We're trying to use nfacctd version 1.5.0rc2 to classify groups of traffic based on ip ranges within our network. We have Juniper routers configured with inline jflow. During a consistentcy test we discovered some traffic was missing.
In the example below we list all our networks in a filter. We tag 612
or 613 for inbound traffic, and tag 712 or 713 for outbound traffic. We
see that traffic within our address block gets tagged with 901 or 902.
This traffic either originates from or is destined to the listed blocks.
Are there any reason why the filter shouldn't match this traffic?
We also use nfacctd for replication in transparent mode in front of
this instance.
Our nfacctd.conf:
nfacctd_port: 2102
nfacctd_ip: 0.0.0.0
nfacctd_time_new: true
plugin_buffer_size: 10240
plugin_pipe_size: 1024000
pre_tag_map: pretag.conf
plugins: print[dummy]
pre_tag_filter[dummy]: 900-1000
print_refresh_time[dummy]: 10
aggregate[dummy]: tag,in_iface,out_iface,src_host,dst_host,src_as,dst_as
Our pretag.conf:
set_tag=612 ip=192.0.2.12 filter='dst net 198.51.100.0/24 or dst net
203.0.113.0/24 or dst net 192.0.2.0/24'
set_tag=712 ip=192.0.2.12 filter='src net 198.51.100.0/24 or src net
203.0.113.0/24 or src net 192.0.2.0/24'
set_tag=613 ip=192.0.2.13 filter='dst net 198.51.100.0/24 or dst net
203.0.113.0/24 or dst net 192.0.2.0/24'
set_tag=713 ip=192.0.2.13 filter='src net 198.51.100.0/24 or src net
203.0.113.0/24 or src net 192.0.2.0/24'
set_tag=901 ip=192.0.2.12
set_tag=902 ip=192.0.2.13
set_tag=999 ip=0.0.0.0/0
--
Kind regards,
Martin Topholm
pgpPBZdmdTNqi.pgp
Description: PGP signature
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
