Discussion:
[pmacct-discussion] Juniper IPFIX (as_src)
Andrey Koblyuk
2018-02-28 11:10:58 UTC
Hi All!

nfacctd 1.7.0 config:

nfacctd_port: 2205
nfacctd_time_new: true
nfacctd_account_options: true
nfacctd_as: bgp
bgp_daemon: true
bgp_daemon_ip: X.X.X.X

plugins: print[data]

aggregate[data]: src_host,dst_host,src_port,dst_port,proto,src_as,dst_as,in_iface,out_iface
print_output[data]: json
print_output_file[data]: /storage/test.txt
print_output_file_append[data]: false

Log bgp:
INFO ( default/core/BGP ): [Y.Y.Y.Y] BGP_OPEN: Local AS: MYASNUM Remote AS: MYASNUM HoldTime: 90


For any traffic that has src_host or dst_host from my AS (MYASNUM) the as_src or as_dst field is equal to "0". Here are a few lines from the file test.txt:

{"event_type": "purge", "as_src": 0, "as_dst": 15169, "iface_in": 546, "iface_out": 755, "ip_src": "MY_AS_NET", "ip_dst": "8.8.8.8", "port_src": 51858, "port_dst": 53, "ip_proto": "udp", "packets": 1, "bytes": 86}
{"event_type": "purge", "as_src": 26415, "as_dst": 0, "iface_in": 755, "iface_out": 507, "ip_src": "192.33.14.30", "ip_dst": "MY_AS_NET", "port_src": 53, "port_dst": 37118, "ip_proto": "udp", "packets": 1, "bytes": 1034}

As far as I understood by parsing test.txt, this value is assigned to all the routes received from the route-reflector with type "internal".
Is it possible to tell the "aggregate[data]" to use instead of "0" the value obtained with BGP_OPEN from the field "Local AS" or "Remote AS"?
--
ANK32-RIPE
Paolo Lucente
2018-03-01 11:05:03 UTC
Hi Andrey,

That is because you are establishing an iBGP session. You have two
possible alternatives: 1) establish an eBGP session by specifying an ASN
different than your own via bgp_daemon_as or 2) compose a networks_file
with your own prefixes where you specify which ASN to assign them to
(this is in general the solution to go when you have 3rd parties on your
own IP address space and want to reckon them differently):

nfacctd_net: fallback
nfacctd_as: fallback
networks_file: /path/to/networks.lst
networks_file_no_lpm: true

Then in networks.lst:

65500,192.168.1.0/24
65501,192.168.2.0/25
65502,192.168.4.0/23

Paolo
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Andrey Koblyuk
2018-03-01 12:21:49 UTC
Hi, Paolo!

Thanks for your reply!

Unfortunately, the configuration you proposed is only partially suitable. Yes, I was able to identify my internal networks:
{"event_type": "purge", "as_src": 50305, "as_dst": MYASN, "iface_in": 755, "iface_out": 507, "ip_src": "193.104.208.80", "ip_dst": "MY_NETWORK_FROM_NETWORK_FILE", skip}

But I began to get records of the following form:
{"event_type": "purge", "as_src": 8870, "as_dst": 4294967295, "iface_in": 546, "iface_out": 719, "ip_src": "93.171.241.65", "ip_dst": "23.92.59.159", skip}
Maybe Juniper could not, for some reason, determine the AS and set it to 4294967295 in the flow.

I changed the config to (without networks_file):

nfacctd_as: bgp
nfacctd_peer_as : bgp
bgp_stdcomm_pattern_to_asn: MYASN:MYASN

and tagged all internal routes on my RR with community MYASN:MYASN. By this I was able to remove the data with "as_dst": 0 for my networks, and "as_dst": 4294967295.
And this configuration allows determining the correct AS for customers with whom BGP peering is established and from whom flows for transit traffic are collected.

There is also a question:
The first "Purging cache" may occur before the BGP thread has received all info from the speaker. Can I delay the first "Purging cache" until the BGP exchange is complete?
Paolo Lucente
2018-03-03 15:58:14 UTC
Hi Andrey,

Nice solution using bgp_stdcomm_pattern_to_asn to fit the bill, thanks
for your feedback.

Paolo
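
Added example (not part of the original thread and not pmacct code): a post-processing check over print-plugin JSON output that lists every record whose as_src or as_dst is 0 or 4294967295 and shows which entry of a networks.lst-style file, in the "ASN,prefix" format quoted above, would cover that address. The sample addresses, the function names and the most-specific-prefix choice are assumptions of this script and say nothing about how nfacctd resolves ASNs internally.

```python
import ipaddress
import json

# ASN values the thread reports for traffic that was not attributed.
UNRESOLVED = {0, 4294967295}

# Constructed sample in the networks.lst format from the thread (ASN,prefix).
NETWORKS_LST = """\
65500,192.168.1.0/24
65501,192.168.2.0/25
65502,192.168.4.0/23
"""

# Constructed records shaped like the print plugin JSON output in the thread.
SAMPLE_OUTPUT = """\
{"event_type": "purge", "as_src": 0, "as_dst": 15169, "ip_src": "192.168.1.10", "ip_dst": "8.8.8.8", "bytes": 86}
{"event_type": "purge", "as_src": 26415, "as_dst": 0, "ip_src": "192.33.14.30", "ip_dst": "192.168.5.7", "bytes": 1034}
{"event_type": "purge", "as_src": 8870, "as_dst": 4294967295, "ip_src": "93.171.241.65", "ip_dst": "23.92.59.159", "bytes": 60}
"""

def load_networks(text):
    """Parse 'ASN,prefix' lines into (network, asn), most specific first."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        asn, prefix = line.split(",", 1)
        nets.append((ipaddress.ip_network(prefix.strip()), int(asn)))
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)

def lookup(nets, ip):
    """Return the ASN of the most specific covering prefix, or None."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in nets
                 if addr.version == net.version and addr in net), None)

def audit(output_text, nets):
    """List (side, ip, reported_asn, networks_file_asn) for unresolved ASNs."""
    findings = []
    for line in output_text.splitlines():
        rec = json.loads(line)
        for side in ("src", "dst"):
            if rec.get("as_" + side) in UNRESOLVED:
                ip = rec["ip_" + side]
                findings.append((side, ip, rec["as_" + side], lookup(nets, ip)))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_OUTPUT, load_networks(NETWORKS_LST)):
        print(row)
```

A finding whose last field is None is an address no listed prefix covers, so it needs BGP data or a new networks.lst entry before per-AS accounting can be trusted for it.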