Hi Zenon,

On Tue, Oct 27, 2009 at 01:16:06PM +0200, Zenon Mousmoulas wrote:

> 1. Does bgp_peer_src_as_map apply both to src and dst AS or only the
> first? In any case, I don't understand how bgp_nexthop can be used
> for calculating the peer src AS, since that field applies to the
> destination recorded in the flow record?

As the name says, bgp_peer_src_as_map applies to the src peer AS
only. bgp_nexthop check in the context of bgp_peer_src_as_map is
employed to do a reverse lookup on the source IP prefix and check
the bgp_nexthop (ie. where the ingress router would route to the
source IP prefix) is what you expect (ie. traffic is symmetric).
Makes sense?

> 2. Does bgp_peer_src_as_map work with as-aggregated netflow?
> Actually a broader question is if any of BGP lookup features work
> when using any form of aggregated flow records where src/dst IP
> address is not available.

Broader question is good: correlation of NetFlow and BGP is done
by looking up source and destination IP prefixes in NetFlow into
the BGP RIB. If you aggregate IP addresses logically to the network
boundaries - then it's still OK. If you aggregate by removing the
IP layer at all and export only AS numbers, well, it will not work
anymore ... but you are raising a very valid point. 

IMHO, it would be good to put some effort in this direction -
specifically, before even developing something general-purpose, it
should be seen how much accuracy is affected by rather common
de-aggregation or prefix load-balancing practices on the internet:
ie. I have one AS, two /18 allocations, two upstream providers: I'll
advertise a /18 here and one there.

> 3. In BGP peerings it is quite common practice to advertise
> "next-hop self" for a number of different, valid reasons. Am I right
> to assume such a practice effectively renders useless any next-hop
> based lookups?

iBGP or eBGP? Can you bring an example?

> On a different topic: I have seen that nfacctd detects and supports
> netflow v5 sampling, but I am not sure if this is also true for v9.
> It may have been mentioned somewhere/discussed previously, but I
> have been unable to dig it up. I am fully aware however that
> detecting sampling in netflow v9 PDUs does require a lot more
> work...

NetFlow v9 sampling is supported as of 0.12.0rc3 (which is currently
in the CVS and due to be released ... soonish). 

Cheers,
Paolo


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
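
The reverse lookup described in the reply above, as a small model added here for illustration; it is not pmacct code and not part of the original message. The RIB contents, AS numbers, the `in_iface` field and all function names are constructed assumptions.

```python
import ipaddress

# Constructed RIB of the ingress router: prefix -> BGP next hop (documentation ranges).
RIB = {
    "198.51.100.0/24": "192.0.2.1",
    "203.0.113.0/24": "192.0.2.2",
    "203.0.113.128/25": "192.0.2.1",  # more specific announced via the other upstream
}

# Hypothetical map entries for this model: peer source AS to assign ("id") when a flow
# enters on "in_iface" and the reverse lookup returns the expected "bgp_nexthop".
PEER_SRC_AS_MAP = [
    {"id": 64501, "in_iface": 10, "bgp_nexthop": "192.0.2.1"},
    {"id": 64502, "in_iface": 20, "bgp_nexthop": "192.0.2.2"},
]

def reverse_lookup(rib, src_ip):
    """Longest-prefix match of the flow's source address; returns the next hop or None."""
    ip = ipaddress.ip_address(src_ip)
    matches = [ipaddress.ip_network(p) for p in rib if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return rib[str(best)]

def peer_src_as(flow, rib=RIB, entries=PEER_SRC_AS_MAP):
    """Return the peer source AS for a flow, or None when it cannot be determined."""
    if flow.get("src_ip") is None:      # AS-aggregated record: nothing to look up
        return None
    nexthop = reverse_lookup(rib, flow["src_ip"])
    for e in entries:
        if e["in_iface"] == flow["in_iface"] and e["bgp_nexthop"] == nexthop:
            return e["id"]              # return path matches ingress: symmetric
    return None                         # unknown prefix or asymmetric routing
```

A source inside 203.0.113.128/25 arriving on interface 20 resolves to no peer AS in this model, because the more specific route points back through the other upstream; this is the de-aggregation case raised in the reply.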
