Source AS in Netflow

Sep 17th, 2007

I have 2 BGP neighbors: AS1 and AS2. The default route for outgoing traffic is via AS1. Incoming traffic I receive from AS2.

Thus, I have this scheme:

AS0 -> AS1 -> <many other AS> -> AS2 -> AS0

I'm using NetFlow v5 for accounting. The NetFlow collector is flow-tools. In the NetFlow statistics I have src-as AS1, but the traffic really comes from AS2. How does NetFlow define src-as? I need to know the real source AS (AS2 in this case).


My netflow config is:

ip flow-export version 5 peer-as

ip flow-export interface-names

ip flow-export destination 192.168.100.1 9996


In interfaces:

ip route-cache flow


Setting origin-as instead of peer-as has not given any result.


Cisco 7206, IOS 12.4(11)T3


Jan Nejman Tue, 09/18/2007 - 02:51

Hello,

in NetFlow you cannot see the real AS. In Cisco's implementation, the router does the following.

When it receives a packet, it looks into the routing table for the source IP address, sees that the next hop for the source address is AS1, and sets src-AS=AS1 in the NetFlow export (it doesn't matter that the packet was received from AS2). NetFlow uses the local routing table, not the real incoming interface/AS number!


I hope this helps you. I don't have any better solution for you. Do you have any switch between your border router and your ISP (AS2)?

If yes, you can collect NetFlow on this device.


Best regards,

Jan Nejman

http://www.caligarec.om


dskrjabin Tue, 09/18/2007 - 03:24

Thank you for your answer.

I have no Cisco switch between my router and ISP. I will try to use source-interface in addition to src-as for accounting traffic.

Correct Answer
Jan Nejman Tue, 09/18/2007 - 03:41

Hello,

Matching by source interface is a good idea.

I don't know the configuration of flow-tools, but you can use filtering and replacement of fields if it is available in flow-tools. We are also developing NetFlow software (Caligare Flow Inspector), where you can use the feature of replacing AS numbers. But the software is free only for non-commercial use. ;-(
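
As an added example (not from this thread, and not flow-tools code), a small collector-side script that implements the "account by source interface" idea from this answer: it parses a constructed NetFlow v5 datagram and charges octets to the BGP neighbour behind the record's input ifIndex instead of the router-exported src_as, listing the records where the two disagree. The ifIndex-to-AS map and the sample flows are assumptions made up for the example.

```python
import struct
import ipaddress

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Assumed (not from the thread): external ifIndex -> neighbour AS on that link.
INGRESS_PEER_AS = {1: 1, 2: 2}   # ifIndex 1 faces AS1, ifIndex 2 faces AS2

def parse_v5(datagram):
    """Decode every flow record in one NetFlow v5 export datagram."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    flows, off = [], V5_HEADER.size
    for _ in range(count):
        f = V5_RECORD.unpack_from(datagram, off)
        off += V5_RECORD.size
        flows.append({"src": str(ipaddress.IPv4Address(f[0])),
                      "dst": str(ipaddress.IPv4Address(f[1])),
                      "input_if": f[3], "output_if": f[4],
                      "octets": f[6], "src_as": f[15], "dst_as": f[16]})
    return flows

def account_by_ingress(flows, ingress_peer_as):
    """Charge octets to the AS behind the input interface; list disagreements."""
    octets, mismatches = {}, []
    for r in flows:
        real_as = ingress_peer_as.get(r["input_if"])
        if real_as is None:          # LAN-side interface, not a peer link
            continue
        octets[real_as] = octets.get(real_as, 0) + r["octets"]
        if r["src_as"] != real_as:   # router's routing-table guess was wrong
            mismatches.append((r["src"], r["src_as"], real_as))
    return octets, mismatches

def _rec(src, dst, in_if, out_if, octets, src_as, dst_as):
    """Build one constructed v5 record (unused fields zeroed, proto TCP)."""
    return V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                          ipaddress.IPv4Address(dst).packed, bytes(4), in_if,
                          out_if, 1, octets, 0, 0, 0, 0, 0, 0, 6, 0, src_as, dst_as, 24, 24, 0)

# Constructed sample datagram: a flow that entered on the AS2 link but was exported
# with src_as=1 (the thread's symptom), one labelled correctly, one from the LAN side.
SAMPLE_DATAGRAM = V5_HEADER.pack(5, 3, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    _rec("203.0.113.10", "192.0.2.5", 2, 3, 1500, 1, 0),
    _rec("198.51.100.7", "192.0.2.9", 2, 3, 500, 2, 0),
    _rec("192.0.2.5", "203.0.113.10", 3, 1, 300, 0, 1),
])
```

Running `account_by_ingress(parse_v5(SAMPLE_DATAGRAM), INGRESS_PEER_AS)` charges all 2000 octets to AS2 and flags the first record, whose exported src_as of 1 came from the routing-table lookup rather than the ingress link.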

dskrjabin Tue, 09/18/2007 - 22:08

This method works when peer-as is set. How does Cisco define src-as when origin-as is set? I do not receive the full BGP table, only my neighbors and the neighbors of my neighbors.

For example, I will know such a path:

AS0 -> AS1 -> -> AS3 -> AS2 -> AS0

In the config it will be:

ip flow-export version 5 origin-as


What will I see in src-as: AS3 or AS1?

Jan Nejman Wed, 09/19/2007 - 03:17

Hello,

Cisco uses only the routing table to fill in the AS fields in NetFlow exports. So you need to configure BGP. To see which src-AS will be filled in the NetFlow (for the origin-as configuration), try the following command:


show ip bgp bestpath ...


I don't know what you will see if you don't have a full BGP table on your router. I guess that Cisco will use null (or AS=0) as src-AS...


Jan


avmabe Wed, 09/19/2007 - 06:17

Exporting with origin-as will populate the v5 flow record with src and dst AS.


src-as = AS where the flow came from

dst-as = AS where the flow ends


If you export with "peer-as" then it will populate the v5 flow record with src and dst AS like this:


src-as = AS where the flow came from

dst-as = AS of the next hop off your AS network.


The problem, as indicated above, is that the router looks at its forwarding table and populates the AS based on where the router would send that traffic. If you are monkeying around with how BGP traffic flows, you will likely get inaccurate information populated in the flow records.

dskrjabin Thu, 09/20/2007 - 19:09

I tried the origin-as configuration. When the real AS of the source was unknown, src-as was set to AS1. Thus, in my opinion, Cisco works the same as when peer-as is set.

Thanks for help! :)
