[c-nsp] Netflow coutners on a PE less than on gateway

Kim Onnel karim.adel at gmail.com
Thu May 19 12:37:02 EDT 2005 

Let me rephrase it:

I export from our internet gateway to a netflow analysis software
which is supposed to report DDoS attacks upon reading a specified
number of packets above configured threshold and it does that in
memory not files:

----------------------------------

#Default ICMP alert values in format pkts/sec,KBytes/sec
DefaultICMP                         128,64

#Syn Flood alert level (for all interfaces) in syn/sec
SynFloodAlertLevel                  100
----------------------------------------

When i export from the 7600 internet gateway or even "sh ip cache flow
| in K " on it , i dont get too many attacks or (whatever caused alot
of flows)


7600 internet Gateway:

7600#sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-PSV-M), Version 12.2(18)SXD, RELEASE SOFT
WARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 28-Jul-04 22:49 by cmong
Image text-base: 0x4002100C, data-base: 0x42040000

ROM: System Bootstrap, Version 12.2(14r)S9, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-PSV-M), Version 12.2(18)SXD, RELEASE SOFT
WARE (fc2)

7600 uptime is 17 weeks, 2 days, 12 hours, 3 minutes
Time since 7600 switched to active is 17 weeks, 2 days, 12 hours, 3 minutes
System returned to ROM by power-on (SP by power-on)
System restarted at 07:26:36 CAI Tue Jan 18 2005
System image file is "sup-bootflash:s72033-psv-mz.122-18.SXD.bin"

cisco CISCO7609 (R7000) processor (revision 1.0) with 458720K/65536K bytes of me
mory.
Processor board ID FOX080605Y8
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
X.25 software, Version 3.0.0.
Bridging software.
2 FlexWAN controllers (2 Serial)(2 POS).
1 Virtual Ethernet/IEEE 802.3  interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
2 Packet over SONET network interface(s)
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.

65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102


7600#sh run | in flow
mls flow ip interface-full
no mls flow ipv6
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
ip flow-export source Loopback0
ip flow-export version 5 peer-as
ip flow-export destination xx.Xx.235.194 2055
7600#

7600#sh run | in mls
mls aging fast time 5 threshold 32
mls aging long 300
mls aging normal 60
mls flow ip interface-full
no mls flow ipv6
mls nde sender version 5
mls qos
mls cef error action freeze



7600#sh mls netflow table-contention summary
Earl in Module 5
Summary of Netflow CAM Utilization (as a percentage)
====================================================
TCAM Utilization             :   99%
ICAM Utilization             :   0%
Netflow Creation Failures    :   140560
Netflow CAM aliases          :   0

________________________________________________________________________


Now on a 7206vxr that is BGP peering with customers :

GATEWAY#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-JS-M), Version 12.2(10d), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 13-May-03 16:11 by pwade
Image text-base: 0x60008940, data-base: 0x61626000

ROM: System Bootstrap, Version 12.1(20000710:044039) [nlaw-121E_npeb 117], DEVEL
OPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.1(8a)E, EARLY DEPLOYMENT RELE
ASE SOFTWARE (fc1)

GATEWAY uptime is 1 week, 4 days, 23 hours, 17 minutes
System returned to ROM by power-on
System restarted at 20:00:24 CAI Sat May 7 2005
System image file is "disk1:c7200-js-mz.122-10d.bin"

cisco 7206VXR (NPE400) processor (revision A) with 114688K/16384K bytes of memor
y.
Processor board ID 26810540
R7000 CPU at 350Mhz, Implementation 39, Rev 3.2, 256KB L2, 4096KB L3 Cache
6 slot VXR midplane, Version 2.6

Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
2 FastEthernet/IEEE 802.3 interface(s)
8 Serial network interface(s)
2 ATM network interface(s)
125K bytes of non-volatile configuration memory.

47040K bytes of ATA PCMCIA card at slot 1 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102




BGP_Customers#sh ip cache flow | in K
Fa0/0         x.81.140.110   Mu1           x3.181.228.23  11 3CB2 491C    13K
Fa0/0         x.48.42.10     AT4/0         x.12.236.43   06 0548 096E    12K
AT4/0         1x.204.225.211 Fa0/0         x1.226.143.27   11 5026 4A4F    14K
Fa0/0         x.181.39.120   AT4/0         2x3.212.208.142 11 692F 15E2    17K
Fa0/0         x.198.219.182 AT4/0         x6.204.225.211 11 C00A 5026    14K
Mu1           x.181.228.21  Fa0/0         x.134.13.206   06 6ECC 2277    11K
AT4/0         2x.212.208.142 Fa0/0         x.181.39.120   11 15E2 692F    18K
AT4/0         x.129.214.22   Fa0/0         x.27.3.197     06 07CE 1236    13K
AT4/0         x.129.214.22   Fa0/0         x.190.236.156  06 0586 1236    19K
Fa0/0         x.88.92.149    AT2/0         1xx.246.48.134  06 1179 18CA    20K
Fa0/0         x.233.161.107  AT4/0         x.21.97.11     06 0050 E61B    12K
Fa0/0         x.182.61.91    Mu1           2x.181.228.23  11 5AE0 491C    12K
AT4/0         x.204.225.211 Fa0/0         x.198.219.182 11 5026 C00A    12K
Fa0/0         x.21.43.83     AT4/0         x.12.235.150  11 2A57 53E4    10K

BGP_Customers#sh run | in flow
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
 ip route-cache flow
ip flow-export source Loopback1
ip flow-export version 5


The problem is : 

When i export from the BGP peering customers to the same software, i
get far too many alarms, which is not logical for me, the gateway is
getting all the flows from the dial/adsl/corp. customers and still
reporting less attacks than only when i export from the  BGP peering
customers router, thats my concern ?


Thanks Oliver,

Regards


On 5/19/05, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> Kim Onnel <> wrote on Thursday, May 19, 2005 5:27 PM:
> 
> > Hi,
> >
> > I cant explain why when i do a "sh ip cache flow  | in K" on one of my
> > PEs i see alot of
> >
> [...]
> >
> > And thats just one PE, if i go to the gateway of internet and do the
> > same command, i expect to see the exact numbers and even more, but i
> > get nothing
> >
> > Why ?
> 
> My crystal ball is broken, can't tell :-)
> 
> Seriously: without some info about your netflow config on the Internet
> gateway, there is not much we can do. Which platform is this? Did you
> enable netflow on all the interfaces? Do you see *any* flows?
> 
>         oli
>

More information about the cisco-nsp mailing list