[c-nsp] netflow with source-mac address?

Phil Mayers p.mayers at imperial.ac.uk
Fri Mar 29 08:34:06 EDT 2013


On 03/29/2013 10:38 AM, Gert Doering wrote:
> Hi,
>
> the question came up elsewhere, and I'm looking for operational experience.
>
> Are there cisco platforms that will reliably and correctly fill in the
> "source MAC address" in netflow records, for IPv4 and IPv6?  The packet
> format permits it, but unless the hardware can do it, it's not that useful.
>
> (6500/Sup720 will just leave the source mac blank)

I thought they would fill it in for CPU-generated flows, but a quick 
look in our netflow suggests they're not.

I guess the tricky bit is "which MAC address" because of course there 
could be one, two or dozens for a given flow. It's likely to be smaller 
values, but in FnF terms do you want "mac" to be a "match" or "collect" 
term?

I have a vague recollection sup2T claimed to be able to do this?

> Use case: peering router at an IXP - you receive packets that "you don't

Oh, there's a bunch of use-cases - tracking actual origin for ACL denies 
and uRPF fails, tracking real origin for anycast or DSR SLB packets, and 
so on. It would certainly be a useful tool.
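
The "match" versus "collect" question above, as an added example that is not part of the original post: a small Python model of a flow cache showing what a collector sees when one 5-tuple arrives from two source MACs. The packets and addresses are constructed (documentation ranges), the function names are hypothetical, and it assumes a non-key ("collect") field keeps the value from the first packet of the flow.

```python
from collections import OrderedDict

# Constructed sample packets (not from the original post): the same 5-tuple
# arrives on an IXP-facing port from two different peer MACs.
PACKETS = [
    # (src_mac, src_ip, dst_ip, proto, sport, dport, bytes)
    ("00:00:5e:00:53:01", "192.0.2.10", "198.51.100.5", 17, 53, 4444, 512),
    ("00:00:5e:00:53:02", "192.0.2.10", "198.51.100.5", 17, 53, 4444, 512),
    ("00:00:5e:00:53:02", "192.0.2.10", "198.51.100.5", 17, 53, 4444, 512),
    ("00:00:5e:00:53:01", "192.0.2.77", "198.51.100.5", 6, 40000, 443, 60),
]


def build_cache(packets, mac_is_key):
    """Aggregate packets into flow records.

    mac_is_key=True  models the MAC as a key ("match") field: each distinct
                     source MAC creates its own flow record.
    mac_is_key=False models it as a non-key ("collect") field: the record is
                     keyed on the 5-tuple only and keeps the MAC of the first
                     packet (assumption made for this sketch).
    """
    cache = OrderedDict()
    for mac, sip, dip, proto, sport, dport, size in packets:
        five_tuple = (sip, dip, proto, sport, dport)
        key = five_tuple + (mac,) if mac_is_key else five_tuple
        rec = cache.setdefault(
            key, {"five_tuple": five_tuple, "src_mac": mac, "packets": 0, "bytes": 0}
        )
        rec["packets"] += 1
        rec["bytes"] += size
    return list(cache.values())


def macs_per_five_tuple(records):
    """Return {five_tuple: sorted source MACs visible in the exported records}."""
    seen = {}
    for rec in records:
        seen.setdefault(rec["five_tuple"], set()).add(rec["src_mac"])
    return {ft: sorted(macs) for ft, macs in seen.items()}


if __name__ == "__main__":
    for mode in (True, False):
        label = "match" if mode else "collect"
        print(label, macs_per_five_tuple(build_cache(PACKETS, mode)))
```

With the MAC as a key the export grows by one record per extra MAC but both origins stay visible; as a non-key field the record count is unchanged and the second MAC is lost.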

