jay alvarez writes:
> And if I specify "peer-as" in my router ip flow-export
> configuration, the "src AS" will always be either one of those of
> our peer upstream providers where the ingress traffic passed by
> before it was seen by our routers,
This is not generally true. The "src AS" will be what the exporting
router (yours) finds in its BGP table as the next-hop AS for the
source IP address of the flow.
This may or may not be the BGP neighbor that actually sent you the
packets, as routes are often asymmetric.
[I know this was not the main point of your post, but since many
Netflow users misunderstand this, it bears noting.]
The only reliable way to find out, from Netflow data, which of your
neighbors sent you the traffic, is the input interface index[1], and
that is precise only for point-to-point links. At an exchange point,
you have no way to find out - from NetFlow data - who really sent you
something.
> and the "dst AS" will always be the absolute destination AS. But
> what if the traffic originated from our own AS, meaning egress
> traffic. Will the "src AS" be our own AS number or still either of
> those upstream providers?
I would expect the src AS to be zero, at least when an IGP is used to
reach the source address. Why should it be your upstream's?
--
Simon.
[1] On some platforms, notably the Catalyst 6500/7600 OSR, you must
select a Netflow mask including the input interface to get
reliable input-interface information. Otherwise this will also be
derived from the router's routing table, with possibly wrong
results in the presence of asymmetries.
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
