[c-nsp] netflow with source-mac address?
Gert Doering
gert at greenie.muc.de
Fri Mar 29 08:55:58 EDT 2013
Hi,
On Fri, Mar 29, 2013 at 12:34:06PM +0000, Phil Mayers wrote:
> On 03/29/2013 10:38 AM, Gert Doering wrote:
> >the question came up elsewhere, and I'm looking for operational experience.
> >
> >Are there cisco platforms that will reliably and correctly fill in the
> >"source MAC address" in netflow records, for IPv4 and IPv6? The packet
> >format permits it, but unless the hardware can do it, it's not that useful.
> >
> >(6500/Sup720 will just leave the source mac blank)
>
> I thought they would fill it in for CPU-generated flows, but a quick
> look in our netflow suggests they're not.
>
> I guess the tricky bit is "which MAC address" because of course there
> could be one, two or dozens for a given flow. It's likely to be smaller
> values, but in FnF terms do you want "mac" to be a "match" or "collect"
> term?
Well, for maximum visibility, you need it to be a "match" item... and
yes, it might increase the number of flows if multiple peers send them
(for whatever reasons - spoofed sources, or load balancing).
OTOH, I cannot really see how it could be a "collect" item anyway - as
far as I understand, "collect" items are collected "from available sources"
the moment the flow is to be exported. Now, which is the source for
"which MAC address did these packets come from"?
Software-based IOS on 7200 did have mac-accounting, which I find quite
useful to see where traffic came from at IXPs - you needed to have reliable
baselines to determine "oh, *that* MAC is now sending 500 Mbit/s, while
they normally only send 5". 6500/Sup720 can't do that either :-(
> I have a vague recollection sup2T claimed to be able to do this?
>
> >Use case: peering router at an IXP - you receive packets that "you don't
>
> Oh, there's a bunch of use-cases - tracking actual origin for ACL denies
> and uRPF fails, tracking real origin for anycast or DSR SLB packets, and
> so on. It would certainly be a useful tool.
Yeah. I just wanted to stop the "nobody needs this" side-track discussion
before it started, with a real-world example.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
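As an added example (constructed for this page, not code from the thread or from Cisco), here is a minimal NetFlow v9 decoder that answers the practical question above from the collector side: does the exporter actually populate the "source MAC address" field (v9 field type 56, IN_SRC_MAC, as defined in RFC 3954)? The export packet it parses is built inline: one record carries a real source MAC, the other is zero-filled, which is how a platform that cannot fill the field in hardware would look. A template that omits field 56 and an exporter that zero-fills it are both counted as "blank". All addresses, MACs, counters and the export timestamp are made-up sample values.

```python
"""Decode a NetFlow v9 export and check whether IN_SRC_MAC (field 56) is populated.

Added example, not from the original thread.  The packet below is constructed
by hand so the script runs offline; field type numbers follow RFC 3954.
"""
import struct
from ipaddress import IPv4Address

# NetFlow v9 field types (RFC 3954, section 8)
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
IN_SRC_MAC = 56

# Template used by the constructed exporter: (field type, length in bytes)
TEMPLATE = [
    (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
    (PROTOCOL, 1), (IN_BYTES, 4), (IN_PKTS, 4), (IN_SRC_MAC, 6),
]
TEMPLATE_ID = 256  # data flowset ids must be >= 256


def make_record(src, dst, sport, dport, proto, nbytes, npkts, src_mac):
    """Encode one data record exactly in TEMPLATE field order (constructed data)."""
    return (IPv4Address(src).packed + IPv4Address(dst).packed
            + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts) + src_mac)


def build_packet(records):
    """Assemble a v9 export: 20-byte header, one template flowset, one data flowset."""
    tmpl_body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    for ftype, flen in TEMPLATE:
        tmpl_body += struct.pack("!HH", ftype, flen)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body  # id 0 = template
    data_body = b"".join(records)
    data_body += b"\x00" * (-len(data_body) % 4)  # flowsets are padded to 4 bytes
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data_body)) + data_body
    # header: version, record count, sysuptime, unix secs, sequence, source id
    header = struct.pack("!HHIIII", 9, 1 + len(records), 1000, 1364547358, 1, 0)
    return header + tmpl_fs + data_fs


def parse_packet(pkt):
    """Return a list of {field_type: raw bytes}; templates are learned from the packet."""
    version = struct.unpack("!HHIIII", pkt[:20])[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4:
            break  # malformed flowset; stop rather than loop forever
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset, may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nf = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nf)]
                p += 4 * nf
                templates[tid] = fields
        elif fs_id >= 256 and fs_id in templates:  # data flowset with a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[ftype] = body[p:p + flen]
                    p += flen
                records.append(rec)
        off += fs_len
    return records


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def source_mac_coverage(records):
    """Return (populated, blank): blank covers both 'field absent from template'
    and 'field exported as all zeros', which is what a platform that cannot
    fill the MAC in hardware produces."""
    populated = sum(1 for r in records if r.get(IN_SRC_MAC) and any(r[IN_SRC_MAC]))
    return populated, len(records) - populated


# Constructed sample export: one record with a real MAC, one zero-filled.
SAMPLE = build_packet([
    make_record("192.0.2.10", "198.51.100.7", 40000, 443, 6, 1500, 10,
                bytes.fromhex("001122334455")),
    make_record("192.0.2.11", "198.51.100.7", 40001, 443, 6, 1500, 10, bytes(6)),
])

if __name__ == "__main__":
    recs = parse_packet(SAMPLE)
    for r in recs:
        print(IPv4Address(r[IPV4_SRC_ADDR]), "->", IPv4Address(r[IPV4_DST_ADDR]),
              "src-mac", fmt_mac(r[IN_SRC_MAC]))
    print("populated/blank:", source_mac_coverage(recs))
```

To run this against real exports, replace SAMPLE with the UDP payload captured from the router and keep the learned templates across packets, since a real exporter sends templates only periodically. For IPv6 flows the same check applies with the template carrying IPV6_SRC_ADDR (27) and IPV6_DST_ADDR (28) in place of the IPv4 fields.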