With “ip flow-export version 5 origin-as” specified on my router, Im getting a lot of src AS 0, inconsistent with what I know the traffic to be. Whats happening?
Are you running CEF on the router? It usually helps a lot. The problem here is that if you’re using the prefix cache (in other words, not running CEF), flow-export packets from the Cisco will contain AS 0 in many of the flows, expecially in the source AS field. The problem here is that flow-export will look in the prefix-cache; if it fails to find a matching prefix cache entry, it sets the corresponding AS field to 0. It will not look in the routing table because it was deemed too expensive. The prefix cache is of course populated by destinations (as that’s how forward works), hence cache misses for a source network lookup can be very frequent in many situations. The typical cause is unidirectional traffic, which is often caused by asymmetric routes. The best way to resolve this problem is to run CEF.
Related Questions
- With "ip flow-export version 5 origin-as" specified on my router, Im getting a lot of src AS 0, inconsistent with what I know the traffic to be. Whats happening?
- How can I configure a Cisco ASA router/firewall to route multicast traffic between two subnets?
- How MRTG (Multi Router Traffic Graffer) works?
