Hi Paolo, No we currently don’t have prefixes as part of our aggregation. networks_file_filter is also not specified in the config.
Adding 'nfacctd_net: fallback' changes the behaviour to be even weirder… Some (not all) flows are now marked with the correct AS, but only as_dst is updated - we still see lots of iBGP prefix flows with as_src as 0. eBGP prefix flows are no longer set to AS0 with 'nfacctd_net: fallback' however. Config as follows; ## nfacctd.conf ## ! Global daemon daemonize: true syslog: daemon ! BGP daemon !bgp_daemon: true !bgp_daemon_max_peers: 2 !bgp_aspath_radius: 3 !bgp_daemon_md5_file: /opt/pmacct/etc/bgp_md5.lst ! Temporarily pull in iBGP networks data from file until BGP is up networks_file: /opt/pmacct/etc/networks.lst nfacctd_as_new: fallback nfacctd_net: fallback ! Netflow input plugin nfacctd_port: 2055 nfacctd_disable_checks: true ! AMQP output daemon amqp_host: localhost amqp_user: pmacct amqp_passwd: xxxx amqp_vhost: /pmacct amqp_exchange: pmacct amqp_persistent_msg: true ! Plugin definitions plugins: amqp[elk_1min] ! 1 minutely aggregates into ELK via amqp aggregate[elk_1min]: src_as, dst_as, src_host, dst_host, src_port, dst_port, proto amqp_routing_key[elk_1min]: acct amqp_history[elk_1min]: 1m amqp_time_roundoff[elk_1min]: m amqp_refresh_time[elk_1min]: 60 ## networks.lst ## 62212,185.43.216.0/22 -Rob > On 23 May 2015, at 10:00, Paolo Lucente <[email protected]> wrote: > > Hi Rob, > > To confirm that: what you are verifying is not the intended behaviour & > what you describe as your understanding is the intended behaviour instead. > > It would help to know if you have prefixes as part of your aggregation; > if yes, whether they are also zeroed out if not in the networks_file or > not. Meanwhile two tests: > > * add 'nfacctd_net: fallback' to your config > * make sure 'networks_file_filter: true' is not set in your config > > If none of this helps out, can you please post (here or privately) your > config so that i can try to reproduce this in lab? > > Cheers, > Paolo > > On Fri, May 22, 2015 at 09:09:30PM +0100, Rob Greenwood wrote: >> Hi, >> >> We’ve got nfacctd running, collecting IPFIX data from a number of Juniper MX >> routers and exporting it into ElasticSearch successfully. >> >> Our iBGP prefixes have their AS in the netflow data as AS0. I’m trying to >> override this by placing our prefixes into a networks.lst, and specifying >> the following config: >> >> networks_file: /opt/pmacct/etc/networks.lst >> nfacctd_as_new: fallback >> >>> From reading the documentation, this should allow me to override prefix >>> ASNs from within the networks.lst, but would then fall back to pulling the >>> ASN from netflow if the prefix doesn’t exist in network.ls. >> >> However, the behaviour I’m seeing is that the ASN for my prefixes is being >> set correctly, but now every other non-matching network is set to AS0. >> >> Is this intended behaviour? >> >> -Rob >> >> >> -- >> DataCentred Limited registered in England and Wales no. 05611763 > > >> _______________________________________________ >> pmacct-discussion mailing list >> http://www.pmacct.net/#mailinglists > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists -- DataCentred Limited registered in England and Wales no. 05611763
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
