIES 8

ulf_thornander3
Inactive

If you feed a AMD some Netflow data, then the defined Software Serviecs will be deducted from the Netflow traffic so as not to doublecount the traffic.

What leads you to believe that the CIFS decode is working hard?

Thanks for your response, Ulf.

My AMD enabled to capture "default software services", some "user-define software services" and also enabled AMD Netflow (so aggressive :P) .

I create two DMI report to compare CIFS traffic bytes of two different link : SPAN port "11.xx.xx.xx LAN" and Netflow traffic "10.xx.xx.xx Gigamon". Interestingly, DMI report Netflow traffic much more than SPAN port traffic. I didn't define any CIFS traffic as user-define software services.

Almost 80% of SPAN traffic are CIFS, and it is monitored by "default software services". So I assume the AMD NIC (OS driver level), and RTM level will be heavy loaded. Correct me if it is not the case.

Thx

sylvian_lam1
Organizer

Hi,

Some updates.

I found that those CIFS traffic are double count because they're from different "link" name. That means need to filter out CIFS traffic from span port source, Gigamon can do that but with an additional cost.

AMD can't do that itself, right?

sylvian_lam1
Organizer

One more query in mind, do I need to purchase Netflow license if I use the existing AMD for both SPAN and Flow Collector?

ulf_thornander3
Inactive

Hi - sorry for the delay.

Heavy load is always in relation to the volume as well as the nature of the traffic. If your traffic is nice and neat and keep the packet sizes at good MTU of 1500 octets your AMD can process a lot more MBPS than if the packets are small and try to push the same amount of data across the wire.

As you found, you need to keep your tounge-in-cheek when naming things.

For cost and license question I'll have to defer you to your friendly sales rep :-).

sylvian_lam1
Organizer

hahaha, thanks. Ulf.

chris_v
Dynatrace Pro
Dynatrace Pro

Technically, it'll work, assuming I've understood correctly. Excuse my crude ASCII drawing.

           DC traffic (SPAN)
\/
Gigamon
\/ \/
Traffic-CIFS | NetFlow (CIFS)
\/ \/
AMD

You'll of course need a NetFlow license for the AMD/CAS to process that data.

sylvian_lam1
Organizer

yes, Chris. Gigamon can do the trick but AMD will count double traffic bytes if both SPAN and Netflow data comes to a single AMD, it increase the loading of AMD as well.