May I know anyone deal with Gigamon Visibility Switch hardware that can re-generate Netflow data to AMD from SPAN port traffic?
Currently working on a POC with Gigamon, original purpose is reduce duplicate packets before feeding packets to AMD and the result is good.
However I found most of the SPAN traffic are CIFS (port 445) and it means AMD is busy to process those intra-server traffic. Since the Gigamon hardware can re-generate Netflow data, ideally if can filter out such 445 traffic to AMD for packet processing meanwhile re-generate those 445 traffic to AMD as Netflow source, it should leave AMD more resources to process packets for others software services.
Does it make sense? Any ideas or comments are welcome.
If you feed a AMD some Netflow data, then the defined Software Serviecs will be deducted from the Netflow traffic so as not to doublecount the traffic.
What leads you to believe that the CIFS decode is working hard?
Thanks for your response, Ulf.
My AMD enabled to capture "default software services", some "user-define software services" and also enabled AMD Netflow (so aggressive :P) .
I create two DMI report to compare CIFS traffic bytes of two different link : SPAN port "11.xx.xx.xx LAN" and Netflow traffic "10.xx.xx.xx Gigamon". Interestingly, DMI report Netflow traffic much more than SPAN port traffic. I didn't define any CIFS traffic as user-define software services.
Almost 80% of SPAN traffic are CIFS, and it is monitored by "default software services". So I assume the AMD NIC (OS driver level), and RTM level will be heavy loaded. Correct me if it is not the case.
I found that those CIFS traffic are double count because they're from different "link" name. That means need to filter out CIFS traffic from span port source, Gigamon can do that but with an additional cost.
AMD can't do that itself, right?
Hi - sorry for the delay.
Heavy load is always in relation to the volume as well as the nature of the traffic. If your traffic is nice and neat and keep the packet sizes at good MTU of 1500 octets your AMD can process a lot more MBPS than if the packets are small and try to push the same amount of data across the wire.
As you found, you need to keep your tounge-in-cheek when naming things.
For cost and license question I'll have to defer you to your friendly sales rep :-).
Technically, it'll work, assuming I've understood correctly. Excuse my crude ASCII drawing.
DC traffic (SPAN)
Traffic-CIFS | NetFlow (CIFS)
You'll of course need a NetFlow license for the AMD/CAS to process that data.