[c-nsp] netflow with source-mac address?

Gert Doering gert at greenie.muc.de
Fri Mar 29 08:55:58 EDT 2013


Hi,

On Fri, Mar 29, 2013 at 12:34:06PM +0000, Phil Mayers wrote:
> On 03/29/2013 10:38 AM, Gert Doering wrote:
> >the question came up elsewhere, and I'm looking for operational experience.
> >
> >Are there cisco platforms that will reliably and correctly fill in the
> >"source MAC address" in netflow records, for IPv4 and IPv6?  The packet
> >format permits it, but unless the hardware can do it, it's not that useful.
> >
> >(6500/Sup720 will just leave the source mac blank)
> 
> I thought they would fill it in for CPU-generated flows, but a quick 
> look in our netflow suggests they're not.
> 
> I guess the tricky bit is "which MAC address" because of course there 
> could be one, two or dozens for a given flow. It's likely to be smaller 
> values, but in FnF terms do you want "mac" to be a "match" or "collect" 
> term?

Well, for maximum visibility, you need it to be a "match" item... and
yes, it might increase the number of flows if multiple peers send them
(for whatever reasons - spoofed sources, or load balancing).

OTOH, I cannot really see how it could be a "collect" item anyway - as
far as I understand, "collect" items are collected "from available sources"
the moment the flow is to be exported.  Now, which is the source for
"which MAC address did these packets come from"?

Software-based IOS on 7200 did have mac-accounting, which I find quite
useful to see where traffic came from at IXPs - you needed to have reliable
baselines to determine "oh, *that* MAC is now sending 500 Mbit/s, while
they normally only send 5".  6500/Sup720 can't do that either :-( 


> I have a vague recollection sup2T claimed to be able to do this?
> 
> >Use case: peering router at an IXP - you receive packets that "you don't
> 
> Oh, there's a bunch of use-cases - tracking actual origin for ACL denies 
> and uRPF fails, tracking real origin for anycast or DSR SLB packets, and 
> so on. It would certainly be a useful tool.

Yeah.  I just wanted to stop the "nobody needs this" side-track discussion
before it started, with a real-world example.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
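As an added illustration of the "match" versus "collect" distinction discussed above (this is not code from the thread or from any Cisco platform), the Python below aggregates constructed packet samples into flow records with the source MAC either as a key ("match") field or as a non-key ("collect") field, and then applies a mac-accounting style baseline check of the kind Gert describes. All packet values, MAC addresses and the baseline are constructed for the example.

```python
from collections import defaultdict

# Constructed sample packets seen on a hypothetical IXP-facing interface:
# (src_mac, src_ip, dst_ip, proto, bytes). Two peer MACs send from the same
# source prefix (spoofed sources or load balancing, as in the thread).
PACKETS = [
    ("00:11:22:aa:bb:01", "192.0.2.10", "198.51.100.5", 6, 1500),
    ("00:11:22:aa:bb:01", "192.0.2.10", "198.51.100.5", 6, 1500),
    ("00:11:22:aa:bb:02", "192.0.2.10", "198.51.100.5", 6, 60),
    ("00:11:22:aa:bb:02", "192.0.2.11", "198.51.100.5", 17, 90),
]


def aggregate(packets, mac_is_key):
    """Build flow records from packets.

    With mac_is_key=True the source MAC is a "match" field, i.e. part of the
    flow key, so packets from different MACs become separate flows.  With
    mac_is_key=False it is only a "collect" field: the flow key ignores it
    and the record keeps whichever MAC the exporter saw last.
    """
    flows = {}
    for mac, sip, dip, proto, nbytes in packets:
        key = (sip, dip, proto) + ((mac,) if mac_is_key else ())
        rec = flows.setdefault(key, {"bytes": 0, "pkts": 0, "src_mac": None})
        rec["bytes"] += nbytes
        rec["pkts"] += 1
        rec["src_mac"] = mac  # collect semantics: last value wins
    return flows


def bytes_per_mac(flows):
    """Sum bytes per source MAC. Only meaningful when MAC was a key field;
    with collect semantics traffic is misattributed to the last MAC seen."""
    totals = defaultdict(int)
    for rec in flows.values():
        totals[rec["src_mac"]] += rec["bytes"]
    return dict(totals)


def mac_anomalies(current, baseline, factor=10):
    """mac-accounting style check: return MACs whose byte count exceeds
    `factor` times their baseline, or that have no baseline at all."""
    return sorted(mac for mac, b in current.items()
                  if mac not in baseline or b > factor * baseline[mac])
```

Run with the MAC as a collect field and peer `…:01`, which sent most of the bytes, vanishes from the per-MAC totals entirely; with it as a match field the flow count rises but attribution is correct.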