Mailing List Archive

RE: [c-nsp] Static ip address info
Mark Tohill <> wrote on Wednesday, November 16, 2005 12:20 PM:

> I sent this originally to BBA List. Hope I'm not off-topic.

Cc'ing bba list
>
> We have DSL users coming in on 7204VXR's over L2TP VPDN acquiring
> static IP's, both gateways and small subnets (/29's for example).
>
> We suspect a lot of our users are not using their /29's and are
> NAT'ing etc. on their gateway addresses.
>
> Is there any relatively easy way of finding out this sort of
> information?
>
> Ideas spring to mind are ACL's, gleaning info from CEF (???), ip
> accounting....
>
> Has anyone ever come up against same problem or has an idea how this
> might work?

What are your objectives? To find out if your product is actually used
the way it is intended to, or if you might as well offer fixed /32
addresses only since most of the customers use NAT anyway?

CEF installs a /29 prefix and doesn't care or tell which addresses out
of this network have been used. IP accounting is a way, but it is
expensive. I would investigate Netflow (possibly sampled) and work from
there.

oli

_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba
RE: [c-nsp] Static ip address info
Thanks Oli for that.

Does anyone know the 'minimal' for Netflow re: monitoring applications
etc.?

Mark

-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer@cisco.com]
Sent: 16 November 2005 11:34
To: Mark Tohill; cisco-nsp@puck.nether.net
Cc: cisco-bba@puck.nether.net
Subject: RE: [c-nsp] Static ip address info
RE: [c-nsp] Static ip address info
I think this may not work in my setup.

When I enable netflow on my L2TP from Telco, I am only seeing L2TP
source and destination tunnel IP's, fair enough.

I take it I would have to set NetFlow to monitor traffic bound for
subnets to be monitored, as opposed to sourced from, i.e. ingress on my
GigE port?

Had a look into sampling etc to reduce stats collection. Came up with:

!
! Sampled NetFlow via MQC. The sampler is attached to the class with
! "netflow-sampler" (not "sampler"), and the interface gets either the
! sampled service-policy or "ip flow ingress" (full NetFlow), not both.
!
flow-sampler-map netflow-subnet-usage-test-sampler-map
 mode random one-out-of 1000
!
! ACL 180 selects the customer prefixes to sample, matched as the SOURCE
! address. 0.0.0.255 is a wildcard mask, i.e. a /24 of customer space.
access-list 180 permit ip X.X.X.X 0.0.0.255 any
access-list 180 permit ip Y.Y.Y.Y 0.0.0.255 any
<and remainder of subnets to be monitored>
!
class-map match-any netflow-subnet-usage-test-class-map
 match access-group 180
!
policy-map netflow-subnet-usage-test-policy-map
 class netflow-subnet-usage-test-class-map
  netflow-sampler netflow-subnet-usage-test-sampler-map
!
interface ATM1/0.101
 service-policy input netflow-subnet-usage-test-policy-map
!
! Without an export destination the samples only ever live in the
! router's flow cache. Collector address and port are placeholders.
ip flow-export version 5
ip flow-export destination <collector-ip> 9996

I still have no idea as to what to do with these stats if they are
collected on the router?

Any 'viewers' out there (I know, not likely)?

Thanks
Mark

-----Original Message-----
From: Stephen J. Wilcox [mailto:steve@telecomplete.co.uk]
Sent: 16 November 2005 19:44
To: Mark Tohill
Cc: Oliver Boehmer (oboehmer); cisco-nsp@puck.nether.net;
cisco-bba@puck.nether.net
Subject: RE: [c-nsp] Static ip address info

for what you describe, either get some basic tool that will give you a
text debug output or write something to dump the packets, then a bit of
grep and sort and you should have the info you need :)

Steve

RE: [c-nsp] Static ip address info
Mark,

you need to enable Netflow on your virtual-access interfaces as well as
on the GigE interface, i.e. where you see the "raw" IP traffic, not the
L2TP-encapsulated traffic.

oli

Mark Tohill <mailto:Mark@u.tv> wrote on Thursday, November 17, 2005 1:15 PM:

> I think this may not work in my setup.
>
> When I enable netflow on my L2TP from Telco, I am only seeing L2TP
> source and destination tunnel IP's, fair enough.
>
> I take it I would have to set NetFlow to monitor traffic bound for
> subnets to be monitored, as opposed to sourced from. i.e ingress on my
> GigE port?
>
Re: RE: [c-nsp] Static ip address info
On Thu, 17 Nov 2005, Oliver Boehmer (oboehmer) wrote:

> Mark,
>
> you need to enable Netflow on your virtual-access interfaces as well as
> on the GigE interface, i.e. where you see the "raw" IP traffic, not the
> L2TP-encapsulated traffic..

And assuming you have a unix box, look for the flow-tools package. You
can use that to collect netflow exported from the router(s) and generate
reports showing you what your IPs are up to...or which ones are generating
traffic and which are not.

You'll probably only be interested in traffic with your IPs as the source
address, since all the IPs are likely the destinations of ever-present
scans.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
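As an added example (not code from the thread, and not flow-tools): the collector-side half of what Mark asked for ("what to do with these stats") and what Jon describes (report which IPs generate traffic and which do not), written in Python against the NetFlow v5 export format a router emits with "ip flow-export version 5". It parses raw v5 datagrams, credits octets to the source address only (so a /29 that is merely the destination of background scans is not counted as in use), scales by the sampling interval the router announces in the export header, and then reports, per assigned /29 or /32, which host addresses have actually sourced traffic. The customer names, the prefixes and the embedded datagram are constructed sample data; a real deployment would feed it the UDP payloads received on the export port.

```python
"""Which addresses inside each assigned prefix actually source traffic?

Added example, not from the mailing-list thread.  Input is raw NetFlow v5
export datagrams; ASSIGNMENTS and SAMPLE_DATAGRAMS below are constructed.
"""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format (big-endian): 24-byte header + up to 30 x 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Return (sampling_interval, [flow dicts]) for one v5 export datagram.

    Anything that is not a well-formed v5 packet raises ValueError, so a
    collector does not silently count garbage that arrives on the export port.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    (version, count, _uptime, _secs, _nsecs, _seq, _engine_type, _engine_id,
     sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if count > 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    # Low 14 bits carry the 1-in-N interval; 0 means the export is unsampled.
    interval = (sampling & 0x3FFF) or 1
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": ipaddress.IPv4Address(r[0]),
                      "dst": ipaddress.IPv4Address(r[1]),
                      "packets": r[5], "octets": r[6], "proto": r[13]})
    return interval, flows


def build_v5(flows, sampling_interval=0):
    """Encode flow dicts as a v5 datagram (used here only to construct input)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(f["src"])),
                       int(ipaddress.IPv4Address(f["dst"])),
                       0, 0, 0, f["packets"], f["octets"], 0, 0,
                       f.get("sport", 0), f.get("dport", 0), 0, 0,
                       f.get("proto", 6), 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + body


def subnet_usage(datagrams, assignments):
    """Per assigned prefix: estimated octets sourced by each usable host address.

    Only the SOURCE address is credited: every address in a customer /29 is a
    destination of scans whether or not the customer uses it.  Octets are
    multiplied by the sampling interval, so values are estimates, not counts.
    """
    seen = defaultdict(int)
    for dg in datagrams:
        interval, flows = parse_v5(dg)
        for f in flows:
            seen[f["src"]] += f["octets"] * interval
    report = {}
    for name, prefix in assignments.items():
        net = ipaddress.IPv4Network(prefix)
        # A /32 gateway address has no "usable host" range; treat it as the host.
        hosts = [net.network_address] if net.prefixlen == 32 else list(net.hosts())
        per_host = {str(h): seen.get(h, 0) for h in hosts}
        used = [h for h, octets in per_host.items() if octets]
        report[name] = {"prefix": prefix, "hosts": per_host,
                        "used": used, "in_use": bool(used)}
    return report


# Constructed sample: two customers, each with a /32 gateway and a routed /29.
ASSIGNMENTS = {
    "cust-a gateway": "203.0.113.10/32",
    "cust-a subnet": "198.51.100.8/29",
    "cust-b gateway": "203.0.113.11/32",
    "cust-b subnet": "198.51.100.16/29",
}

SAMPLE_DATAGRAMS = [build_v5([
    {"src": "198.51.100.9", "dst": "192.0.2.80", "packets": 40, "octets": 52000, "dport": 443},
    {"src": "198.51.100.10", "dst": "192.0.2.25", "packets": 3, "octets": 180, "dport": 25},
    {"src": "203.0.113.10", "dst": "192.0.2.53", "packets": 1, "octets": 64, "proto": 17},
    # customer B only ever sources traffic from its gateway address (NAT)...
    {"src": "203.0.113.11", "dst": "192.0.2.80", "packets": 500, "octets": 700000},
    # ...while its /29 shows up only as a scan destination.
    {"src": "192.0.2.200", "dst": "198.51.100.17", "packets": 1, "octets": 40},
], sampling_interval=1000)]

if __name__ == "__main__":
    for name, entry in subnet_usage(SAMPLE_DATAGRAMS, ASSIGNMENTS).items():
        state = "in use: " + ", ".join(entry["used"]) if entry["in_use"] else "unused"
        print("%-16s %-18s %s" % (name, entry["prefix"], state))
```

Run as-is it prints the two /29s side by side: customer A's subnet shows .9 and .10 sourcing traffic, customer B's subnet shows nothing even though .17 was hit by a scan, which is exactly the NAT-on-the-gateway pattern the thread is trying to detect. With sampled export the per-host figures are estimates scaled by the 1-in-N interval; an address that sourced only a handful of packets can be missed entirely at 1:1000, so judge "unused" over a long window rather than a single export.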