ARS 1000 Netflow

September 19, 2018 ~ dnzydn ~ Leave a comment

Only Flexible Netflow (FNF) is supported.

Ref : http://www.cisco.com/c/en/us/td/docs/routers/asr1000/release/notes/asr1k_rn_rel_notes/asr1k_feats_important_notes_313s.html#pgfId-3455900

Important Notes
The following sections contain important notes about Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S.

End-of-Sale and End-of-Life of the Cisco Traditional NetFlow Feature
Cisco announces the end-of-sale and end-of-life of the Cisco Traditional NetFlow (TNF) Feature on the Cisco ASR1000 platform. Cisco will not have any future development, CLI support, TAC support, and documentation pertaining to the Cisco TNF feature beyond Cisco IOS XE Software Release 3.10.

Customers with the Cisco TNF feature on the Cisco ASR1000 platform are encouraged to migrate to the Cisco Flexible NetFlow (FNF) feature on the Cisco ASR1000 platform.

For details on transition to Cisco FNF, see the Migrating from Traditional to Flexible NetFlow white paper:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html

Basic config :

sampler TRAFFIC_ACCT_RATE
mode random 1 out-of 500

flow exporter NFSEN
destination 193.192.97.114
source Loopback0
transport udp 2055
export-protocol ipfix
!

flow monitor NFSEN
exporter NFSEN
record netflow-original
!

int X
ip flow monitor NFSEN sampler TRAFFIC_ACCT_RATE input
ip flow monitor NFSEN sampler TRAFFIC_ACCT_RATE output

bps and pps calculation for netflow on ELK and logstash

September 19, 2018 ~ dnzydn ~ Leave a comment

adds some amount of CPU usage!

ruby code for calculation :

ruby {
init => “require ‘time'”
code => “event[‘netflow’][‘duration’] = Time.parse(event[‘netflow’][‘last_switched’]) – Time.parse(event[‘netflow’][‘first_switched’])”
}
if [netflow][in_bytes] {
ruby {
code => “event[‘netflow’][‘in_bits’] = event[‘netflow’][‘in_bytes’] * 8″
}
}
if [netflow][duration] > 0 {
ruby {
code => ”
event[‘netflow’][‘pps’] = event[‘netflow’][‘in_pkts’] / event[‘netflow’][‘duration’] rescue 0
event[‘netflow’][‘bps’] = event[‘netflow’][‘in_bits’] / event[‘netflow’][‘duration’] rescue 0
”
}
} else {
mutate {
replace => [ “[netflow][bps]”, “%{[netflow][in_bits]}” ]
replace => [ “[netflow][pps]”, “%{[netflow][in_pkts]}” ]
}
}
mutate {
convert => [ “[netflow][pps]”, “integer” ]
convert => [ “[netflow][bps]”, “integer” ]
}

IOS XE, IOS XR ISIS MTU

September 19, 2018December 7, 2018 ~ dnzydn ~ Leave a comment

IOS XE, IOS XR ISIS MTU AND ISIS Adjacency Problems due to MTU

CLNS MTU or LSP MTU ? :

On IOS XR you can not change CLNS MTU. It’s derived from interface mtu;

interface GigabitEthernet0/0/0/0
mtu 9000
ipv4 mtu 1500
!
sh im database interface gigabitEthernet 0/0/0/0
.......
.......
Protocol Caps (state, mtu)
-------- -----------------
None spio (up, 9000)
None ether (up, 9000)
arp arp (up, 8986)
clns clns (up, 8986) # interface mtu 9000 - ether header 14
ipv4 ipv4 (up, 1500)
ether_sock ether_sock (up, 8986)

But you can change LSP MTU

router isis XXXXX
lsp-mtu 1500

On IOS XE, clns mtu can be changed under interface parameters;

interface GigabitEthernet0/1
clns mtu 1500

Padding : Default behaviour on both platforms to pad ISIS LSP to interface MTU.

1 – You can adjsut CLNS MTU on IOS XE via interface level command clns mtu or on IOS XR under isis process level lsp-mtu command.

2 – Or you can disable padding of lsp on IOS XE via interface level command no isis hello padding always or on IOS-XR isis process interface level command hello-padding disable