Hello everyone,
I am having a bit of a problem with collecting flows from a Cisco CGSE module
in a CRS-3. It's just a test, but I would be very grateful for any help
provided, be it from developers or guys and gals who use nfdump with Cisco
CGN stuff. I have nfdump compiled with the following options:
./configure --enable-nfprofile --enable-nftrack --enable-sflow --enable-nel --enable-nsel
I run a CGSE NAT44 setup with "bulk-port-alloc size 256", which seems to be
the most sensible option in order to limit the size of the netflow log. I enclosed
the config for reference, the most basic setting possible.
service cgn test
 service-location preferred-active 0/3/CPU0
 service-type nat44 nat1
  portlimit 1024
  inside-vrf sbb-cgse-test
   map address-pool x.x.x.x/x
   external-logging netflow version 9
    server
     address y.y.y.y port 10000
   bulk-port-alloc 256
When I run the collector with output to stdout, I receive fairly useful data,
where I can identify what the NAT creation and deletion is by looking at
"pblock start/end". However, when the data gets written to a file, I seem to
lose the pblock data, which makes it unusable to me.
Apparently part of the problem with the missing data is the fact that CGSE does
not send data that defines the NAT event (check the template format below for
CGSE); however, it's strange that the -E output does not get written to files
identically as it is.
NetFlow Record Format:
http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-3/cg_nat/configuration/guide/cgnat_cg43crs/cgnat51log.html#wp1085003
For example, I see no date/time for the flow records besides "received at" (so
so, OK), and the nat event also comes blank (apparently not defined in the template,
see link above).
nfcapd -E -T all -w -B 200000 -l /root/netflow-test/ -p 10000
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 100
first = 0 [1970-01-01 01:00:00]
last = 0 [1970-01-01 01:00:00]
msec_first = 0
msec_last = 0
src addr = 10.0.0.11
dst addr = 0.0.0.0
src port = 0
dst port = 0
fwd status = 0
tcp flags = 0x00 ......
proto = 0 0
(src)tos = 0
(in)packets = 0
(in)bytes = 0
ip router = z.z.z.z
engine type = 209
engine ID = 51
received at = 1410355577961 [2014-09-10 15:26:17.961]
src xlt ip = a.a.a.a
dst xlt ip = 0.0.0.0
nat event = 0: INVALID
ingress VRF = 1610612738
egress VRF = 1610612736
pblock start = 13824
pblock end = 14079
pblock step = 0
pblock size = 0
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 92
first = 0 [1970-01-01 01:00:00]
last = 0 [1970-01-01 01:00:00]
msec_first = 0
msec_last = 0
src addr = 10.0.0.11
dst addr = 0.0.0.0
src port = 0
dst port = 0
fwd status = 0
tcp flags = 0x00 ......
proto = 0 0
(src)tos = 0
(in)packets = 0
(in)bytes = 0
ip router = z.z.z.z
engine type = 209
engine ID = 51
received at = 1410355781961 [2014-09-10 15:29:41.961]
nat event = 0: INVALID
ingress VRF = 1610612738
egress VRF = 0
pblock start = 13824
pblock end = 0
pblock step = 0
pblock size = 0
-------------------
When written to file it looks like this:
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 100
first = 0 [1970-01-01 01:00:00]
last = 0 [1970-01-01 01:00:00]
msec_first = 0
msec_last = 0
src addr = 10.0.0.11
dst addr = 0.0.0.0
src port = 0
dst port = 0
fwd status = 0
tcp flags = 0x00 ......
proto = 0 0
(src)tos = 0
(in)packets = 0
(in)bytes = 0
ip router = z.z.z.z
engine type = 209
engine ID = 51
received at = 1410355577961 [2014-09-10 15:26:17.961]
src xlt ip = a.a.a.a
dst xlt ip = 0.0.0.0
nat event = 0: INVALID
ingress VRF = 1610612738
egress VRF = 1610612736
pblock start = 13824
pblock end = 14079
pblock step = 0
pblock size = 0
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 92
first = 0 [1970-01-01 01:00:00]
last = 0 [1970-01-01 01:00:00]
msec_first = 0
msec_last = 0
src addr = 10.0.0.11
dst addr = 0.0.0.0
src port = 0
dst port = 0
fwd status = 0
tcp flags = 0x00 ......
proto = 0 0
(src)tos = 0
(in)packets = 0
(in)bytes = 0
ip router = z.z.z.z
engine type = 209
engine ID = 51
received at = 1410355781961 [2014-09-10 15:29:41.961]
nat event = 0: INVALID
ingress VRF = 1610612738
egress VRF = 0
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
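As an added example (not code from the post or from the nfdump project), a small Python checker that parses nfdump -E style record dumps and flags records in which the port-block fields have been lost, classifying allocation versus release the way the post does from "pblock start/end". The sample records are constructed (field names follow the dump format above; the translated address is an RFC 5737 placeholder), and the block width of 256 is assumed from the bulk-port-alloc setting in the post.

```python
import re
from typing import Dict, List

# Constructed sample in the nfcapd -E dump layout: record 1 = port-block
# allocation, record 2 = release, record 3 = a record re-read from file
# that lost its pblock fields (values are not from the post's own dumps).
SAMPLE = """\
Flow Record:
  received at  = 1410355577961 [2014-09-10 15:26:17.961]
  src xlt ip   = 203.0.113.5
  nat event    = 0: INVALID
  pblock start = 13824
  pblock end   = 14079
Flow Record:
  received at  = 1410355781961 [2014-09-10 15:29:41.961]
  nat event    = 0: INVALID
  pblock start = 13824
  pblock end   = 0
Flow Record:
  received at  = 1410355781961 [2014-09-10 15:29:41.961]
  nat event    = 0: INVALID
  ingress VRF  = 1610612738
"""

# "key = value" lines; keys may contain spaces and parentheses, e.g. "(in)packets".
KV = re.compile(r"^\s*([A-Za-z()][A-Za-z()_ ]*?)\s*=\s*(.*?)\s*$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a dump into one dict of field -> value per 'Flow Record:' block."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.strip() == "Flow Record:":
            records.append({})
        elif records and (m := KV.match(line)):
            records[-1][m.group(1).strip()] = m.group(2)
    return records


def classify(rec: Dict[str, str], block_size: int = 256) -> Dict[str, object]:
    """pblock end > 0 -> allocation; start set with end 0 -> release (the post's
    heuristic). Problems list why a record cannot be used for attribution."""
    out: Dict[str, object] = {"received at": rec.get("received at", "?"),
                              "event": "unknown", "problems": []}
    if rec.get("nat event", "0:").startswith("0:"):
        out["problems"].append("nat event not set by exporter")
    if "pblock start" not in rec or "pblock end" not in rec:
        out["problems"].append("pblock fields missing: unusable for attribution")
        return out
    start, end = int(rec["pblock start"]), int(rec["pblock end"])
    if end == 0 and start > 0:
        out["event"] = "release"
    elif end >= start > 0:
        out["event"] = "allocate"
        if end - start + 1 != block_size:  # width must match bulk-port-alloc
            out["problems"].append(f"block width {end - start + 1} != {block_size}")
    return out


def audit(text: str, block_size: int = 256) -> List[Dict[str, object]]:
    return [classify(r, block_size) for r in parse_records(text)]
```

Run audit() over a -E dump taken from stdout and over one produced from the stored file; any record whose problems list mentions missing pblock fields is one where the port-block information did not survive the write.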