[Bro] Bro with 10Gb NIC's or higher

Li, Yee Ting ytl at slac.stanford.edu
Fri Jan 9 13:44:18 PST 2015


I concur with Aashish; the biggest help is the shunting of large flows (and possibly encrypted flows).

We have a Cisco Nexus 3172 (6x40gbps + 48x10gbps copper) load balancing to 6 x Dell 620s (E5-2695 v2 @ 2.40GHz x 24); each with Intel X540-AT2’s (2x10gbps copper) running 20 workers each (with pfring/dna)… sustaining about 5gbps… and we still see packet loss >5% on some workers due to the elephant flows in our environment.


> On 9 Jan 2015, at 12:26, Aashish Sharma <asharma at lbl.gov> wrote:
> What saves us is the shunting capability - basically bro identifies and cuts off the rest of the big flows by placing a src,src port - dst, dst-port ACL on arista while continuing to allow control packets (and dynamically removes ACL once connection_ends) 
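
The shunting logic described in the quoted message, modelled as an added example (not code from this thread, from Bro, or from any Arista API). The byte threshold, the class and method names, the rule tuples, and the choice of SYN/FIN/RST as the "control packets" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

CONTROL_FLAGS = ("syn", "fin", "rst")  # assumed meaning of "control packets"

@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Shunter:
    threshold: int = 1 << 30                   # assumed; the thread gives no number
    seen: dict = field(default_factory=dict)   # Conn -> bytes observed by the sensor
    acl: dict = field(default_factory=dict)    # Conn -> ordered rule tuples

    def rules_for(self, c):
        """Both directions: permit control packets first, then drop the payload."""
        rules = []
        for a, ap, b, bp in ((c.src, c.sport, c.dst, c.dport),
                             (c.dst, c.dport, c.src, c.sport)):
            rules += [("permit", a, ap, b, bp, f) for f in CONTROL_FLAGS]
            rules.append(("deny", a, ap, b, bp, None))
        return rules

    def on_bytes(self, c, n):
        """Count payload; install the ACL once when the flow crosses the threshold."""
        self.seen[c] = self.seen.get(c, 0) + n
        if self.seen[c] < self.threshold or c in self.acl:
            return False
        self.acl[c] = self.rules_for(c)
        return True

    def on_connection_end(self, c):
        """Remove the flow's ACL entries when the connection ends; returns rules removed."""
        self.seen.pop(c, None)
        return len(self.acl.pop(c, []))

    def to_sensor(self, src, sport, dst, dport, flags=frozenset()):
        """First-match evaluation: does this packet still reach the sensor?"""
        for rules in self.acl.values():
            for action, a, ap, b, bp, flag in rules:
                if (a, ap, b, bp) == (src, sport, dst, dport) and \
                        (flag is None or flag in flags):
                    return action == "permit"
        return True  # no matching entry: traffic is forwarded as usual
```

Because the FIN and RST permits sit ahead of the deny, the sensor still observes teardown of a shunted flow, which is what lets the ACL be withdrawn when the connection ends.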
