[c-nsp] netflow not recording correct origin-as

Charles Sprickman spork at bway.net
Thu Jun 14 00:28:35 EDT 2012 

It's been a very long time since I touched netflow, but I recently
installed FlowViewer since I wanted to grab some stats (we collect
netflow data, but don't do much with it) since we are transit
shopping.  Thought it would be interesting to see, for example how
much traffic ends up somewhere like cogent to see if it's worth
throwing them in the mix.

After digging up from FlowViewer to "sh ip cache verbose flow", I'm
starting to think either I totally misunderstood how this works or
there's something wonky with IOS.  We have our own AS and we have
transit to HE.net and Level3.  If I run any report in flow-tools or
flowviewer that shows source/destination AS counts, it shows about
99% of my traffic with a source or destination AS of 3356.  This is
obviously not true - traffic graphs show that we run about 2/3
inbound from HE.  When I look at the src/dst AS in "sh ip cache
verbose flow", I see the same thing.  Here's a single line showing
what I believe is incorrect AS info:

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active

Fa2/0          86.21.123.0     AT3/0.2535     216.220.114.xxx 06 00  02       2 
E055 /0  3356                  2D3D /32 0     216.220.114.xxx        52     2.9

That's a flow from 86.21.123.0 which is AS 5089 to one of our
customers.  Fa2/0 is HE.net.  So not only is this flow not sourced
from AS3356, it's not even coming in via our transit link to 3356.
This seems totally wrong.

I'm on a 7206 w/an NPE-G2.  IOS 12.4(24)T6.

Both transit links have "ip flow ingress" and "ip flow egress".  I
also started with just ingress on those interfaces as well as an ATM
OC-3 interface and another GigE port, but the ATM interface did not
seem to be grabbing flows from the subinterfaces.  My AS problem is
the same with either configuration.

My export config is this:

ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-export destination 216.220.107.41 9800
ip flow-top-talkers
top 40
sort-by packets

Am I doing something obviously wrong here?

Thanks,

Charles
-- 
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
spork at bway.net - 212.655.9344

More information about the cisco-nsp mailing list