I have a Cisco 1721 with NAT configured.
I set up NetFlow export to flow-tools.
flow-tools does receive the packets, but when I add up the traffic it comes out lower than the real amount (lower, for example, than what squid counted). On analysis it turns out that the cisco is not sending the whole flow, because many records have DstIf = Null.
What could the problem be? Information:
router#sh ip cache flow
IP packet size distribution (973895 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .442 .084 .026 .013 .012 .005 .008 .004 .002 .192 .065 .002 .004 .003

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .002 .002 .036 .022 .066 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
162 active, 3934 inactive, 203732 added
3723040 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 17416 bytes
125 active, 899 inactive, 158596 added, 158596 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          10      0.0         2    44      0.0       5.3       6.9
TCP-FTP             18      0.0        25    57      0.0       4.2      11.4
TCP-FTPD           106      0.0         5   107      0.0       0.9       2.2
TCP-WWW          37557      0.6         8   314      5.3       2.7       3.2
TCP-SMTP         13259      0.2        12   162      2.6      12.2       4.4
TCP-X                2      0.0         1    40      0.0       0.0      15.3
TCP-NNTP            10      0.0         2    44      0.0       5.3       7.0
TCP-other        35450      0.5         3   274      1.9       4.1      14.9
UDP-DNS          22474      0.3         1    70      0.4       1.2      15.4
UDP-NTP           2200      0.0         1    76      0.0       0.0      15.5
UDP-other        46119      0.7         6   292      5.0       4.6      14.5
ICMP              1299      0.0         5    58      0.1       8.4      15.2
Total:          158504      2.5         6   266     15.6       4.2      11.2
cisco#sh ip cache flow | include Null
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl1           192.168.1.64    Null          192.168.1.255   11 0089 0089     3
Vl1           192.168.1.22    Null          192.168.1.255   11 008A 008A     1
Vl1           192.168.1.8     Null          194.106.221.36  11 0409 0035     2
Fa0           85.140.221.63   Null          192.168.1.8     06 0468 0019     5
Vl1           0.0.0.0         Null          255.255.255.255 11 0044 0043    72
Fa0           84.94.56.99     Null          192.168.1.50    11 C114 D49B     1
Fa0           87.246.10.133   Null          192.168.1.50    06 EF5F 08C6     5
Vl1           192.168.1.8     Null          205.171.14.195  11 0409 0035     1
Vl1           192.168.1.8     Null          212.188.8.37    11 0409 0035     2
Fa0           194.186.55.23   Null          192.168.1.241   06 01BB 92EB     1
Fa0           64.12.25.20     Null          192.168.1.241   06 01BB 8D63     1
Fa0           194.186.55.31   Null          192.168.1.241   06 01BB D303    29
Fa0           205.188.9.88    Null          192.168.1.241   06 01BB CA51    12
Fa0           194.186.55.23   Null          192.168.1.241   06 01BB 839A     1
Fa0           205.188.7.189   Null          192.168.1.241   06 01BB C8EA     1
Fa0           83.101.14.245   Null          192.168.1.50    06 7C1C 08CC     5
Fa0           64.12.28.62     Null          192.168.1.241   06 01BB B643     1
Vl1           192.168.1.8     Null          194.37.90.60    11 0409 0035     3
Fa0           205.188.7.221   Null          192.168.1.241   06 01BB BD73     1
Fa0           205.188.8.250   Null          192.168.1.241   06 01BB DE07     1
Fa0           84.94.54.144    Null          192.168.1.50    11 E509 D49B     1
Fa0           71.209.36.87    Null          192.168.1.8     06 1287 0019     6
Fa0           194.186.55.21   Null          192.168.1.241   06 01BB 8927     1
Fa0           64.12.28.108    Null          192.168.1.241   06 01BB DB0F     1
Vl1           192.168.1.111   Null          255.255.255.255 11 0043 0044    72
Fa0           85.238.124.123  Null          192.168.1.50    06 01BB 08CA     5
Vl1           192.168.1.111   Null          192.168.254.9   11 0089 0089     3
Fa0           194.186.55.25   Null          192.168.1.241   06 01BB 8C2E     1
Vl1           192.168.1.8     Null          206.196.128.12  11 0409 0035     1
Fa0           87.246.10.133   Null          192.168.1.50    06 01BB 08C7     5
Fa0           83.101.14.245   Null          192.168.1.50    06 01BB 08CD     5
Fa0           194.186.55.26   Null          192.168.1.241   06 01BB CE8E     1
Fa0           85.238.124.123  Null          192.168.1.50    06 D231 08C9     5
cisco#sh ver
Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(11)T, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Sat 18-Sep-04 09:32 by eaarmas
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
router uptime is 17 hours, 17 minutes
System returned to ROM by reload at 18:32:34 Russia Thu Feb 14 2008
System restarted at 18:35:24 Russia Thu Feb 14 2008
System image file is "flash:c1700-k9o3sy7-mz.123-11.T.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 1721 (MPC860P) processor (revision 0x400) with 60642K/4894K bytes of memory.
Processor board ID FOC08321HCV (587237953), with hardware revision 0000
MPC860P processor: part number 5, mask 2
1 Ethernet interface
5 FastEthernet interfaces
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)
Cisco configuration:
!
! Last configuration change at 16:23:53 Russia Thu Feb 14 2008
!
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security passwords min-length 6
no logging buffered
enable secret 5
!
username aaa privilege 15 view root secret 5
clock timezone Russia 5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip wccp web-cache redirect-list 110
!
!
ip cef
ip domain name aaa.ru
ip name-server xxx
ip name-server xxx
ip name-server xxx
ip ips po max-events 100
!
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
ip route-cache policy
ip route-cache flow
!
interface FastEthernet0
description $ETH-LAN$Internet
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip access-group fa0-in in
ip wccp web-cache redirect out
ip nat outside
ip virtual-reassembly max-reassemblies 64
ip route-cache policy
ip route-cache flow
ip policy route-map OUR_MAP
speed auto
!
interface FastEthernet1
description LOCAL_PORT_1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
shutdown
no cdp enable
!
interface FastEthernet3
no ip address
shutdown
no cdp enable
!
interface FastEthernet4
no ip address
shutdown
no cdp enable
!
interface Vlan1
ip address 192.168.1.11 255.255.255.0
ip access-group Vlan1-out out
ip nat inside
ip virtual-reassembly
ip route-cache policy
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
no ip http server
ip http authentication local
no ip http secure-server
ip flow-export version 5
ip flow-export destination xxx.xxx.xxx.xxx 9999
ip flow-export destination xxx.xxx.xxx.xxx 9999
!
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.9 21 xxx.xxx.xxx.xxx 21 extendable
ip nat inside source static tcp 192.168.1.9 22 xxx.xxx.xxx.xxx 22 extendable
ip nat inside source static tcp 192.168.1.8 25 xxx.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 192.168.1.9 80 xxx.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.1.8 110 xxx.xxx.xxx.xxx 110 extendable
ip nat inside source static tcp 192.168.1.8 3000 xxx.xxx.xxx.xxx 3000 extendable
ip nat inside source static tcp 192.168.1.1 4777 xxx.xxx.xxx.xxx 4777 extendable
ip nat inside source static tcp 192.168.1.111 3389 xxx.xxx.xxx.xxx 4778 extendable
ip nat inside source static tcp 192.168.1.8 3389 xxx.xxx.xxx.xxx 4779 extendable
!
!
ip access-list extended Vlan1-out
permit tcp any host 192.168.1.8
permit tcp any host 192.168.1.9
permit tcp any host 192.168.1.241
permit tcp any eq pop3 192.168.1.0 0.0.0.255
deny tcp any 192.168.1.0 0.0.0.255
permit ip any any
!
!
ip access-list extended fa0-in
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 240.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.128.255.255 any
permit udp any eq ntp host xxx.xxx.xxx.xxx eq ntp
permit tcp any host xxx.xxx.xxx.xxx eq smtp
permit tcp any host xxx.xxx.xxx.xxx eq www
permit tcp any host xxx.xxx.xxx.xxx eq pop3
deny tcp any any range 1 1024
deny udp any any range 1 1024
permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 108 permit ip any 192.168.1.0 0.0.0.255
access-list 110 deny ip host 192.168.1.241 any
access-list 110 permit ip any any
snmp-server community public RO
!
route-map OUR_MAP permit 10
match ip address 108
set interface Loopback0 Vlan1
!
control-plane
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
exec-timeout 0 0
login local
length 0
!
ntp clock-period 17180135
ntp server xxx.xxx.xxx.xxx prefer
ntp server xxx.xxx.xxx.xxx
end
Disabling ip access-group on the interfaces does not fix the problem.
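Added example, not code from the post above and not a flow-tools invocation: a small NetFlow v5 decoder that takes the datagrams an exporter like this one sends and reports how many of the exported packets carry output ifIndex 0, which is what a DstIf of Null in "show ip cache flow" becomes on the wire. It splits those Null flows into traffic the router terminates anyway (local broadcast, DHCP discovery) and unicast to or from LAN hosts that one would have expected to be forwarded. The input is a constructed datagram: the first five flows are copied from the Null rows in the post (ports converted from hex), the last two are made-up forwarded flows. The ifIndex numbers, the 64 bytes per packet and those two forwarded flows are assumptions; the real ifIndex values come from "show snmp mib ifmib ifindex" on the router.

```python
"""Decode NetFlow v5 datagrams and measure how much exported traffic ends on
output ifIndex 0 (the Null interface). Added example for this thread; the
ifIndex map, octet sizes and the two forwarded flows are assumptions."""
import struct
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# NetFlow v5 wire format: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

# ASSUMPTION: SNMP ifIndex values for the 1721's interfaces. The exporter
# uses 0 for Null; check the real numbers with 'show snmp mib ifmib ifindex'.
IFINDEX = {"Fa0": 1, "Vl1": 5, "Null": 0}
UDP, TCP = 17, 6

# Constructed sample: rows 1-5 are Null flows from the post's
# 'show ip cache flow | include Null' output (hex ports converted);
# rows 6-7 are made-up forwarded flows so the Null share is not 100%.
SAMPLE_FLOWS = [
    # (SrcIf, SrcIP, DstIf, DstIP, proto, SrcP, DstP, Pkts)
    ("Vl1", "192.168.1.64",  "Null", "192.168.1.255",   UDP,  137,   137,  3),
    ("Vl1", "0.0.0.0",       "Null", "255.255.255.255", UDP,   68,    67, 72),
    ("Vl1", "192.168.1.8",   "Null", "194.106.221.36",  UDP, 1033,    53,  2),
    ("Fa0", "85.140.221.63", "Null", "192.168.1.8",     TCP, 1128,    25,  5),
    ("Fa0", "194.186.55.31", "Null", "192.168.1.241",   TCP,  443, 54019, 29),
    ("Vl1", "192.168.1.50",  "Fa0",  "87.246.10.133",   TCP, 2246,   443, 40),
    ("Fa0", "87.246.10.133", "Vl1",  "192.168.1.50",    TCP,  443,  2246, 35),
]


def build_datagram(flows, sys_uptime_ms=62_220_000, unix_secs=1_202_990_124):
    """Exporter side of the demo: pack flows into one v5 datagram.
    Octets are assumed as 64 bytes per packet; First/Last are dummies."""
    records = b"".join(
        V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0,
                       IFINDEX[in_if], IFINDEX[out_if], pkts, pkts * 64,
                       sys_uptime_ms - 1000, sys_uptime_ms,
                       sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for in_if, src, out_if, dst, proto, sport, dport, pkts in flows)
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    return header + records


def parse_v5(datagram):
    """Collector side: decode header and records, rejecting other versions
    and truncated datagrams instead of silently mis-parsing them."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"datagram length {len(datagram)} != {expected} for count={count}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": IPv4Address(f[0]), "dst": IPv4Address(f[1]),
                      "input": f[3], "output": f[4], "pkts": f[5], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows


def classify_null_flow(flow, lan=IPv4Network("192.168.1.0/24")):
    """Sort a Null flow into traffic the router terminates itself (never
    forwarded, so never missing from accounting) versus unicast to or from
    LAN hosts, which is the part that would be missing when compared with squid."""
    dst = flow["dst"]
    if flow["proto"] == UDP and {flow["sport"], flow["dport"]} & {67, 68}:
        return "dhcp (expected)"
    if dst == IPv4Address("255.255.255.255") or dst == lan.broadcast_address or dst.is_multicast:
        return "broadcast/multicast (expected)"
    if dst in lan:
        return "unicast into LAN (investigate)"
    return "unicast out of LAN (investigate)"


def summarize(flows, lan=IPv4Network("192.168.1.0/24")):
    """Packets per Null category plus the overall share exported against ifIndex 0."""
    total = sum(f["pkts"] for f in flows)
    by_reason = Counter()
    for f in flows:
        if f["output"] == IFINDEX["Null"]:
            by_reason[classify_null_flow(f, lan)] += f["pkts"]
    null_pkts = sum(by_reason.values())
    return {"total_pkts": total, "null_pkts": null_pkts,
            "null_share": null_pkts / total if total else 0.0,
            "by_reason": dict(by_reason)}


if __name__ == "__main__":
    report = summarize(parse_v5(build_datagram(SAMPLE_FLOWS)))
    print(f"{report['null_pkts']} of {report['total_pkts']} packets "
          f"({report['null_share']:.0%}) exported with output ifIndex 0")
    for reason, pkts in sorted(report["by_reason"].items(), key=lambda kv: -kv[1]):
        print(f"  {pkts:5d}  {reason}")
```

Fed the real export instead of the constructed datagram (parse_v5 on each UDP payload from port 9999), the "investigate" buckets are the check worth doing: if their packet count is roughly the gap between the NetFlow totals and what squid counted, the missing accounting is the inbound unicast to 192.168.1.241, .50 and .8 that the table shows landing on Null, and the broadcast and DHCP rows can be ignored because they would never have crossed the router anyway.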