Hi,

I’m using sfacctd and nfacctd to collect/digest flows, but I’m having two 
issues with IPFIX 315 being exported by Cisco NCSs in my lab environment.

=======================================================================================================================
1. The router is sending a sampling rate template, but nfacctd is unable to 
detect it:
Cisco NetFlow/IPFIX
    Version: 10
    Length: 140
    Timestamp: Jul 27, 2023 21:23:32.000000000 CEST
        ExportTime: 1690485812
    FlowSequence: 4603756
    Observation Domain Id: 4096
    Set 1 [id=257] (1 flows)
        FlowSet Id: (Data) (257)
        FlowSet Length: 124
        [Template Frame: 3]
        Flow 1
            Selector Id: 1
            Sampling Packet Interval: 32000
            Selector Algorithm: Random n-out-of-N Sampling (3)
            Sampling Size: 1
            Sampling Population: 32000
            SamplerName: ipfix_sm
            Selector Name: ipfix_sm
                String_len_short: 8
        Padding: 000000

It seems that nfacctd understands the template:

DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621414]
DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [3] from [192.168.245.145:21660] seqno [4621414]
DEBUG ( default/core ): NfV10 agent         : 192.168.245.145:4096
DEBUG ( default/core ): NfV10 template type : options
DEBUG ( default/core ): NfV10 template ID   : 338
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): |    pen     |         field type         | offset |  size  |
DEBUG ( default/core ): | 0          | 149                [149  ] |      0 |      4 |
DEBUG ( default/core ): | 0          | 160                [160  ] |      4 |      8 |
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 12
DEBUG ( default/core ):
DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621414]
DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [338] from [192.168.245.145:21660] seqno [4621414]
DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621415]
DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [3] from [192.168.245.145:21660] seqno [4621415]
DEBUG ( default/core ): NfV10 agent         : 192.168.245.145:4096
DEBUG ( default/core ): NfV10 template type : options
DEBUG ( default/core ): NfV10 template ID   : 257
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): |    pen     |         field type         | offset |  size  |
DEBUG ( default/core ): | 0          | 302                [302  ] |      0 |      4 |
DEBUG ( default/core ): | 0          | 305                [305  ] |      4 |      4 |
DEBUG ( default/core ): | 0          | 304                [304  ] |      8 |      2 |
DEBUG ( default/core ): | 0          | 309                [309  ] |     10 |      4 |
DEBUG ( default/core ): | 0          | 310                [310  ] |     14 |      4 |
DEBUG ( default/core ): | 0          | sampler name       [84   ] |     18 |     90 |
DEBUG ( default/core ): | 0          | 335                [335  ] |    108 |  65535 |
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 107
DEBUG ( default/core ):
DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621415]
DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [257] from [192.168.245.145:21660] seqno [4621415]
DEBUG ( default/core ): Received NetFlow/IPFIX packet from [172.31.31.162:63625] version [10] seqno [2092073163]
DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [335] from [172.31.31.162:63625] seqno [2092073163]

But when printing the data, it seems that sampling_rate is not being detected:
{"event_type": "purge", "mac_src": "68:00:04:2e:0b:55", "mac_dst": "78:00:04:4c:5e:e7", "vlan_in": 1012, "vlan_out": 0, "etype": "800", "peer_ip_src": "192.168.245.145", "ip_proto": "tcp", "sampling_rate": 0, "stamp_inserted": "1690488600", "stamp_updated": "1690488901", "packets": 0, "bytes": 0}

I have configured nfacctd_renormalize to true, and the same configuration 
pattern works for sflow. Can you please help me with that? Am I missing 
something?

=======================================================================================================================
2. I have a few l2transports using 2 qtags, and I do see it in the pcap:
Flow 4
    InputInt: 15
    OutputInt: 5
    Data Link Frame Size: 106
    Data Link Frame Section: 7800044c5ee76800042e0ba6810003f4810000640800450004ce04d200007f06dc7cc612…
        Ethernet II, Src: 68:00:04:2e:0b:a6 (68:00:04:2e:0b:a6), Dst: 78:00:04:4c:5e:e7 (78:00:04:4c:5e:e7)
        802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1012
        802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
        Internet Protocol Version 4, Src: 198.18.101.91, Dst: 198.18.100.91
        Transmission Control Protocol, Src Port: 48482, Dst Port: 80, Seq: 129018, Len: 44
        String_len_short: 106

But I’m unable to get vlan_out:
{"event_type": "purge", "mac_src": "68:00:04:2e:0b:55", "mac_dst": "78:00:04:4c:5e:e7", "vlan_in": 1012, "vlan_out": 0, "etype": "800", "peer_ip_src": "192.168.245.145", "ip_proto": "tcp", "sampling_rate": 0, "stamp_inserted": "1690488600", "stamp_updated": "1690488901", "packets": 0, "bytes": 0}

Interface config:
interface Bundle-Ether1.1012 l2transport
 encapsulation dot1q 1012 second-dot1q 100
 rewrite ingress tag pop 2 symmetric
 flow datalinkframesection monitor ipfix_mon sampler ipfix_sm ingress
!

IPFIX config:
flow exporter-map ipfix_exp
 version ipfix
  options sampler-table
  template options timeout 30
 !
 dscp 40
 transport udp 2100
 source MgmtEth0/RP0/CPU0/0
 destination 192.168.245.240
!
flow monitor-map ipfix_mon
 record datalinksectiondump
 exporter ipfix_exp
 cache immediate
 cache entries 1000000
 cache timeout rate-limit 1000000
!
sampler-map ipfix_sm
 random 1 out-of 32000

Can you please help me with that too? Also, a similar setup works for sflow.

=======================================================================================================================

# nfacctd -V
NetFlow Accounting Daemon, nfacctd 1.7.8-git [20221231-1 (723b0cb2)]

Thanks in advance for any input.


--
(Atenciosamente|Best regards|Cordiali Saluti|Vriendelijke groeten),

Tiago Felipe Gonçalves
PGP Fingerprint - A2:82:BD:48:EE:8D:C4:99:C2:4E:81:D4:C4:7B:1C:2E:C7:F3:04:C9
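
Added example for issue 1 above (not part of the original post and not pmacct code): a Python decoder that applies options template 257, exactly as printed in the nfacctd debug output, to one data record and derives the 1-in-N rate from samplingPopulation / samplingSize. The record bytes are constructed from the values in the Wireshark decode; NUL padding of the 90-byte samplerName field is an assumption.

```python
import struct

# Options template 257 as printed in the nfacctd debug output above:
# (IPFIX element id, size). Size 65535 marks a variable-length field.
TEMPLATE_257 = [(302, 4), (305, 4), (304, 2), (309, 4), (310, 4),
                (84, 90), (335, 65535)]
# IANA IPFIX element names for those ids.
NAMES = {302: "selectorId", 305: "samplingPacketInterval",
         304: "selectorAlgorithm", 309: "samplingSize",
         310: "samplingPopulation", 84: "samplerName", 335: "selectorName"}
STRING_IES = {84, 335}

def decode_record(template, data):
    """Decode one data record; return (fields, bytes consumed)."""
    fields, pos = {}, 0
    for ie, size in template:
        if size == 65535:                      # RFC 7011 variable length
            if pos >= len(data):
                raise ValueError("truncated before element %d" % ie)
            size, pos = data[pos], pos + 1     # short form: 1-byte length
            if size == 255:                    # long form: 2-byte length follows
                if pos + 2 > len(data):
                    raise ValueError("truncated length for element %d" % ie)
                size, pos = int.from_bytes(data[pos:pos + 2], "big"), pos + 2
        raw = data[pos:pos + size]
        if len(raw) != size:
            raise ValueError("truncated in element %d" % ie)
        pos += size
        name = NAMES.get(ie, "ie%d" % ie)
        if ie in STRING_IES:
            fields[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
        else:
            fields[name] = int.from_bytes(raw, "big")
    return fields, pos

def sampling_rate(fields):
    """1-in-N ratio for random n-out-of-N sampling."""
    if fields["samplingSize"] == 0:
        raise ValueError("samplingSize is zero")
    return fields["samplingPopulation"] // fields["samplingSize"]

def constructed_record():
    """Constructed sample bytes carrying the values shown in the pcap decode."""
    name = b"ipfix_sm"
    fixed = struct.pack("!IIHII", 1, 32000, 3, 1, 32000)
    return fixed + name.ljust(90, b"\x00") + bytes([len(name)]) + name
```

The constructed record decodes to 117 bytes; with the 4-byte set header and the 3 padding bytes that gives the FlowSet Length of 124 shown in the pcap.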
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
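
Added example for issue 2 above (not part of the original post and not pmacct code): a Python parser that walks the Ethernet header of the Data Link Frame Section quoted in Flow 4 and lists every stacked 802.1Q tag, outer first. Only the bytes visible in the post are used; the capture is truncated after them, and treating 0x88a8 as a tag TPID is an addition beyond the 0x8100 tags seen here.

```python
# Visible prefix of "Data Link Frame Section" from Flow 4 in the post.
FRAME_PREFIX = bytes.fromhex(
    "7800044c5ee76800042e0ba6810003f481000064"
    "0800450004ce04d200007f06dc7cc612")

VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q and 802.1ad tag protocol ids

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_l2(frame):
    """Return MACs, the list of VLAN ids (outer first), ethertype, L3 offset."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    pos, vlans = 12, []
    while True:
        if pos + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        etype = int.from_bytes(frame[pos:pos + 2], "big")
        pos += 2
        if etype not in VLAN_TPIDS:
            break
        if pos + 2 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        tci = int.from_bytes(frame[pos:pos + 2], "big")
        pos += 2
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN id
    return {"mac_dst": mac(frame[0:6]), "mac_src": mac(frame[6:12]),
            "vlans": vlans, "etype": "%x" % etype, "l3_offset": pos}

if __name__ == "__main__":
    print(parse_l2(FRAME_PREFIX))
```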
