Hi,

On Fri, Mar 29, 2013 at 12:34:06PM +0000, Phil Mayers wrote:
> On 03/29/2013 10:38 AM, Gert Doering wrote:
> >the question came up elsewhere, and I'm looking for operational experience.
> >
> >Are there cisco platforms that will reliably and correctly fill in the
> >"source MAC address" in netflow records, for IPv4 and IPv6? The packet
> >format permits it, but unless the hardware can do it, it's not that useful.
> >
> >(6500/Sup720 will just leave the source mac blank)
>
> I thought they would fill it in for CPU-generated flows, but a quick
> look in our netflow suggests they're not.
>
> I guess the tricky bit is "which MAC address" because of course there
> could be one, two or dozens for a given flow. It's likely to be smaller
> values, but in FnF terms do you want "mac" to be a "match" or "collect"
> term?

Well, for maximum visibility, you need it to be a "match" item... and
yes, it might increase the number of flows if multiple peers send them
(for whatever reasons - spoofed sources, or load balancing).

OTOH, I cannot really see how it could be a "collect" item anyway - as
far as I understand, "collect" items are collected "from available sources"
the moment the flow is to be exported. Now, which is the source for
"which MAC address did these packets come from"?

Software-based IOS on 7200 did have mac-accounting, which I find quite
useful to see where traffic came from at IXPs - you needed to have reliable
baselines to determine "oh, *that* MAC is now sending 500 Mbit/s, while
they normally only send 5". 6500/Sup720 can't do that either :-(

> I have a vague recollection sup2T claimed to be able to do this?
>
> >Use case: peering router at an IXP - you receive packets that "you don't
>
> Oh, there's a bunch of use-cases - tracking actual origin for ACL denies
> and uRPF fails, tracking real origin for anycast or DSR SLB packets, and
> so on. It would certainly be a useful tool.

Yeah. I just wanted to stop the "nobody needs this" side-track discussion
before it started, with a real-world example.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
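
Added example (not part of the original message or of any Cisco code): a small Python model of the "match" versus "collect" question discussed in the thread, showing how per-MAC attribution changes when the source MAC is not a key field. The packet list is constructed, and the rule that a non-key field keeps the value from the first packet of the flow is an assumption of this sketch.

```python
from collections import defaultdict

# Constructed sample packets: (src_ip, dst_ip, src_mac, bytes).
# Two IXP peers (MACs ending :aa and :bb) send packets with the same source
# IP, as with spoofed sources or load balancing.
PACKETS = [
    ("192.0.2.10", "198.51.100.5", "00:00:5e:00:53:aa", 1500),
    ("192.0.2.10", "198.51.100.5", "00:00:5e:00:53:bb", 1500),
    ("192.0.2.10", "198.51.100.5", "00:00:5e:00:53:bb", 1500),
    ("192.0.2.77", "198.51.100.5", "00:00:5e:00:53:aa", 400),
]


def build_cache(packets, mac_is_key):
    """Aggregate packets into flow records.

    mac_is_key=True  models the MAC as a "match" (key) field.
    mac_is_key=False models it as a "collect" (non-key) field; assumption:
    the recorded value is the one seen on the first packet of the flow.
    """
    cache = {}
    for src, dst, mac, size in packets:
        key = (src, dst, mac) if mac_is_key else (src, dst)
        # setdefault only stores the MAC when the flow record is created.
        rec = cache.setdefault(key, {"src_mac": mac, "bytes": 0, "packets": 0})
        rec["bytes"] += size
        rec["packets"] += 1
    return cache


def bytes_per_mac(cache):
    """Sum exported bytes per source MAC, i.e. a mac-accounting style view."""
    totals = defaultdict(int)
    for rec in cache.values():
        totals[rec["src_mac"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for label, flag in (("match", True), ("collect", False)):
        cache = build_cache(PACKETS, flag)
        print(label, len(cache), "flows", bytes_per_mac(cache))
```

With the MAC as a key field the cache holds one more flow but both peers show up with their own byte counts; as a non-key field the second peer's traffic is booked to the first peer's MAC.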
