We are a service provider and the routers outside our customer firewalls are ours. Our customers frequently ask why bandwidth usage is so high and what the cause is. They do not have the technology inside their LANs, and even if they did, the top ten in a LAN switch will probably have no bearing on the top 10 that reaches the router outside the firewall.
None of the firewalls our routers are in front of at customer sites are NetFlow capable. So the question becomes: with private networks, how does NetFlow help at all at the router as far as host info, when there is only one IP address hitting the router, the re-written one? As the MAC address is in the datagram but not part of the header, I had hoped it was the original MAC address.

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Vincent Berk
Sent: Thursday, September 18, 2008 5:50 PM
To: InterMapper Discussion
Subject: Re: [IM-Talk] Net Flow and MAC addresses

Mike:

Are you concerned that the exporting device is NAT/PAT/Masq'd so you cannot tell which device was the true exporter? Or are you concerned that you cannot identify which host was the true sender of traffic because its IP address is mangled somewhere?

Unfortunately, every time traffic passes a layer 3 device, the MAC address is rewritten. So this is true for routers and firewalls.

If you are concerned about the first scenario, where for instance you have two exporting routers behind the same firewall and the flow collector cannot distinguish between the two exporters, your options might be limited to creating a tunnel for the packets to the collector. Or, using hardware, you could add another interface to your collector and also plug it in before the firewall.

In case of host addresses getting mangled, you might not have control over that. If this is done at your own local network, you can put a flow collector in their subnet; you have some software exporter options if you don't want to use another hardware device.

In neither case is the MAC address option of NetFlow 9 going to help you much. It simply forces a router to also record the MAC address of the traffic it relays, in addition to the IP address it sees...
Hope that helps
-Vince

> In RFC3954 - Cisco Systems NetFlow Services Export Version 9
> http://www.faqs.org/rfcs/rfc3954.html
>
> Field Type   Value   Length (bytes)   Description
> SRC_MAC      56      6                Source MAC Address
>
> When using a firewall that does NAT or PAT, does the original MAC address get
> preserved in the packet or is the firewall MAC address substituted?
>
> ____________________________________________________________________
> List archives:
> http://www.mail-archive.com/intermapper-talk%40list.dartware.com/
> To unsubscribe: send email to: [EMAIL PROTECTED]
> ____________________________________________________________________
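The point of Vince's reply, and of the SRC_MAC question, can be seen in a small NetFlow v9 decoder. The code below is an added example, not code from this thread or from InterMapper: it builds a v9 export packet from constructed flow records, parses the template and data FlowSets as laid out in RFC 3954, and totals bytes per (source MAC, source IP) the way a collector's "top talkers" view does. All addresses, MAC values and byte counts are made up. The same three sessions are shown as the service-provider router outside a NAT firewall would export them (one public IP, one MAC: the firewall's outside interface) and as an exporter inside the LAN would see them. It also handles the case a collector must get right in practice: a data FlowSet that arrives before its template cannot be decoded and has to be skipped.

```python
import struct
from collections import Counter

# NetFlow v9 field type codes from RFC 3954 section 8. Type 56 is the
# "SRC_MAC" entry quoted in the thread (the RFC lists it as IN_SRC_MAC).
IN_BYTES, IPV4_SRC_ADDR, IPV4_DST_ADDR, IN_SRC_MAC = 1, 8, 12, 56
FIELD_NAMES = {IN_BYTES: "in_bytes", IPV4_SRC_ADDR: "src_ip",
               IPV4_DST_ADDR: "dst_ip", IN_SRC_MAC: "src_mac"}
TEMPLATE_ID = 256  # data FlowSet IDs start at 256; 0 and 1 are reserved


def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_packet(flows, include_template=True):
    """Build one v9 export packet (header + template FlowSet + data FlowSet)
    the way an exporter would. flows: (src_mac, src_ip, dst_ip, in_bytes).
    include_template=False sends data before any template, which is legal on
    the wire and is what a freshly restarted collector sees first."""
    fields = [(IN_SRC_MAC, 6), (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_BYTES, 4)]
    tmpl_body = struct.pack("!HH", TEMPLATE_ID, len(fields))
    tmpl_body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    recs = b""
    for mac, sip, dip, nbytes in flows:
        recs += bytes.fromhex(mac.replace(":", "")) + ip4(sip) + ip4(dip)
        recs += struct.pack("!I", nbytes)
    pad = (-(4 + len(recs))) % 4  # FlowSets are padded to a 4-byte boundary
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(recs) + pad) + recs + b"\x00" * pad
    body = (tmpl_set if include_template else b"") + data_set
    count = (1 if include_template else 0) + len(flows)  # templates + data records
    # version, count, sysUptime, unixSecs, sequence, sourceId
    header = struct.pack("!HHIIII", 9, count, 0, 0, 1, 0)
    return header + body


def decode_field(ftype, raw):
    if ftype == IN_SRC_MAC:
        return ":".join(f"{b:02x}" for b in raw)
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9(pkt, templates=None):
    """Decode the data records in one v9 packet. `templates` is the
    per-exporter template cache a real collector keeps across packets."""
    if templates is None:
        templates = {}
    version, _count = struct.unpack_from("!HH", pkt, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, off = [], 20
    while off + 4 <= len(pkt):
        set_id, set_len = struct.unpack_from("!HH", pkt, off)
        if set_len < 4 or off + set_len > len(pkt):
            raise ValueError("malformed FlowSet length")
        body = pkt[off + 4:off + set_len]
        if set_id == 0:  # template FlowSet: one or more templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                if p + 4 + 4 * nfields > len(body):
                    break  # trailing padding, not another template
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 + 4 * i)
                                  for i in range(nfields)]
                p += 4 + 4 * nfields
        elif set_id >= 256:  # data FlowSet: decodable only once its template is known
            fields = templates.get(set_id)
            if fields is not None:
                rec_len = sum(l for _, l in fields)
                p = 0
                while p + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        off += set_len
    return records


def top_sources(records, n=10):
    """Bytes per (src_mac, src_ip): the 'top talkers' view a collector shows."""
    totals = Counter()
    for r in records:
        totals[(r["src_mac"], r["src_ip"])] += r["in_bytes"]
    return totals.most_common(n)


# Constructed sample: the same three sessions as exported (a) by the SP router
# outside the customer's NAT firewall and (b) by an exporter inside the LAN.
# Outside, every flow carries the firewall's public IP and outside-interface MAC.
FIREWALL_MAC, FIREWALL_IP = "00:11:22:33:44:55", "203.0.113.10"
OUTSIDE_FLOWS = [
    (FIREWALL_MAC, FIREWALL_IP, "198.51.100.20", 900000),
    (FIREWALL_MAC, FIREWALL_IP, "198.51.100.21", 1500),
    (FIREWALL_MAC, FIREWALL_IP, "198.51.100.22", 4200),
]
INSIDE_FLOWS = [
    ("3c:97:0e:aa:bb:01", "192.168.1.10", "198.51.100.20", 900000),
    ("3c:97:0e:aa:bb:02", "192.168.1.11", "198.51.100.21", 1500),
    ("3c:97:0e:aa:bb:03", "192.168.1.12", "198.51.100.22", 4200),
]

if __name__ == "__main__":
    for label, flows in (("outside firewall", OUTSIDE_FLOWS), ("inside LAN", INSIDE_FLOWS)):
        print(label, top_sources(parse_v9(build_packet(flows))))
```

Run stand-alone, the outside view collapses to a single (MAC, IP) entry carrying all 905700 bytes, while the inside view lists three hosts; that is the difference between what the SP router can export and what the customer actually wants to know. Note also that `parse_v9` returns nothing for a data FlowSet whose template it has not yet cached, so a collector has to keep the template cache across packets (and per exporter) rather than decode each packet in isolation.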
