Source AS in Netflow

dskrjabin
Level 1

I have 2 BGP neighbors: AS1 and AS2. The default route for outgoing traffic is AS1. I receive incoming traffic from AS2.

Thus, I have this scheme:

AS0 -> AS1 -> <many other AS> -> AS2 -> AS0

I'm using NetFlow v5 for accounting. The NetFlow collector is flow-tools. In the NetFlow statistics I have src-as AS1, but the traffic really comes from AS2. How does NetFlow define src-as? I need to know the real source AS (AS2 in this case).

My netflow config is:

ip flow-export version 5 peer-as

ip flow-export interface-names

ip flow-export destination 192.168.100.1 9996

In interfaces:

ip route-cache flow

Setting origin-as instead of peer-as has not given any result.

Cisco 7206, IOS: 12.4(11)T3

Jan Nejman
Level 3

Hello,

In NetFlow you cannot see the real AS. In Cisco's implementation, the router does the following.

When it receives a packet, it looks up the source IP address in the routing table, sees that the next hop for the source address is AS1, and sets src-AS=AS1 in the NetFlow export (it doesn't matter that the packet was received from AS2). NetFlow uses the local routing table, not the real incoming interface/AS number!

I hope this helps you. I don't have a better solution for you. Do you have a switch between your border router and your ISP (AS2)?

If yes, you can collect NetFlow on this device.

Best regards,

Jan Nejman

http://www.caligarec.om

Thank you for your answer.

I do not have a Cisco switch between my router and the ISP. I will try to use source-interface in addition to src-as for traffic accounting.

Hello,

Matching by source interface is a good idea.

I don't know the configuration of flow-tools, but you can use filtering and replacement of fields if that is available in flow-tools. We are also developing NetFlow software (Caligare Flow Inspector), in which you can use the feature of replacing AS numbers. But the software is free only for non-commercial use. ;-(

This method works when peer-as is set. How does Cisco define src-as when origin-as is set? I do not receive the full BGP table, only my neighbors and the neighbors of my neighbors.

For example, I will know a path such as:

AS0 -> AS1 -> -> AS3 -> AS2 -> AS0

The config will be:

ip flow-export version 5 origin-as

What will I see in src-as: AS3 or AS1?

Hello,

Cisco uses only the routing table to fill in the AS fields in NetFlow exports, so you need to configure BGP. To see which src-AS will be filled in in the NetFlow export (for the origin-as configuration), try the following command:

show ip bgp bestpath ...

I don't know what you will see if you don't have full BGP on your router. I guess that Cisco will use null (or AS=0) as src-AS...

Jan

Exporting with origin-as will populate the v5 flow record with src and dest AS.

src-as = AS where the flow came from

dst-as = AS where the flow ends

If you export with "peer-as" then it will populate the v5 flow record with src and dst AS like this:

src-as = AS where the flow came from

dst-as = AS of the next hop off your AS network.

The problem, as indicated above, is that the router looks at its forwarding table and populates the AS based on where the router would send that traffic. If you are monkeying around with how BGP traffic flows, you will likely get inaccurate information populated in the flow records.

I tried setting the origin-as configuration. When the real AS of the source was unknown, src-as was set to AS1. Thus, in my opinion, Cisco works the same as when peer-as is set.

Thanks for help! :)
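
An added example, not part of any post in this thread: the workaround discussed above (keying on the input interface instead of trusting the exported src-as), written as a collector-side step in Python that parses NetFlow v5 datagrams and rewrites src_as from each record's input ifIndex. The ifIndex-to-AS map, the AS numbers, the addresses and the sample packet are constructed, and the approach assumes each upstream neighbor is reached over its own interface.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # NetFlow v5 flow record, 48 bytes

# Hypothetical map: SNMP ifIndex of each upstream-facing interface -> neighbor AS.
# Constructed values; AS 64501 plays the thread's AS1, AS 64502 plays AS2.
INGRESS_AS = {2: 64501, 3: 64502}

def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        (src, dst, _nexthop, in_if, _out_if, _pkts, octets, _first, _last,
         _sport, _dport, _flags, _proto, _tos, src_as, dst_as, _smask,
         _dmask) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
               "input_if": in_if, "octets": octets,
               "src_as": src_as, "dst_as": dst_as}

def fix_src_as(flow, ingress_as=INGRESS_AS):
    """Replace the routing-table-derived src_as with the ingress interface's AS."""
    fixed = dict(flow, exported_src_as=flow["src_as"])
    # Unknown interfaces keep the exported value instead of being guessed.
    fixed["src_as"] = ingress_as.get(flow["input_if"], flow["src_as"])
    return fixed

def bytes_by_src_as(datagram):
    """Per-AS byte totals after the src_as correction."""
    totals = {}
    for flow in map(fix_src_as, parse_v5(datagram)):
        totals[flow["src_as"]] = totals.get(flow["src_as"], 0) + flow["octets"]
    return totals

def sample_datagram():
    """Constructed export: two flows, both stamped src_as=64501 by the router."""
    def rec(src, in_if, octets):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton("192.0.2.10"),
                           bytes(4), in_if, 1, 10, octets, 0, 0, 40000, 80,
                           0x18, 6, 0, 64501, 0, 24, 24)
    header = HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0)
    return header + rec("198.51.100.7", 3, 1500) + rec("203.0.113.9", 2, 700)

if __name__ == "__main__":
    print(bytes_by_src_as(sample_datagram()))
```

The first sample flow arrives on ifIndex 3, so it is re-attributed to AS 64502 even though the router exported 64501; the original value is kept in `exported_src_as` for comparison.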
