[nsp] Where does OriginAS and PeerAS come from?

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Sep 4 09:07:52 EDT 2003 

Hi Pete,

> When a Cisco router reports a flow via Netflow, how does it
> determine the OriginAS (or PeerAS) it reports?

It does a FIB lookup and takes the AS stored in the FIB.
BTW: As there is only limited space in the FIB for stuff like this, we
store either peer-as or origin-as in the FIB. This is why "ip
flow-export version 5 {peer-as|origin-as}" is a global command applied
to all prefixes.
The AS is shown when you do a "show ip cef <prefix>":

router#sh ip cef 198.133.219.0
198.133.219.0/24, version 12932571, epoch 0, per-destination sharing
0 packets, 0 bytes
  Flow: AS 109, mask 24  <--------

> I assume Netflow does a route (EGP and IGP) lookup, to see
> what prefix matches the source address and input interface
> of the flow (is that a RIB lookup or a FIB lookup?). Is
> there more to it than that?

We don't look at the input interface, we do a straight FIB lookup for
the source and dest address.

> Does my routing policy influence which PeerAS is recorded?
> Does Netflow always record the PeerAS associated with the
> input interface, regardless of what (outbound) route may be
> preferred?
>
> For example, if I receive a particular route on interface A
> and B--from peers A and B, and I prefer the route from B,
> what does NetFlow record for a PeerAS if a packet arrives on
> interface A?

It'll report B as the FIB entry contains "B".

> What if I filtered the incoming route from A altogether, so
> the only route in my table was the one from B? Packet
> arrives on interface A from peer A, does Netflow show the
> PeerAS being A or B?

B.

> (Presumably this wouldn't be an issue for OriginAS, but
> there are times when the same prefix originates from
> different ASN's--does Netflow pick the right one regardless
> of my routing policy?)

no, see above.

If you want to achieve an exact per-neighbor accounting in this
scenario, you need to take the input ifIndex reported in the flows into
account, or you want to use other accounting methods like BGP Policy
Accounting which are bound to an interface.

	oli

More information about the cisco-nsp mailing list