On Tue 23 May 2006 16:23, Sven Anderson wrote:
> Hi Peter,
>
> Peter Nixon, 23.05.2006 09:52:
> > I already have a configuration almost identical to yours. As I mentioned
> > below, I am happily getting data from the external interface also; however,
> > the flows are all hidden by the single NAT overload, which means I have no
> > way to associate them with the traffic on the internal interface.
> >
> > Does anyone have a way to resolve this? I figure that there must be a way
> > to get around this problem by using a loopback interface, but as yet I
> > haven't figured out the correct configuration.
>
> Maybe this is a terminology problem. So first I will state some things,
> which are probably already clear:
>
> 1. A flow always has _one_ direction. So if you look at a TCP connection
> on whatever interface, you will get two flows for that connection.
>
> 2. On each interface you can meter both the ingress and egress traffic,
> that is the traffic leaving and entering the router. If your router has
> only two active interfaces, you will meter on both interfaces almost the
> same amount of traffic (besides the traffic directly to/from the router,
> like web interface/NetFlow...).
>
> So, if you want to see the packets on the inner side of the NAT process,
> it makes no sense to meter on the external interface. Just meter on the
> internal interface and you should be fine.
This is not what I am seeing on my system, nor what Cisco says at:
http://www.cisco.com/application/pdf/en/us/guest/products/ps6601/c1244/cdccont_0900aecd8045b422.pdf

"Since both the ping and the Telnet session were part of a two-way flow of traffic, we might expect four NetFlow records, rather than two. For each traffic type, one flow represents traffic on the way out; another flow represents traffic on the way back. However, with one exception to be discussed later, NetFlow only track flows on the physical ingress port, not the egress port. In this example, NetFlow had been disabled intentionally on interface Fa4/0, so that this issue could be illustrated. In order to track the two-way nature of IP traffic flows, it is necessary to enable NetFlow on all interfaces of a router."

I also found:
http://kb.flukenetworks.com/display_results.asp?sid=2&p=/reporteranalyzer/netflow_commands_for_cisco_routers.htm

"Upgrading the router to Cisco's release of NetFlow Egress on IOS 12.3(11)T provides post-NAT NetFlow statistics, giving accurate NetFlow data for NAT traffic."

> If you want to do something exotic, like recording which port-translation
> is done by the NAT process, either the metering has to be done by the NAT
> process itself, or the packets have to be tagged and metered on both
> interfaces, so that you can export two flows, which are linked somehow,
> for example with a FlowID. But if at all, this is only possible with
> NetFlow v9 or IPFIX.

I am using NetFlow 9. I am going to try to upgrade my IOS and see if that helps.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
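The visibility gap discussed in this thread, modelled as an added example (not code from the thread or from pmacct): a two-interface router that meters NetFlow on ingress only, with NAT overload between the interfaces. Every TCP connection yields two unidirectional flows, one per interface, and the outside-interface records all point at the shared NAT address, so they can only be tied back to an inside host with the router's own translation table. The addresses, ports and byte counts are constructed sample values.

```python
NAT_IP = "203.0.113.1"   # constructed: the router's single NAT-overload address

def meter_ingress(connections):
    """Model a two-interface router that meters NetFlow on ingress only.

    Each connection is (inside_ip, inside_port, server_ip, server_port,
    bytes_out, bytes_in). Returns per-interface flow records keyed by the
    unidirectional 5-tuple as that interface sees it on ingress, plus the
    NAT overload table the router built (which the exported flows do not carry).
    """
    flows = {"inside": {}, "outside": {}}
    nat_table = {}                      # (inside_ip, inside_port) -> translated port
    next_port = 1024                    # constructed PAT port range
    for in_ip, in_port, srv_ip, srv_port, bytes_out, bytes_in in connections:
        # Outbound packets enter on the inside interface before translation,
        # so the inside records still carry the real private source address.
        key_out = ("tcp", in_ip, in_port, srv_ip, srv_port)
        flows["inside"][key_out] = flows["inside"].get(key_out, 0) + bytes_out
        # The router overloads every inside source onto NAT_IP:new_port.
        if (in_ip, in_port) not in nat_table:
            nat_table[(in_ip, in_port)] = next_port
            next_port += 1
        t_port = nat_table[(in_ip, in_port)]
        # Replies enter on the outside interface *before* un-translation, so
        # the only local address NetFlow sees there is the shared NAT_IP.
        key_in = ("tcp", srv_ip, srv_port, NAT_IP, t_port)
        flows["outside"][key_in] = flows["outside"].get(key_in, 0) + bytes_in
    return flows, nat_table

def inside_host_for(outside_key, nat_table=None):
    """Map an outside-interface (reply) flow back to the inside host. Without
    the router's NAT table this is impossible: every reply targets NAT_IP."""
    _, _, _, dst_ip, dst_port = outside_key
    if dst_ip != NAT_IP or nat_table is None:
        return None
    for (in_ip, in_port), t_port in nat_table.items():
        if t_port == dst_port:
            return (in_ip, in_port)
    return None

CONNECTIONS = [  # constructed sample: two inside hosts fetch from the same server
    ("192.168.1.10", 40000, "198.51.100.7", 80, 500, 20000),
    ("192.168.1.11", 40000, "198.51.100.7", 80, 600, 30000),
]

if __name__ == "__main__":
    flows, table = meter_ingress(CONNECTIONS)
    for iface, recs in flows.items():
        for key, nbytes in recs.items():
            print(iface, key, nbytes, "->", inside_host_for(key, table))
```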
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
