Login | Register For Free | Help	Search this list this category for: (Advanced)

Mailing List Archive: Cisco: NSP netflow not recording correct origin-as   Index | Next | Previous | View Flat

spork at bway Jun 13, 2012, 9:28 PM Views: 369 Permalink netflow not recording correct origin-as It's been a very long time since I touched netflow, but I recently installed FlowViewer since I wanted to grab some stats (we collect netflow data, but don't do much with it) since we are transit shopping. Thought it would be interesting to see, for example how much traffic ends up somewhere like cogent to see if it's worth throwing them in the mix. After digging up from FlowViewer to "sh ip cache verbose flow", I'm starting to think either I totally misunderstood how this works or there's something wonky with IOS. We have our own AS and we have transit to HE.net and Level3. If I run any report in flow-tools or flowviewer that shows source/destination AS counts, it shows about 99% of my traffic with a source or destination AS of 3356. This is obviously not true - traffic graphs show that we run about 2/3 inbound from HE. When I look at the src/dst AS in "sh ip cache verbose flow", I see the same thing. Here's a single line showing what I believe is incorrect AS info: SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts Port Msk AS Port Msk AS NextHop B/Pk Active Fa2/0 86.21.123.0 AT3/0.2535 216.220.114.xxx 06 00 02 2 E055 /0 3356 2D3D /32 0 216.220.114.xxx 52 2.9 That's a flow from 86.21.123.0 which is AS 5089 to one of our customers. Fa2/0 is HE.net. So not only is this flow not sourced from AS3356, it's not even coming in via our transit link to 3356. This seems totally wrong. I'm on a 7206 w/an NPE-G2. IOS 12.4(24)T6. Both transit links have "ip flow ingress" and "ip flow egress". I also started with just ingress on those interfaces as well as an ATM OC-3 interface and another GigE port, but the ATM interface did not seem to be grabbing flows from the subinterfaces. My AS problem is the same with either configuration. My export config is this: ip flow-export source Loopback0 ip flow-export version 5 origin-as ip flow-export destination 216.220.107.41 9800 ip flow-top-talkers top 40 sort-by packets Am I doing something obviously wrong here? Thanks, Charles -- Charles Sprickman NetEng/SysAdmin Bway.net - New York's Best Internet www.bway.net spork [at] bway - 212.655.9344 _______________________________________________ cisco-nsp mailing list cisco-nsp [at] puck https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

Subject User Time netflow not recording correct origin-as spork at bway Jun 13, 2012, 9:28 PM     Re: netflow not recording correct origin-as gert at greenie Jun 14, 2012, 1:16 AM         Re: netflow not recording correct origin-as spork at bway Jun 14, 2012, 1:47 AM             Re: netflow not recording correct origin-as gert at greenie Jun 14, 2012, 2:01 AM

Index | Next | Previous | View Flat   Cisco     BBA     NAS     NSP     uBR     VOIP

Interested in having your list archived? Contact Gossamer Threads
 

Web Applications & Managed Hosting Powered by Gossamer Threads Inc.