Good Morning,

I’m facing a problem with pmacctd trying to use bgp_peer_src_as_map directive 
to populate accordingly the peer_src_as field. Our setup is quite simple:

- The collector (running pmacctd) sees traffic subject to analysis on two 
interfaces
- Every link lives in its own vlan
- One link has multiple peers in it (it’s an IXP)

This is the current configuration:

## pmacct.conf ##
daemonize: false
pcap_interfaces_map: /opt/pmacct/etc/pcap_interfaces.map
pcap_ifindex: map
plugins: memory[in]
aggregate[in]: src_as, peer_src_as
imt_buckets: 65537
imt_mem_pools_size: 65535
imt_mem_pools_number: 1048576
plugin_buffer_size: 1048576
plugin_pipe_size: 134217728
bgp_daemon: true
pmacctd_as: bgp
bgp_agent_map: /opt/pmacct/etc/bgp_agent.map
bgp_peer_src_as_map: /opt/pmacct/etc/bgp_peers.map
bgp_peer_src_as_type: map


## pcap_interfaces.map ##
ifname=enp1s0f0 ifindex=100
ifname=enp1s0f1 ifindex=200

## bgp_agent.map ##
bgp_ip=W.X.Y.Z     ip=0.0.0.0/0 ! W.X.Y.Z is peer’s router id

## bgp_peers.map ##
id=XXXXX ip=0.0.0.0/0 src_mac=xx:xx:xx:xx:xx:xx
id=YYYYY ip=0.0.0.0/0 src_mac=yy:yy:yy:yy:yy:yy
id=ZZZZZ ip=0.0.0.0/0 src_mac=zz:zz:zz:zz:zz:zz

Obviously macs and asns are hidden to protect the innocents (!)

When I start the daemon, it comes up correctly without giving any 
warning/error, but peer_src_as gets always populated with the first entry on 
the relevant map (in this case, XXXXX).
Now I’m wondering, is this configuration supported ? Or maybe src_mac is 
supposed to be used only with nfacctd and sfacctd ?

To overcome the problem I can easily span multiple pmacctd daemons, each one 
with the relevant pcap_filter directive, then collect data separately (which is 
not an issue since the memory plugin is just for debugging purposes, the plan 
is of course is to send everything to influx and/or elasticsearch for further 
analysis)…but this seems rather hackish to me.

Thanks!


-- 
Simone Ricci




_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to