Re: [pmacct-discussion] Juniper IPFIX (as_src)

2018-03-03 Thread Paolo Lucente

Hi Andrey,

Nice solution using bgp_stdcomm_pattern_to_asn to fit the bill, thanks
for your feedback. 

Paolo

On Thu, Mar 01, 2018 at 02:21:49PM +0200, Andrey Koblyuk wrote:
> Hi, Paolo!
> 
> Thanks for your reply!
> 
> Unfortunately, the configuration you proposed is only partially suitable. 
> Yes, I was able to identify my internal networks:
> {"event_type": "purge", "as_src": 50305, "as_dst": MYASN, "iface_in": 755, 
> "iface_out": 507, "ip_src": "193.104.208.80", "ip_dst": 
> "MY_NETWORK_FROM_NETWORK_FILE", skip}
> 
> But I began to have records of the following form:
> {"event_type": "purge", "as_src": 8870, "as_dst": 4294967295, "iface_in": 
> 546, "iface_out": 719, "ip_src": "93.171.241.65", "ip_dst": "23.92.59.159", 
> skip}
> Maybe Juniper could not, for some reason, determine the AS and set it in the
> flow to 4294967295. 
> 
> Change config to (without networks_file)
> 
> nfacctd_as: bgp
> nfacctd_peer_as : bgp
> bgp_stdcomm_pattern_to_asn: MYASN:MYASN
> 
> and tag all internal routes in my RR by community MYASN:MYASN. By this I was 
> able to remove the data with "as_dst": 0 for my networks, and "as_dst": 
> 4294967295. 
> And this configuration is allowed to determine the correct AS to customers, 
> which is built BGP peering and collect flow for transit traffic from them. 
> 
> There is also a question:
> the first "Purging cache" may occur before the BGP thread has received all
> info from the speaker. Can I delay the first "Purging cache" until the BGP
> exchange is complete?
> 
> > Hi Andrey,
> 
> > That is because you are establishing an iBGP session. You have two
> > possible alternatives: 1) establish an eBGP session by specifying an ASN
> > different than your own via bgp_daemon_as or 2) compose a networks_file
> > with your own prefixes where you specify which ASN to assign them to
> > (this is in general the solution to go when you have 3rd parties on your
> > own IP address space and want to reckon them differently):
> 
> > nfacctd_net: fallback
> > nfacctd_as: fallback
> > networks_file: /path/to/networks.lst
> > networks_file_no_lpm: true
> 
> > Then in networks.lst:
> 
> > 65500,192.168.1.0/24
> > 65501,192.168.2.0/25
> > 65502,192.168.4.0/23 
> 
> > Paolo
> >  
> > On Wed, Feb 28, 2018 at 01:10:58PM +0200, Andrey Koblyuk wrote:
> >> Hi All!
> 
> >> nfacctd 1.7.0 config:
> 
> >> nfacctd_port: 2205
> >> nfacctd_time_new: true
> >> nfacctd_account_options: true
> >> nfacctd_as: bgp
> >> bgp_daemon: true
> >> bgp_daemon_ip: X.X.X.X
> 
> >> plugins: print[data]
> 
> >> aggregate[data]: 
> >> src_host,dst_host,src_port,dst_port,proto,src_as,dst_as,in_iface,out_iface
> >> print_output[data]: json
> >> print_output_file[data]: /storage/test.txt
> >> print_output_file_append[data]: false
> 
> >> Log bgp:
> >> INFO ( default/core/BGP ): [Y.Y.Y.Y] BGP_OPEN: Local AS: MYASNUM Remote 
> >> AS: MYASNUM HoldTime: 90
> 
> 
> >> For any traffic that has src_host or dst_host from my AS (MYASNUM) the 
> >> as_src or as_dst field is equal to "0". Here are a few lines from the file 
> >> test.txt:
> 
> >> {"event_type": "purge", "as_src": 0, "as_dst": 15169, "iface_in": 546, 
> >> "iface_out": 755, "ip_src": "MY_AS_NET", "ip_dst": "8.8.8.8", "port_src": 
> >> 51858, "port_dst": 53, "ip_proto": "udp", "packets": 1, "bytes": 86}
> >> {"event_type": "purge", "as_src": 26415, "as_dst": 0, "iface_in": 755, 
> >> "iface_out": 507, "ip_src": "192.33.14.30", "ip_dst": "MY_AS_NET", 
> >> "port_src": 53, "port_dst": 37118, "ip_proto": "udp", "packets": 1, 
> >> "bytes": 1034}
> 
> >> as far as I understood by parsing test.txt - this value is assigned to all 
> >> the routes received from route-reflector with type "internal".
> >> Is it possible to tell the "aggregate[data]" to use instead of "0" the 
> >> value obtained with BGP_OPEN from the field "Local AS" or "Remote AS"? 
> 
> 
> >> -- 
> >> ANK32-RIPE
> 
> 
> >> ___
> >> pmacct-discussion mailing list
> >> http://www.pmacct.net/#mailinglists
> 
> 
> 
> -- 
> ANK32-RIPE
> 

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
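
An added example, not part of the original thread and not pmacct code: a small Python audit of print-plugin JSON output that counts records whose as_src or as_dst carries one of the two unresolved values seen in this thread (0 and 4294967295), grouped by interface, so gaps in AS attribution are visible before the data feeds reporting or detection. The sample lines are constructed, with documentation addresses standing in for MY_AS_NET, and the name `audit` is hypothetical.

```python
import json
from collections import Counter

# ASN values that mark an unresolved AS in the records quoted in this thread.
UNRESOLVED_ASNS = {0, 4294967295}

# Constructed sample of print-plugin JSON output (not real flows).
SAMPLE = """\
{"event_type": "purge", "as_src": 0, "as_dst": 15169, "iface_in": 546, "iface_out": 755, "ip_src": "192.0.2.10", "ip_dst": "8.8.8.8", "packets": 1, "bytes": 86}
{"event_type": "purge", "as_src": 26415, "as_dst": 0, "iface_in": 755, "iface_out": 507, "ip_src": "192.33.14.30", "ip_dst": "192.0.2.10", "packets": 1, "bytes": 1034}
{"event_type": "purge", "as_src": 8870, "as_dst": 4294967295, "iface_in": 546, "iface_out": 719, "ip_src": "93.171.241.65", "ip_dst": "23.92.59.159", "packets": 3, "bytes": 180}
{"event_type": "purge", "as_src": 64500, "as_dst": 15169, "iface_in": 546, "iface_out": 755, "ip_src": "192.0.2.11", "ip_dst": "8.8.4.4", "packets": 2, "bytes": 120}
not-json garbage line
"""


def audit(lines):
    """Summarise unresolved AS fields, keyed by (field, value, interface)."""
    unresolved = Counter()
    total = bad_lines = affected = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad_lines += 1          # truncated or corrupted output line
            continue
        if not isinstance(rec, dict):
            bad_lines += 1
            continue
        total += 1
        hit = False
        # as_src is paired with the ingress interface, as_dst with egress.
        for field, iface in (("as_src", "iface_in"), ("as_dst", "iface_out")):
            asn = rec.get(field)
            if isinstance(asn, int) and asn in UNRESOLVED_ASNS:
                unresolved[(field, asn, rec.get(iface))] += 1
                hit = True
        affected += hit
    return {"total": total, "bad_lines": bad_lines,
            "affected": affected, "unresolved": dict(unresolved)}


if __name__ == "__main__":
    print(audit(SAMPLE.splitlines()))
```
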


Re: [pmacct-discussion] Juniper IPFIX (as_src)

2018-03-01 Thread Andrey Koblyuk
Hi, Paolo!

Thanks for your reply!

Unfortunately, the configuration you proposed is only partially suitable. Yes, 
I was able to identify my internal networks:
{"event_type": "purge", "as_src": 50305, "as_dst": MYASN, "iface_in": 755, 
"iface_out": 507, "ip_src": "193.104.208.80", "ip_dst": 
"MY_NETWORK_FROM_NETWORK_FILE", skip}

But I began to have records of the following form:
{"event_type": "purge", "as_src": 8870, "as_dst": 4294967295, "iface_in": 546, 
"iface_out": 719, "ip_src": "93.171.241.65", "ip_dst": "23.92.59.159", skip}
Maybe Juniper could not, for some reason, determine the AS and set it in the
flow to 4294967295. 

Change config to (without networks_file)

nfacctd_as: bgp
nfacctd_peer_as : bgp
bgp_stdcomm_pattern_to_asn: MYASN:MYASN

and tag all internal routes in my RR by community MYASN:MYASN. By this I was 
able to remove the data with "as_dst": 0 for my networks, and "as_dst": 
4294967295. 
And this configuration is allowed to determine the correct AS to customers, 
which is built BGP peering and collect flow for transit traffic from them. 

There is also a question:
the first "Purging cache" may occur before the BGP thread has received all info
from the speaker. Can I delay the first "Purging cache" until the BGP exchange
is complete?

> Hi Andrey,

> That is because you are establishing an iBGP session. You have two
> possible alternatives: 1) establish an eBGP session by specifying an ASN
> different than your own via bgp_daemon_as or 2) compose a networks_file
> with your own prefixes where you specify which ASN to assign them to
> (this is in general the solution to go when you have 3rd parties on your
> own IP address space and want to reckon them differently):

> nfacctd_net: fallback
> nfacctd_as: fallback
> networks_file: /path/to/networks.lst
> networks_file_no_lpm: true

> Then in networks.lst:

> 65500,192.168.1.0/24
> 65501,192.168.2.0/25
> 65502,192.168.4.0/23 

> Paolo
>  
> On Wed, Feb 28, 2018 at 01:10:58PM +0200, Andrey Koblyuk wrote:
>> Hi All!

>> nfacctd 1.7.0 config:

>> nfacctd_port: 2205
>> nfacctd_time_new: true
>> nfacctd_account_options: true
>> nfacctd_as: bgp
>> bgp_daemon: true
>> bgp_daemon_ip: X.X.X.X

>> plugins: print[data]

>> aggregate[data]: 
>> src_host,dst_host,src_port,dst_port,proto,src_as,dst_as,in_iface,out_iface
>> print_output[data]: json
>> print_output_file[data]: /storage/test.txt
>> print_output_file_append[data]: false

>> Log bgp:
>> INFO ( default/core/BGP ): [Y.Y.Y.Y] BGP_OPEN: Local AS: MYASNUM Remote AS: 
>> MYASNUM HoldTime: 90


>> For any traffic that has src_host or dst_host from my AS (MYASNUM) the 
>> as_src or as_dst field is equal to "0". Here are a few lines from the file 
>> test.txt:

>> {"event_type": "purge", "as_src": 0, "as_dst": 15169, "iface_in": 546, 
>> "iface_out": 755, "ip_src": "MY_AS_NET", "ip_dst": "8.8.8.8", "port_src": 
>> 51858, "port_dst": 53, "ip_proto": "udp", "packets": 1, "bytes": 86}
>> {"event_type": "purge", "as_src": 26415, "as_dst": 0, "iface_in": 755, 
>> "iface_out": 507, "ip_src": "192.33.14.30", "ip_dst": "MY_AS_NET", 
>> "port_src": 53, "port_dst": 37118, "ip_proto": "udp", "packets": 1, "bytes": 
>> 1034}

>> as far as I understood by parsing test.txt - this value is assigned to all 
>> the routes received from route-reflector with type "internal".
>> Is it possible to tell the "aggregate[data]" to use instead of "0" the value 
>> obtained with BGP_OPEN from the field "Local AS" or "Remote AS"? 


>> -- 
>> ANK32-RIPE


>> ___
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists



-- 
ANK32-RIPE




Re: [pmacct-discussion] Juniper IPFIX (as_src)

2018-03-01 Thread Paolo Lucente

Hi Andrey,

That is because you are establishing an iBGP session. You have two
possible alternatives: 1) establish an eBGP session by specifying an ASN
different than your own via bgp_daemon_as or 2) compose a networks_file
with your own prefixes where you specify which ASN to assign them to
(this is in general the solution to go when you have 3rd parties on your
own IP address space and want to reckon them differently):

nfacctd_net: fallback
nfacctd_as: fallback
networks_file: /path/to/networks.lst
networks_file_no_lpm: true

Then in networks.lst:

65500,192.168.1.0/24
65501,192.168.2.0/25
65502,192.168.4.0/23 

Paolo
 
On Wed, Feb 28, 2018 at 01:10:58PM +0200, Andrey Koblyuk wrote:
> Hi All!
> 
> nfacctd 1.7.0 config:
> 
> nfacctd_port: 2205
> nfacctd_time_new: true
> nfacctd_account_options: true
> nfacctd_as: bgp
> bgp_daemon: true
> bgp_daemon_ip: X.X.X.X
> 
> plugins: print[data]
> 
> aggregate[data]: 
> src_host,dst_host,src_port,dst_port,proto,src_as,dst_as,in_iface,out_iface
> print_output[data]: json
> print_output_file[data]: /storage/test.txt
> print_output_file_append[data]: false
> 
> Log bgp:
> INFO ( default/core/BGP ): [Y.Y.Y.Y] BGP_OPEN: Local AS: MYASNUM Remote AS: 
> MYASNUM HoldTime: 90
> 
> 
> For any traffic that has src_host or dst_host from my AS (MYASNUM) the as_src 
> or as_dst field is equal to "0". Here are a few lines from the file test.txt:
> 
> {"event_type": "purge", "as_src": 0, "as_dst": 15169, "iface_in": 546, 
> "iface_out": 755, "ip_src": "MY_AS_NET", "ip_dst": "8.8.8.8", "port_src": 
> 51858, "port_dst": 53, "ip_proto": "udp", "packets": 1, "bytes": 86}
> {"event_type": "purge", "as_src": 26415, "as_dst": 0, "iface_in": 755, 
> "iface_out": 507, "ip_src": "192.33.14.30", "ip_dst": "MY_AS_NET", 
> "port_src": 53, "port_dst": 37118, "ip_proto": "udp", "packets": 1, "bytes": 
> 1034}
> 
> as far as I understood by parsing test.txt - this value is assigned to all 
> the routes received from route-reflector with type "internal".
> Is it possible to tell the "aggregate[data]" to use instead of "0" the value 
> obtained with BGP_OPEN from the field "Local AS" or "Remote AS"? 
> 
> 
> -- 
> ANK32-RIPE
> 
> 
> ___
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
