Hi Andrew! Good Day!
Here's our situation. We have four (4) upstream providers and we are doing BGP to each of them. Right now, I have a netflow collector running flow-capture, flow-scan, and CUFlow. On my CUFlow.cf, I have specified the AS numbers of those four upstream providers so that in CUGrapher.pl, I can highlight those four AS in the dropdown and then generate in/out graphical representation of traffic going in and out of our network via those four AS. Next I have configured all of our routers to export version 5 peer-as to our collector. Have I done the right steps here?

Next, I want to also graph the traffic going in and out of a particular AS we are interested in. If I include these AS numbers in my CUFlow.cf, I am guessing that the CUGrapher.pl will not produce any graphs for these AS numbers because the routers are exporting in peer-as instead of origin-as. Is my assumption here correct? And as someone suggested, I will have to use CampusIO's extension to achieve both?

The explanation for peer-as and origin-as below from Cisco is a little bit confusing, or lacks further explanation as to what this term "export statistics" is. All I know is that I have netflows that look like this, as seen in flowdumper:

    FLOW
      index:          0xc7ffff
      router:         zzzz
      src IP:         x.x.x.x
      dst IP:         yyyy
      input ifIndex:  1
      output ifIndex: 27
      src port:       53
      dst port:       1036
      pkts:           1
      bytes:          367
      IP nexthop:     0.0.0.0
      start time:     Mon Jan 29 23:59:45 2007
      end time:       Mon Jan 29 23:59:45 2007
      protocol:       17
      tos:            0x0
      src AS:         1234
      dst AS:         5678
      src masklen:    24
      dst masklen:    24
      TCP flags:      0x0
      engine type:    0
      engine id:      0

And if I specify "peer-as" in my router ip flow-export configuration, the "src AS" will always be either one of those of our peer upstream providers where the ingress traffic passed by before it was seen by our routers, and the "dst AS" will always be the absolute destination AS. But what if the traffic originated from our own AS, meaning egress traffic? Will the "src AS" be our own AS number or still either of those upstream providers?

Next, if I tell my routers to export using "origin-as", the "src AS" in my "FLOW" like that above will always be the absolute source AS where the traffic came from, and the destination AS is unchanged as well (absolute).

Lastly, can someone here suggest a way to know who is consuming the traffic we are seeing in our MRTG graphs? For example, our upstream provider A, at around 1:00 pm, has reached 30M in MRTG scale. Given that the data source for this graph is the serial interface of our router facing the upstream provider A, how should I go about it using one of the flow-tools? Should I flow-cat the 12:00-1:00 pm flows and then flow-stat them or something? Did you have a goal like this before?

Thanks. I hope that this will be clarified so that the next time a new flow-tools user searches the archive using "origin-as, peer-as" as keywords, he or she will retrieve something useful.

----- Original Message ----
From: Andrew Mabe <[EMAIL PROTECTED]>
To: jay alvarez <[EMAIL PROTECTED]>
Sent: Wednesday, January 31, 2007 12:31:25 AM
Subject: Re: [Flow-tools] origin-AS vs peer-AS(RE: In my case, should I choose peer-as or origin-as??)

From Cisco PDF:

(Required) Enables the export of information in NetFlow cache entries. The version 9 keyword specifies that the export packet uses the Version 9 format. The origin-as keyword specifies that export statistics include the origin autonomous system (AS) for the source and destination. The peer-as keyword specifies that export statistics include the peer AS for the source and destination. The bgp-nexthop keyword specifies that export statistics include BGP next hop related information. This command enables the export of origin AS information as well as BGP next hop information from the NetFlow main cache.

BTW: I use peer-as to graph my customers to/from my 9 ISP links.

On Jan 29, 2007, at 9:45 PM, jay alvarez wrote:

> ----- Original Message ----
> From: jay alvarez <[EMAIL PROTECTED]>
> To: Mark Prior <[EMAIL PROTECTED]>
> Cc: flow tools <[email protected]>
> Sent: Monday, January 29, 2007 4:05:22 PM
> Subject: origin-AS vs peer-AS(RE: In my case, should I choose peer-as or origin-as??)
>
> ----- Original Message ----
> From: Mark Prior <[EMAIL PROTECTED]>
> To: jay alvarez <[EMAIL PROTECTED]>
> Cc: flow tools <[email protected]>
> Sent: Wednesday, January 24, 2007 10:26:18 PM
> Subject: Re: [Flow-tools] In my case, should I choose peer-as or origin-as??
>
> jay alvarez wrote:
>
>>> I'm only worried because I might be displaying erroneous reports,
>>> let's say I use flow-stat to report the top destination or
>>> source AS.
>
>> In that case you probably want origin-as.
>
>> Which version you choose depends on what data you want to mine and if
>> you want to know about the ultimate source or destination of the
>> traffic then you want origin-as. If you want to discover more about which
>> upstream is sending you the traffic then you want peer-as.
>
> So if I choose origin-AS then I will be able to create reports for
> top absolute destination AS and top absolute source AS, as well as
> graphs (CUGrapher.pl) because each netflow record will contain
> absolute source and destination ASNs, but if I specify peer-as, I
> can only generate top absolute destination AS reports but the top
> source ASN which will be recorded in its netflow record will always
> be either of those four peer AS/upstream providers where that
> particular traffic has passed through before it reaches our
> routers. Can anyone clear this for me.. And lastly, someone has
> suggested using experimental CampusIO extensions which can generate
> reports for both origin and peer as, I'll see if it fits our needs.
>
> Thanks...
>
> Mark.

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
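
The closing question in the message above (who is behind a peak on one upstream link) can be worked from flowdumper text in the layout quoted in the thread. The following is an added example, not part of the original thread and not flow-tools code: it parses that layout and totals bytes per source IP and per destination AS for flows leaving one interface within a time window. It assumes ifIndex 27 is the upstream-facing interface and uses constructed records; the AS fields hold whichever AS (peer or origin) the router was configured to export.

```python
import re
from collections import Counter
from datetime import datetime

FIELD = re.compile(r"^\s*(.+?):\s+(.*)$")   # "  src AS:   1234" -> key, value
TIME_FMT = "%a %b %d %H:%M:%S %Y"           # "Mon Jan 29 23:59:45 2007"

def parse_flows(text):
    """Split flowdumper text into one dict of string fields per FLOW record."""
    flows = []
    for line in text.splitlines():
        if line.strip() == "FLOW":           # a bare FLOW line starts a record
            flows.append({})
            continue
        m = FIELD.match(line)
        if m and flows:
            flows[-1][m.group(1)] = m.group(2).strip()
    return flows

def top_by(flows, key, start, end, out_if):
    """Sum bytes per `key` for flows leaving out_if with start <= end time < end."""
    totals = Counter()
    for f in flows:
        when = datetime.strptime(f["end time"], TIME_FMT)
        if start <= when < end and int(f["output ifIndex"]) == out_if:
            totals[f[key]] += int(f["bytes"])
    return totals.most_common()              # largest byte count first

def sample_record(src, out_if, nbytes, hhmmss, dst_as):
    # Constructed record with a subset of the fields: documentation
    # addresses and reserved AS numbers, not captured data.
    return ("FLOW\n  src IP:         %s\n  output ifIndex: %d\n"
            "  bytes:          %d\n  end time:       Mon Jan 29 %s 2007\n"
            "  src AS:         64512\n  dst AS:         %d\n"
            % (src, out_if, nbytes, hhmmss, dst_as))

SAMPLE = "".join([
    sample_record("198.51.100.10", 27, 4000, "12:10:00", 64496),
    sample_record("198.51.100.10", 27, 1500, "12:40:00", 64497),
    sample_record("198.51.100.77", 27, 2500, "12:59:59", 64496),
    sample_record("198.51.100.10", 27, 9000, "13:05:00", 64496),  # after window
    sample_record("198.51.100.77", 1, 7000, "12:30:00", 64496),   # other link
])
START, END = datetime(2007, 1, 29, 12), datetime(2007, 1, 29, 13)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for key in ("src IP", "dst AS"):
        print(key, top_by(flows, key, START, END, out_if=27))
```

To total inbound traffic instead, filter on the "input ifIndex" field and group by "dst IP" or "src AS".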
