I'm trying to understand how to better use the analytics stuff ...
I have several questions,
and maybe some ideas ...
first of all: APP Telemetry
I see that everything seems to work thanks to:
- a quite big policy on the switch
- the remote EAN mirror
with a customer, I would like to have as much information as possible about specific traffic ...
what I did till now is:
- I decreased the sFlow sampling rate to the minimum of 256 on ports where I know there are the "interesting devices"
- I modified the telemetry.pol, to mirror to the "EAN mirror" ALL the traffic "from and to" those devices
am I moving in the right direction,
or am I doing it in a completely wrong way?
if I mirror a lot of traffic to the "EAN mirror", will this increase the amount of information that the analytics software can get from the traffic, or is it completely useless (like ... the analytics software can handle only specific traffic signatures, and NOTHING out of that ... )
second: network response time vs application response time
I see I don't have those values for ALL the flows I have ... why?
I mean ... I suppose part of the "problem" is related to the sFlow sampling rate ...
but what else?
can I have those values for both UDP and TCP traffic?
third: core2 probe
I know that using a core2 probe, with all mirrored traffic,
I can have a lot of information about network traffic ...
is there any way to have a similar amount of information,
without the use of a core2 probe?
(I mean, also considering what I said in the previous "points")
What I don't understand is "WHY I always need a Core2 physical probe" ...
I can understand it because of the "huge amount" of traffic,
but IF I need more info about a very specific flow, or very specific traffic,
why can't I have a "software" that is directly on the Analytics VM that can analyze that traffic ...
moreover now I have the GRE tunnel option, that is "super useful"!! ...
please let me know what you think