[c-nsp] netflow with source-mac address?

Gert Doering gert at greenie.muc.de
Fri Mar 29 06:38:02 EDT 2013


Hi,

the question came up elsewhere, and I'm looking for operational experience.

Are there Cisco platforms that will reliably and correctly fill in the
"source MAC address" in netflow records, for IPv4 and IPv6?  The packet
format permits it, but unless the hardware can do it, it's not that useful.

(6500/Sup720 will just leave the source mac blank)

Use case: peering router at an IXP - you receive packets that "you don't
want" (for whatever reason) and want to be sure which peer sent them
to you.  Using the source IP address is no reliable indicator for
"which peer did it come from" - it could be spoofed, there could be
asymmetric routing, etc. - so the only reliable indicator is "source MAC"
(assuming the IXP does source-MAC filtering, this cannot be spoofed,
even if a bad guy controls the peer router).

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
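
The attribution described in the use case above, as an added example that is not part of the original message: it parses a NetFlow v9 export packet, reads the source-MAC field, and maps each flow to a peer, reporting flows whose MAC was left blank by the exporter. The field type numbers are those of RFC 3954; the peer table, peer names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

IPV4_SRC_ADDR, IPV6_SRC_ADDR, IN_SRC_MAC = 8, 27, 56   # v9 field types (RFC 3954)

def parse_v9(packet):
    """Yield {field_type: raw bytes} for each flow record in a v9 export packet."""
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not NetFlow v9")
    templates, off = {}, 20                  # v9 packet header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        pos = 0
        while fs_id == 0 and pos + 4 <= len(body):      # template flowset
            tid, n = struct.unpack_from("!HH", body, pos)
            fields = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
            if tid >= 256 and sum(flen for _, flen in fields):
                templates[tid] = fields
            pos += 4 + 4 * n
        fields = templates.get(fs_id, [])               # data flowset, known template
        rec_len = sum(flen for _, flen in fields)
        while fields and pos + rec_len <= len(body):    # trailing padding is ignored
            rec = {}
            for ftype, flen in fields:
                rec[ftype] = body[pos:pos + flen]
                pos += flen
            yield rec
        off += fs_len

def attribute(packet, peers):
    """Return (source address, verdict) per flow: a peer name or a reason."""
    out = []
    for rec in parse_v9(packet):
        addr = rec.get(IPV4_SRC_ADDR) or rec.get(IPV6_SRC_ADDR)
        mac = rec.get(IN_SRC_MAC)            # absent or all-zero: exporter did not fill it in
        verdict = peers.get(mac.hex(), "unknown-mac") if mac and any(mac) else "no-source-mac"
        out.append((str(ipaddress.ip_address(addr)) if addr else "?", verdict))
    return out

def sample_packet():                         # constructed: one template, three flows
    flows = [("192.0.2.10", "020000000001"), ("198.51.100.7", "020000000099"), ("203.0.113.5", "0" * 12)]
    recs = b"".join(ipaddress.ip_address(ip).packed + bytes.fromhex(m) for ip, m in flows)
    return (struct.pack("!HHIIII", 9, 4, 0, 0, 1, 0)
            + struct.pack("!8H", 0, 16, 256, 2, IPV4_SRC_ADDR, 4, IN_SRC_MAC, 6)
            + struct.pack("!HH", 256, 36) + recs + b"\x00\x00")

PEERS = {"020000000001": "peer-A", "020000000002": "peer-B"}  # constructed MAC-to-peer table
```

A "no-source-mac" verdict is what a platform that leaves the field blank would produce for every flow, so its rate per exporter shows whether that exporter can be used for this kind of attribution at all.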