[c-nsp] netflow not recording correct origin-as
Gert Doering
gert at greenie.muc.de
Thu Jun 14 04:16:04 EDT 2012
Hi,
On Thu, Jun 14, 2012 at 12:28:35AM -0400, Charles Sprickman wrote:
> That's a flow from 86.21.123.0 which is AS 5089 to one of our
> customers. Fa2/0 is HE.net. So not only is this flow not sourced
> from AS3356, it's not even coming in via our transit link to 3356.
> This seems totally wrong.
Flows source AS numbers are not mapped by inbound interface or whatever,
but by mapping of the source address to BGP-bestpath. So if you would
send outbound packets to that IP address to 3356, that's the AS number
you'd see.
As for "why do you see AS 3356 in the flow records if the traffic does
not end in 3356" - do you, by change, have an incomplete BGP table plus
a default route coming in from 3356? In that case, everything matched
by the default route would be "3356".
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20120614/83fac8d7/attachment.sig>
More information about the cisco-nsp
mailing list