Re: [pmacct-discussion] Cisco NCS - IPFIX 315 - sampling_rate and outer qtag not detected

2023-07-31 Thread Tiago Felipe Gonçalves 
Hi Paolo,

Thanks for the prompt answer and support as usual, we really appreciate it.
I’ll forward the pcap directly to you.


Thanks again, and have a nice week!

> On 29 Jul 2023, at 23:43, Paolo Lucente  wrote:
> 
> 
> Hi Tiago,
> 
> Great to read from you, about your issues:
> 
> 1) can you send me a pcap with a data packet and the templates, both
> data and sampling option? Being able to replay it will give me a chance
> to understand what may be wrong.
> 
> 2) vlan_out refers to the vlan after, say, some re-tagging took place.
> It does not refer to outer vs inner vlan. What you are looking for is
> cvlan. Problem being cvlan is not currently supported as an aggregation
> primitive but only as a filter in the pre_tag_map. Implementing this
> would not be a biggie & can squeeze in the dev cycles pretty easily;
> just as above, i'd just ask you if you can send me some sample data so
> not to perform the coding blindly.
> 
> Paolo
> 
> 
> On Thu, Jul 27, 2023 at 08:41:17PM +, Tiago Felipe Gonçalves wrote:
>> Hi,
>> 
>> I’m using sfacctd, and nfacctd to collect/digest flows, but I’m having two 
>> issues with IPFIX 315 being exported by Cisco NCSs on my lab environment.
>> 
>> ===
>> 1. The router is sending sampling rate template, but nfacctd is unable to 
>> detect it:
>> Cisco NetFlow/IPFIX
>>Version: 10
>>Length: 140
>>Timestamp: Jul 27, 2023 21:23:32.0 CEST
>>ExportTime: 1690485812
>>FlowSequence: 4603756
>>Observation Domain Id: 4096
>>Set 1 [id=257] (1 flows)
>>FlowSet Id: (Data) (257)
>>FlowSet Length: 124
>>[Template Frame: 3]
>>Flow 1
>>Selector Id: 1
>>Sampling Packet Interval: 32000
>>Selector Algorithm: Random n-out-of-N Sampling (3)
>>Sampling Size: 1
>>Sampling Population: 32000
>>SamplerName: ipfix_sm
>>Selector Name: ipfix_sm
>>String_len_short: 8
>>Padding: 00
>> 
>> Seems that nfacctd understand the template:
>> 
>> DEBUG ( default/core ): Received NetFlow/IPFIX packet from 
>> [192.168.245.145:21660] version [10] seqno [4621414]
>> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [3] from 
>> [192.168.245.145:21660] seqno [4621414]
>> DEBUG ( default/core ): NfV10 agent : 192.168.245.145:4096
>> DEBUG ( default/core ): NfV10 template type : options
>> DEBUG ( default/core ): NfV10 template ID   : 338
>> DEBUG ( default/core ): 
>> -
>> DEBUG ( default/core ): |pen | field type | offset | 
>>  size  |
>> DEBUG ( default/core ): | 0  | 149[149  ] |  0 | 
>>  4 |
>> DEBUG ( default/core ): | 0  | 160[160  ] |  4 | 
>>  8 |
>> DEBUG ( default/core ): 
>> -
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 12
>> DEBUG ( default/core ):
>> DEBUG ( default/core ): Received NetFlow/IPFIX packet from 
>> [192.168.245.145:21660] version [10] seqno [4621414]
>> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [338] from 
>> [192.168.245.145:21660] seqno [4621414]
>> DEBUG ( default/core ): Received NetFlow/IPFIX packet from 
>> [192.168.245.145:21660] version [10] seqno [4621415]
>> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [3] from 
>> [192.168.245.145:21660] seqno [4621415]
>> DEBUG ( default/core ): NfV10 agent : 192.168.245.145:4096
>> DEBUG ( default/core ): NfV10 template type : options
>> DEBUG ( default/core ): NfV10 template ID   : 257
>> DEBUG ( default/core ): 
>> -
>> DEBUG ( default/core ): |pen | field type | offset | 
>>  size  |
>> DEBUG ( default/core ): | 0  | 302[302  ] |  0 | 
>>  4 |
>> DEBUG ( default/core ): | 0  | 305[305  ] |  4 | 
>>  4 |
>> DEBUG ( default/core ): | 0  | 304[304  ] |  8 | 
>>  2 |
>> DEBUG ( default/core ): | 0  | 309[309  ] | 10 | 
>>  4 |
>> DEBUG ( default/core ): | 0  | 310[310  ] | 14 | 
>>  4 |
>> DEBUG ( default/cor

[pmacct-discussion] Cisco NCS - IPFIX 315 - sampling_rate and outer qtag not detected

2023-07-27 Thread Tiago Felipe Gonçalves 
 106
Data Link Frame Section: 
7800044c5ee76800042e0ba6810003f481640800450004ce04d27f06dc7cc612…
Ethernet II, Src: 68:00:04:2e:0b:a6 (68:00:04:2e:0b:a6), Dst: 
78:00:04:4c:5e:e7 (78:00:04:4c:5e:e7)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1012
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
Internet Protocol Version 4, Src: 198.18.101.91, Dst: 198.18.100.91
Transmission Control Protocol, Src Port: 48482, Dst Port: 80, Seq: 
129018, Len: 44
String_len_short: 106

But I’m unable to get vlan_out:
{"event_type": "purge", "mac_src": "68:00:04:2e:0b:55", "mac_dst": 
"78:00:04:4c:5e:e7", "vlan_in": 1012, "vlan_out": 0, "etype": "800", 
"peer_ip_src": "192.168.245.145", "ip_proto": "tcp", "sampling_rate": 0, 
"stamp_inserted": "1690488600", "stamp_updated": "1690488901", "packets": 0, 
"bytes": 0}

Interface config:
interface Bundle-Ether1.1012 l2transport
 encapsulation dot1q 1012 second-dot1q 100
 rewrite ingress tag pop 2 symmetric
 flow datalinkframesection monitor ipfix_mon sampler ipfix_sm ingress
!

IPFIX config:
flow exporter-map ipfix_exp
 version ipfix
  options sampler-table
  template options timeout 30
 !
 dscp 40
 transport udp 2100
 source MgmtEth0/RP0/CPU0/0
 destination 192.168.245.240
!
flow monitor-map ipfix_mon
 record datalinksectiondump
 exporter ipfix_exp
 cache immediate
 cache entries 100
 cache timeout rate-limit 100
!
sampler-map ipfix_sm
 random 1 out-of 32000

Can you please help me with that too? Also, similar setup works for sflow.

===

# nfacctd -V
NetFlow Accounting Daemon, nfacctd 1.7.8-git [20221231-1 (723b0cb2)]

Thanks in advance for any inputs.


--
(Atenciosamente|Best regards|Cordiali Saluti|Vriendelijke groeten),

Tiago Felipe Gonçalves
PGP Fingerprint - A2:82:BD:48:EE:8D:C4:99:C2:4E:81:D4:C4:7B:1C:2E:C7:F3:04:C9
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists