Mike: Are you concerned that the exporting device is NAT/PAT/Masq so you cannot tell which device was the true exporter? Or are you concerned that you cannot identify which host was the true sender of traffic because its IP address is mangled somewhere?
Unfortunately, every time traffic passes a layer 3 device, the MAC address is rewritten. So this is true for routers and firewalls.

If you are concerned about the first scenario, where for instance you have two exporting routers behind the same firewall, and the flow collector cannot distinguish between the two exporters, your options might be limited to creating a tunnel for the packets to the collector. Or, using hardware, you could add another interface to your collector, and also plug it in before the firewall.

In case of host addresses getting mangled, you might not have control over that. If this is done at your own local network, you can put a flow collector in their subnet; you have some software exporter options if you don't want to use another hardware device.

In neither case is the MAC address option of NetFlow 9 going to help you much. It simply forces a router to also record the MAC address of the traffic it relays, in addition to the IP address it sees...

Hope that helps
-Vince

> In RFC3954 - Cisco Systems NetFlow Services Export Version 9
> http://www.faqs.org/rfcs/rfc3954.html
>
> Field Type   Value   Length    Description
>                      (bytes)
> SRC_MAC      56      6         Source MAC Address
>
> When using a firewall that does NAT or PAT does the original MAC address get
> preserved in the packet or is the firewall MAC address substituted?
>
> ____________________________________________________________________
> List archives:
> http://www.mail-archive.com/intermapper-talk%40list.dartware.com/
> To unsubscribe: send email to: [EMAIL PROTECTED]
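As an added illustration, not part of the original thread: a minimal Python parser for the NetFlow v9 template and data FlowSets of RFC 3954 that extracts the SRC_MAC field (type 56, 6 bytes) discussed above. The packet is constructed sample data and assumes an exporting router on the far side of a PAT firewall, so both flows carry the firewall's address and MAC; 192.0.2.1, 02:00:00:00:00:01, the ports and source ID 7 are made-up values.

```python
import struct
from ipaddress import IPv4Address

# RFC 3954 field types; SRC_MAC (56, 6 bytes) is the field quoted in the thread.
L4_SRC_PORT, IPV4_SRC_ADDR, SRC_MAC = 7, 8, 56
NAMES = {L4_SRC_PORT: "src_port", IPV4_SRC_ADDR: "src_ip", SRC_MAC: "src_mac"}

def decode(ftype, raw):
    if ftype == IPV4_SRC_ADDR:
        return str(IPv4Address(raw))
    return raw.hex(":") if ftype == SRC_MAC else int.from_bytes(raw, "big")

def parse_v9(packet):
    """Return (source_id, records) for one NetFlow v9 export packet."""
    version, _n, _up, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("FlowSet length out of bounds")
        body, p = packet[off + 4:off + fs_len], 0
        if fs_id == 0:  # Template FlowSet: template id, field count, type/length pairs
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                if p + 4 + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                templates[tid] = list(struct.iter_unpack("!HH", body[p + 4:p + 4 + 4 * nfields]))
                p += 4 + 4 * nfields
        elif fs_id in templates:  # Data FlowSet: FlowSet id equals the template id
            fields = templates[fs_id]
            size = sum(flen for _, flen in fields)
            while size and p + size <= len(body):  # leftover bytes are padding
                rec = {}
                for ftype, flen in fields:
                    rec[NAMES.get(ftype, ftype)] = decode(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        off += fs_len
    return source_id, records

def sample_packet():
    """Constructed export: two PAT'd flows as seen by a router outside the firewall."""
    fw = IPv4Address("192.0.2.1").packed, bytes.fromhex("020000000001")  # firewall IP, MAC
    tmpl = struct.pack("!10H", 0, 20, 256, 3, IPV4_SRC_ADDR, 4, L4_SRC_PORT, 2, SRC_MAC, 6)
    recs = b"".join(fw[0] + struct.pack("!H", port) + fw[1] for port in (40001, 40002))
    data = struct.pack("!HH", 256, 4 + len(recs)) + recs
    return struct.pack("!HHIIII", 9, 3, 1000, 0, 1, 7) + tmpl + data
```

Calling `parse_v9(sample_packet())` returns two records that differ only in `src_port`: the exported SRC_MAC is the firewall's interface, not the originating host's.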
