[flow-tools] final destination ASN export

Mark Turpin mark-flowtools@gomez.charter.com
Thu, 23 May 2002 09:34:54 -0500


Well, this was touched on last year slightly, however the individual in the
archives was looking for full AS path information.  I am interested in the
final destination ASN.  Currently, I have a router that has multiple interfaces
to a single provider, and is receiving full routes from the upstream.
The problem is that it's only reporting the AS of 7018/AT&T the transit provider.

The AS 0 is not a big deal, what I'm bothered by is a single AS of 7018.
Shouldn't I be seeing the real AS, and not the next-hop-AS?  For instance,
my source/dest IP matrix reports an IP out of C&W, why isn't 3561 showing up in
the AS reports?

Router config snippet:
!
interface Serial2/1
 ip access-group 151 in
 ip access-group 152 out
 ip route-cache flow sampled
!
interface Serial2/2
 ip access-group 151 in
 ip access-group 152 out
 ip route-cache flow sampled
!
ip flow-export source Serial2/1
ip flow-export version 5 peer-as
ip flow-export destination a.b.c.d 9690
ip flow-sampling-mode packet-interval 200
!
ip flow-aggregation cache as
 export destination a.b.c.d 9691
 cache timeout inactive 10
 cache timeout active 1
 enabled
!

I have low timeouts on the AS aggregation cache so as to pump out records.  When
I do a flow-print on the flows I receive from the V8.1 exports, all I see are 7018:0
pairs.  But I see _many, many_ entries of 7018, all with varying information.
flow-print -f 10 < 2002-05-22.flows | more yields this:
srcAS  dstAS  in     out    flows       octets      packets     duration
7018   0      12     14     15          11708       17          39548
0      0      8      14     1           1500        1           0
7018   0      8      14     21          17089       25          114516
7018   0      11     14     14          11014       17          84580
7018   0      10     14     17          14657       25          82604
.. cut for brevity.

In regards to output of flow-stat, I see this for the src/dst AS report:
# Args:      /var/flowtools/bin/flow-stat -f21
#
#
# src AS          dst AS            flows                 octets                packets
#
7018              0                 3913404               3634839804            6210643
0                 0                 14965                 9516141               22323

My version 5 exports are yielding similar results.  I can generate reports
just fine using flow-stat -f10 on my merged version 5 flows.  However, if I try a -f21 on
my V5 records, I get the same result as those from v8.1...

What am I missing?  Cisco says it can be done, but I've followed the examples they've given
regarding configuring the router [I think].  I'm just not sure whether I'm misunderstanding
Netflow's operation and this simply can't be done, or if this is my lack of experience with
Netflow keeping me from doing this right.

-Mark
--
     Circular logic is self-validating. Therefore, it is correct.
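
Added example, not part of the original post and not flow-tools code: the srcAS/dstAS columns in the reports above come from two 16-bit fields in each NetFlow v5 record, and with the `peer-as` keyword on the export line the router fills them with the neighbouring AS rather than the origin AS. The sketch below decodes a v5 datagram and rebuilds the src/dst AS matrix, so the raw export can be checked independently of the reporting tool; the function names and the sample datagram are constructed for illustration.

```python
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record

def parse_v5(datagram):
    """Return (sampling_interval, records) for one NetFlow v5 export datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header count exceeds datagram length")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"input": f[3], "output": f[4], "packets": f[5],
                        "octets": f[6], "src_as": f[15], "dst_as": f[16]})
    # Top two bits are the sampling mode, low 14 bits the interval.
    return sampling & 0x3FFF, records

def as_matrix(interval, records):
    """Sum flows and sampling-scaled octets per (src_as, dst_as) pair."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        pair = totals[(r["src_as"], r["dst_as"])]
        pair[0] += 1
        pair[1] += r["octets"] * max(interval, 1)
    return dict(totals)

def build_sample():
    """Constructed datagram: three flows, sampled 1-in-200 as in the posted config."""
    flows = [(7018, 0, 1500), (7018, 0, 1000), (0, 0, 1500)]  # src_as, dst_as, octets
    out = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, (1 << 14) | 200)
    for src_as, dst_as, octets in flows:
        out += V5_RECORD.pack(b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x01", bytes(4),
                              8, 14, 1, octets, 0, 0, 0, 0, 0, 0, 6, 0,
                              src_as, dst_as, 24, 24, 0)
    return out

if __name__ == "__main__":
    interval, records = parse_v5(build_sample())
    for (src, dst), (flows, octets) in sorted(as_matrix(interval, records).items()):
        print(f"{src:<6} {dst:<6} {flows:<6} {octets}")
```

The octet totals are estimates: each sampled record is multiplied by the packet interval carried in the header.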