Hi, Paolo!
Thanks for your reply!
Unfortunately, the configuration you proposed is only partially suitable. Yes,
I was able to identify my internal networks:
{"event_type": "purge", "as_src": 50305, "as_dst": MYASN, "iface_in": 755,
"iface_out": 507, "ip_src": "193.104.208.80", "ip_dst":
"MY_NETWORK_FROM_NETWORK_FILE", skip}
But I began to see records like the following:
{"event_type": "purge", "as_src": 8870, "as_dst": 4294967295, "iface_in": 546,
"iface_out": 719, "ip_src": "93.171.241.65", "ip_dst": "23.92.59.159", skip}
Maybe the Juniper could not, for some reason, determine the AS and set it in
the flow to 4294967295.

I changed the config to (without networks_file):

nfacctd_as: bgp
nfacctd_peer_as: bgp
bgp_stdcomm_pattern_to_asn: MYASN:MYASN

and tagged all internal routes on my RR with community MYASN:MYASN. This way I
was able to remove the data with "as_dst": 0 for my networks, and "as_dst":
4294967295.
This configuration also makes it possible to determine the correct AS for
customers with which BGP peering is built and from which flows for transit
traffic are collected.

There is also a question:
The first "Purging cache" may occur before the BGP thread has received all info
from the speaker. Can I delay the first "Purging cache" until the BGP exchange
is complete?

> Hi Andrey,
> That is because you are establishing an iBGP session. You have two
> possible alternatives: 1) establish an eBGP session by specifying an ASN
> different than your own via bgp_daemon_as or 2) compose a networks_file
> with your own prefixes where you specify which ASN to assign them to
> (this is in general the solution to go when you have 3rd parties on your
> own IP address space and want to reckon them differently):
> nfacctd_net: fallback
> nfacctd_as: fallback
> networks_file: /path/to/networks.lst
> networks_file_no_lpm: true
> Then in networks.lst:
> 65500,192.168.1.0/24
> 65501,192.168.2.0/25
> 65502,192.168.4.0/23
> Paolo
>
> On Wed, Feb 28, 2018 at 01:10:58PM +0200, Andrey Koblyuk wrote:
>> Hi All!
>> nfacctd 1.7.0 config:
>> nfacctd_port: 2205
>> nfacctd_time_new: true
>> nfacctd_account_options: true
>> nfacctd_as: bgp
>> bgp_daemon: true
>> bgp_daemon_ip: X.X.X.X
>> plugins: print[data]
>> aggregate[data]:
>> src_host,dst_host,src_port,dst_port,proto,src_as,dst_as,in_iface,out_iface
>> print_output[data]: json
>> print_output_file[data]: /storage/test.txt
>> print_output_file_append[data]: false
>> Log bgp:
>> INFO ( default/core/BGP ): [Y.Y.Y.Y] BGP_OPEN: Local AS: MYASNUM Remote AS:
>> MYASNUM HoldTime: 90
>> For any traffic that has src_host or dst_host from my AS (MYASNUM) the
>> as_src or as_dst field is equal to "0". Here are a few lines from the file
>> test.txt:
>> {"event_type": "purge", "as_src": 0, "as_dst": 15169, "iface_in": 546,
>> "iface_out": 755, "ip_src": "MY_AS_NET", "ip_dst": "8.8.8.8", "port_src":
>> 51858, "port_dst": 53, "ip_proto": "udp", "packets": 1, "bytes": 86}
>> {"event_type": "purge", "as_src": 26415, "as_dst": 0, "iface_in": 755,
>> "iface_out": 507, "ip_src": "192.33.14.30", "ip_dst": "MY_AS_NET",
>> "port_src": 53, "port_dst": 37118, "ip_proto": "udp", "packets": 1, "bytes":
>> 1034}
>> As far as I understood by parsing test.txt, this value is assigned to all
>> the routes received from the route-reflector with type "internal".
>> Is it possible to tell the "aggregate[data]" to use instead of "0" the value
>> obtained with BGP_OPEN from the field "Local AS" or "Remote AS"?
>> --
>> ANK32-RIPE
>> _______________________________________________
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists
--
ANK32-RIPE
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
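
An added example, not part of the original thread and not pmacct code: a small Python check that scans print-plugin JSON lines for the two unresolved AS values reported above (0 and 4294967295) and shows which ASN a networks.lst-style prefix list would assign to the address. The function names, the sample records and the most-specific-prefix matching are assumptions of this example, not pmacct behaviour.

```python
import ipaddress
import json

# AS values the thread reports on flows whose AS was not resolved.
UNRESOLVED = {0, 4294967295}

# Constructed sample data: the prefix list reuses the networks.lst lines quoted
# in the thread; the flow records are trimmed-down, made-up print-plugin lines.
SAMPLE_NETWORKS = "65500,192.168.1.0/24\n65501,192.168.2.0/25\n65502,192.168.4.0/23\n"
SAMPLE_FLOWS = [
    '{"event_type": "purge", "as_src": 0, "as_dst": 15169, "ip_src": "192.168.1.10", "ip_dst": "8.8.8.8"}',
    '{"event_type": "purge", "as_src": 8870, "as_dst": 4294967295, "ip_src": "93.171.241.65", "ip_dst": "23.92.59.159"}',
    '{"event_type": "purge", "as_src": 26415, "as_dst": 15169, "ip_src": "192.33.14.30", "ip_dst": "8.8.8.8"}',
    '{"event_type": "purge", "as_src": 0, "ip_s',  # truncated line, skipped
]

def load_networks(text):
    """Parse 'ASN,prefix' lines, most specific prefix first."""
    nets = []
    for line in text.splitlines():
        if line.strip():
            asn, prefix = line.split(",", 1)
            nets.append((ipaddress.ip_network(prefix.strip()), int(asn)))
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)

def lookup(nets, ip):
    """Return the ASN of the most specific listed prefix containing ip, else None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or masked address
        return None
    return next((asn for net, asn in nets if addr in net), None)

def audit(lines, nets):
    """List (side, ip, reported_as, as_from_prefix_list) for unresolved AS fields."""
    findings = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partially written or truncated record
        for side in ("src", "dst"):
            asn = rec.get("as_" + side)
            if asn in UNRESOLVED:
                ip = rec.get("ip_" + side)
                findings.append((side, ip, asn, lookup(nets, ip)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, load_networks(SAMPLE_NETWORKS)):
        print(finding)
```

A finding whose last field is None is an unresolved AS on an address outside the listed prefixes, which is the case a networks_file alone would not cover.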