[flow-tools] final destination ASN export
Mark Fullmer
maf@splintered.net
Thu, 23 May 2002 11:08:34 -0400
> ip flow-export version 5 peer-as
Change this to
ip flow-export version 5 origin-as
mark
On Thu, May 23, 2002 at 09:34:54AM -0500, Mark Turpin wrote:
> Well, this was touched on last year slightly, however the individual in the
> archives was looking for full AS path information. I am interested in the
> final destination ASN. Currently, I have a router that has multiple interfaces
> to a single provider, and is receiving full routes from the upstream.
> The problem is that it's only reporting the AS of 7018/AT&T, the transit provider.
>
> The AS 0 is not a big deal, what I'm bothered by is a single AS of 7018.
> Shouldn't I be seeing the real AS, and not the next-hop-AS? For instance,
> my source/dest IP matrix reports an IP out of C&W, why isn't 3561 showing up in
> the AS reports?
>
> Router config snippet:
> !
> interface Serial2/1
>  ip access-group 151 in
>  ip access-group 152 out
>  ip route-cache flow sampled
> !
> interface Serial2/2
>  ip access-group 151 in
>  ip access-group 152 out
>  ip route-cache flow sampled
> !
> ip flow-export source Serial2/1
> ip flow-export version 5 peer-as
> ip flow-export destination a.b.c.d 9690
> ip flow-sampling-mode packet-interval 200
> !
> ip flow-aggregation cache as
>  export destination a.b.c.d 9691
>  cache timeout inactive 10
>  cache timeout active 1
>  enabled
> !
>
> I have low timeouts on the AS aggregation cache so as to pump out records. When
> I do a flow-print on the flows I receive from the V8.1 exports, all I see are 7018:0
> pairs. But I see _many, many_ entries of 7018, all with varying information.
> flow-print -f 10 < 2002-05-22.flows | more yields this:
> srcAS  dstAS  in  out  flows  octets  packets  duration
> 7018   0      12  14   15     11708   17       39548
> 0      0      8   14   1      1500    1        0
> 7018   0      8   14   21     17089   25       114516
> 7018   0      11  14   14     11014   17       84580
> 7018   0      10  14   17     14657   25       82604
> .. cut for brevity.
>
> In regards to output of flow-stat, I see this for the src/dst AS report:
> # Args: /var/flowtools/bin/flow-stat -f21
> #
> #
> # src AS  dst AS  flows    octets      packets
> #
> 7018      0       3913404  3634839804  6210643
> 0         0       14965    9516141     22323
>
> My version 5 exports are yielding similar results. I can generate reports
> just fine using flow-stat -f10 on my merged version 5 flows. However, if I try a -f21 on
> my V5 records, I get the same result as those from v8.1...
>
> What am I missing? Cisco says it can be done, but I've followed the examples they've given
> regarding configuring the router [I think]. I'm just not sure whether I'm misunderstanding
> Netflow's operation and this simply can't be done, or if this is my lack of experience with
> Netflow keeping me from doing this right.
>
> -Mark
> --
> Circular logic is self-validating. Therefore, it is correct.
>
> _______________________________________________
> flow-tools@splintered.net
> http://www.splintered.net/sw/flow-tools
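
Added example, not part of the original thread and not flow-tools code: a minimal NetFlow v5 parser that totals flows, octets and packets per src/dst AS pair, the same view as the flow-stat report quoted above, and returns the set of non-zero AS numbers seen. The function names and both sample datagrams are constructed for illustration; the first reuses AS and counter values from the quoted flow-print output, the second is a hypothetical export in which the router fills the AS fields with 3561 as well.

```python
import struct

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Yield (src_as, dst_as, packets, octets) for each record in one datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("short datagram")
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("record count exceeds datagram length")
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        # f[5]=dPkts, f[6]=dOctets, f[15]=src_as, f[16]=dst_as
        yield f[15], f[16], f[5], f[6]

def as_matrix(datagrams):
    """Return {(src_as, dst_as): [flows, octets, packets]} over all datagrams."""
    totals = {}
    for d in datagrams:
        for src_as, dst_as, pkts, octets in parse_v5(d):
            row = totals.setdefault((src_as, dst_as), [0, 0, 0])
            row[0] += 1
            row[1] += octets
            row[2] += pkts
    return totals

def distinct_nonzero_as(totals):
    """Non-zero AS numbers seen. A single value on a router that carries
    full routes is the symptom described in the thread."""
    return {asn for pair in totals for asn in pair if asn != 0}

def make_datagram(flows):
    """Build a constructed v5 datagram from (src_as, dst_as, packets, octets)."""
    out = HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for src_as, dst_as, pkts, octets in flows:
        out += REC.pack(b"\0" * 4, b"\0" * 4, b"\0" * 4, 0, 0, pkts, octets,
                        0, 0, 0, 0, 0, 0, 6, 0, src_as, dst_as, 0, 0, 0)
    return out

# Constructed samples (not captured traffic).
SINGLE_AS_EXPORT = make_datagram([(7018, 0, 17, 11708), (0, 0, 1, 1500),
                                  (7018, 0, 25, 17089)])
MULTI_AS_EXPORT = make_datagram([(3561, 0, 17, 11708), (7018, 0, 25, 17089)])

if __name__ == "__main__":
    for name, pkt in (("single", SINGLE_AS_EXPORT), ("multi", MULTI_AS_EXPORT)):
        m = as_matrix([pkt])
        print(name, m, sorted(distinct_nonzero_as(m)))
```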