Hi David, My first suggestion would be to double-check what happens by binding a tcpdump to the interface 'any' and see, ie. is traffic (all or specific patterns) being captured twice or more times?
The configuration looks OK; i assume these two boxes are L3-only (not bridging anything); also as i see your filters don't include the 'vlan and ...' wording, where VLANs are terminated? What happens if VRRP points customers to one Quagga box but actually is the other to advertise the best BGP path to destination? I assume traffic would flow between the two Quagga boxes and be accounted some extra times but with different agent_id values: any chance is this the case? Let me know. Cheers, Paolo On Tue, May 05, 2009 at 09:15:27PM +1000, David Hill [eStation] wrote: > Hi All, > > We're currently evaluating running pmacctd on some linux-based routers and > we're having issues with pmacctd grossly over-reporting the amount of > traffic passing through the systems. Our testing has shown that the daemon > is logging values roughly 6 times greater than actual traffic flowing > through the system. > > Can someone please take a look at the below and see if anything grabs their > attention as being wrong? I'm unable to find anything abnormal in the below > setup. > > The network is structured as follows: > > - Two routers running Quagga for BGP and OSPF, Keepalived for VRRP and > pmacctd (version 0.11.6) for traffic accounting. > - Each router has 8 VLANs - 4 VLANs for upstream/transit traffic and 4 VLANs > for customers. > - Both pmacctd instances are logging to a central PostgreSQL server. > - We have one /20 that we want to account for traffic on a per IP basis > (network a.a.a.a/20), plus two /22's (network b.b.b.b/22 and c.c.c.c/22), > two /23's (d.d.d.d/23 and e.e.e.e/23) and one /24 (f.f.f.f/24) that we want > to account for on a per network basis. > - pmacctd is configured to set a different agent_id for traffic depending on > which router is generating the record in the database and whether the > traffic is being accounted on a per IP or per network basis. > - pmacctd is started on each router as a daemon listening on interface > 'any'. My understanding is that we would see the traffic twice using this > interface (once on the transit interface and once on a customer interface). > > Below is the pmacctd.conf file contents: > > aggregate[inbound1]: tag,dst_host > aggregate[inbound2]: tag,dst_net > aggregate[outbound1]: tag,src_host > aggregate[outbound2]: tag,src_net > networks_file: /etc/pmacct/networks > plugin_buffer_size: 20480 > plugin_pipe_size: 20480000 > plugins: pgsql[inbound1],pgsql[outbound1],pgsql[inbound2],pgsql[outbound2] > post_tag[inbound1]: 1 > post_tag[inbound2]: 11 > post_tag[outbound1]: 1 > post_tag[outbound2]: 11 > pre_tag_filter[inbound1]: 1 > pre_tag_filter[inbound2]: 3 > pre_tag_filter[outbound1]: 2 > pre_tag_filter[outbound2]: 4 > pre_tag_map: /etc/pmacct/pretag.map > promisc: true > refresh_maps: true > sql_data: typed > sql_db: traffic > sql_history: 1h > sql_history_roundoff: h > sql_host: sqlserver > sql_locking_style: row > sql_optimize_clauses: true > sql_passwd: password > sql_recovery_logfile[inbound1]: /var/log/pmacct/recovery-any-inbound1.log > sql_recovery_logfile[inbound2]: /var/log/pmacct/recovery-any-inbound2.log > sql_recovery_logfile[outbound1]: /var/log/pmacct/recovery-any-outbound1.log > sql_recovery_logfile[outbound2]: /var/log/pmacct/recovery-any-outbound2.log > sql_refresh_time: 90 > sql_startup_delay[inbound1]: 30 > sql_startup_delay[inbound2]: 60 > sql_startup_delay[outbound1]: 30 > sql_startup_delay[outbound2]: 60 > sql_table[inbound1]: ri_%Y%m > sql_table[inbound2]: ri_%Y%m > sql_table[outbound1]: ro_%Y%m > sql_table[outbound2]: ro_%Y%m > sql_table_schema[inbound1]: /etc/pmacct/traffic-inbound.schema > sql_table_schema[inbound2]: /etc/pmacct/traffic-inbound.schema > sql_table_schema[outbound1]: /etc/pmacct/traffic-outbound.schema > sql_table_schema[outbound2]: /etc/pmacct/traffic-outbound.schema > sql_table_version: 2 > sql_user: traffic > > Our /etc/pmacct/pretag.map file is as follows (each entry is on a single > line): > > id=1 filter='dst net (a.a.a.a/20 or b.b.b.b/22) and not src net (a.a.a.a/20 > or b.b.b.b/22 or c.c.c.c/22 or d.d.d.d/23 or e.e.e.e/23 or f.f.f.f/24)' > id=2 filter='src net (a.a.a.a/20 or b.b.b.b/22) and not dst net (a.a.a.a/20 > or b.b.b.b/22 or c.c.c.c/22 or d.d.d.d/23 or e.e.e.e/23 or f.f.f.f/24)' > id=3 filter='dst net (f.f.f.f/24 or e.e.e.e/23 or d.d.d.d/23 or c.c.c.c/22) > and not src net (a.a.a.a/20 or b.b.b.b/22 or c.c.c.c/22 or d.d.d.d/23 or > e.e.e.e/23 or f.f.f.f/24)' > id=4 filter='src net (f.f.f.f/24 or e.e.e.e/23 or d.d.d.d/23 or c.c.c.c/22) > and not dst net (a.a.a.a/20 or b.b.b.b/22 or c.c.c.c/22 or d.d.d.d/23 or > e.e.e.e/23 or f.f.f.f/24)' > > Our /etc/pmacct/networks file is as follows: > > a.a.a.a/20 > b.b.b.b/22 > c.c.c.c/22 > d.d.d.d/23 > e.e.e.e/23 > f.f.f.f/24 > > Can anyone see any issues with the above? Please let me know if I've omitted > any information. > > Regards, > > David Hill > eStation Australia Pty Ltd > http://www.estation.com.au > --------------------------- > Telephone 03 9725 8759 > Facsimile 03 9725 6388 > > Address Suite 4, 6 Thomas Brew Lane, Croydon, Victoria, 3136 > Postal PO Box 4084, Croydon Hills, Victoria, 3136 > > eStation Australia Pty Ltd > ACN??????? 097 354 348 > ABN??????? 51 097 354 348 > --------------------------- _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
