[j-nsp] ipfix is not accounting next-ip firewall actions properly
Tobias Heister
lists at tobias-heister.de
Wed Jun 24 06:56:38 EDT 2020
Hi,
On 24.06.2020 12:28, Marcel Bößendörfer wrote:
> *Issue: *However, IPFIX is not considering the next-ip, instead it's acting
> like the next-ip would not exist at all. That means, traffic from
> 192.168.0.2 is reported to be egressing multiple interfaces like the router
> would handle it without the next-ip rule. So it seems that the sampling is
> taking place before the firewall rule is applied. This is a very unexpected
> behaviour. In reality traffic from that source IP is only egressing the
> interface that's related to 192.168.1.1.
I have seen things like this with Flow Export on MX before. In my case it was filter based forwarding towards a different RI with different interfaces for TE purposes. In that case the flow export would match the "original" destination before the FBF took place, which led to wrong flow statistics on $collector.
This was years ago and I never checked back on that; seems like the behavior is still there.
I kind of remember it happening for flow-spec drop/rate-limit routes/filters as well. So Flow would still report the traffic ingressing the interfaces while the filters were already blocking them. Which in the case of flow-spec was a good thing, because you could keep the announcement active as long as the attack lasted.
--
Kind Regards
Tobias Heister
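Added example, not from this thread or from Juniper: the reply above describes the collector receiving records whose egress interface reflects the routing table rather than the next-ip / FBF / flow-spec action that actually applied. One practical mitigation on the collector side is to reconcile exported records against a table of the policy actions the sampler did not see. The script below does that for constructed records: it re-labels the egress interface for sources covered by a next-ip override, discards records for sources under a flow-spec discard, and recomputes per-interface byte totals. The prefixes, interface names and record values are all constructed for the example; the policy tables are assumptions standing in for whatever is configured on the router.

```python
"""Reconcile sampled IPFIX records with policy actions the sampler does not see.

Added example (not from the mailing-list thread): on the platform discussed,
sampling happens before next-ip / filter-based forwarding / flowspec actions
take effect, so exported records carry the egress interface the routing table
would have chosen, not the one the policy actually used.  This script
re-labels the egress interface of affected records from a table of known
next-ip overrides and discards records for sources covered by a flowspec
drop, so per-interface byte totals match what really left the box.
All record data, prefixes and interface names below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed policy tables (assumptions for the example).  NEXT_IP_EGRESS
# maps a source prefix matched by a firewall term with "then next-ip" to the
# interface that next-hop resolves to.
NEXT_IP_EGRESS = {
    ipaddress.ip_network("192.168.0.2/32"): "ge-0/0/1",  # next-ip 192.168.1.1
}
# Constructed: source prefixes currently covered by a flowspec discard.
FLOWSPEC_DROP = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed "exported" records as the collector would see them:
# (src, dst, ingress ifname, egress ifname as reported, bytes)
SAMPLE_RECORDS = [
    ("192.168.0.2", "10.0.0.1", "ge-0/0/0", "ge-0/0/2", 1500),
    ("192.168.0.2", "10.0.1.1", "ge-0/0/0", "ge-0/0/3", 3000),
    ("192.168.0.5", "10.0.0.1", "ge-0/0/0", "ge-0/0/2", 500),
    ("203.0.113.7", "10.0.0.1", "ge-0/0/0", "ge-0/0/2", 9000),
]


def _match(addr, table):
    """Return the longest-prefix entry of `table` containing `addr`, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net in table:
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def reconcile(records, next_ip_egress=NEXT_IP_EGRESS, flowspec_drop=FLOWSPEC_DROP):
    """Rewrite records to reflect policy actions the sampler did not observe.

    Returns (corrected_records, discrepancies).  corrected_records has the
    egress field replaced where a next-ip override applies and omits records
    whose source is under a flowspec drop; discrepancies lists what changed as
    (src, dst, reason, reported_egress, actual_egress_or_None).
    """
    corrected, discrepancies = [], []
    for src, dst, in_if, out_if, nbytes in records:
        if _match(src, flowspec_drop) is not None:
            # Sampler saw the packet ingress, but the flowspec filter dropped it.
            discrepancies.append((src, dst, "dropped-by-flowspec", out_if, None))
            continue
        net = _match(src, next_ip_egress)
        if net is not None and next_ip_egress[net] != out_if:
            # Reported egress is the RIB choice; the next-ip action wins.
            real = next_ip_egress[net]
            discrepancies.append((src, dst, "next-ip-override", out_if, real))
            out_if = real
        corrected.append((src, dst, in_if, out_if, nbytes))
    return corrected, discrepancies


def egress_bytes(records):
    """Sum bytes per egress interface."""
    totals = defaultdict(int)
    for _, _, _, out_if, nbytes in records:
        totals[out_if] += nbytes
    return dict(totals)


if __name__ == "__main__":
    fixed, diffs = reconcile(SAMPLE_RECORDS)
    print("as exported:", egress_bytes(SAMPLE_RECORDS))
    print("reconciled: ", egress_bytes(fixed))
    for d in diffs:
        print("discrepancy:", d)
```

On the constructed input, the exported view credits ge-0/0/2 and ge-0/0/3 with traffic that in reality either left via ge-0/0/1 (the next-ip path) or never left at all (the flow-spec drop); the reconciled totals show only ge-0/0/1 and ge-0/0/2. The same mismatch list is a useful alarm on its own: a growing count of "dropped-by-flowspec" records confirms the discard is still catching traffic, which is the property the reply above found useful during an attack.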