1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
!
! bgp_peer_src_as_map: BGP source peer ASN map
!
! File syntax is key-based. Read full syntax rules in 'pretag.map.example' in
! this same directory.
!
! nfacctd, sfacctd: valid keys: id, ip, in, bgp_nexthop, src_mac, vlan.
!
! pmacctd, uacctd: valid keys: id, ip, filter.
!
! list of currently supported keys follow:
!
! 'id' SET: value to assign to a matching packet or flow. Other
! than hard-coded AS numbers, this field accepts also the
! 'bgp' keyword which triggers a BGP lookup and returns
! its result: useful to handle exceptions.
! 'ip' MATCH: in nfacctd this is compared against the source
! IP address of the device originating NetFlow packets;
! in sfacctd this is compared against the AgentId field
! of received sFlow samples. Expected argument are an IP
! address or prefix (ie. XXX.XXX.XXX.XXX/NN). 0.0.0.0/0
! would match all IPv4 addresses; ::/0 would match all
! IPv6 addresses.
! 'in' MATCH: input interface
! 'bgp_nexthop' MATCH: BGP next-hop of the flow source IP address (RPF-
! like). This value is compared against the corresponding
! BGP RIB of the exporting device.
! 'peer_dst_as' MATCH: first AS hop within the AS-PATH of the source IP
! address (RPF-like). This value is compared against the
! BGP RIB of the exporting device (see 'bgp_daemon'
! configuration directive).
! 'src_mac' MATCH: In NetFlow v9 and IPFIX this is compared against
! IE #56, in sFlow against source MAC address field part
! of the Extended Switch object.
! 'vlan' MATCH: In NetFlow v9 and IPFIX this is compared against
! IE #58, in sFlow against in/out VLAN ID fields part of
! the Extended Switch object.
! 'filter' MATCH: incoming data is compared against the supplied
! filter expression (expected in libpcap syntax); the
! filter needs to be enclosed in quotes (').
!
! Examples:
!
! Private peering with AS12345 on router with IP address 192.168.2.1, SNMP ifIndex 7
!
id=12345 ip=192.168.2.1 in=7
! A way to model a public internet exchange - in case MAC addresses are not available,
! ie. NetFlow v5. The catch-all entry at the end can be the AS number of the exchange.
! 'peer_dst_as' can be used instead of the BGP next-hop for the very same purpose, with
! perhaps 'peer_dst_as' being more effective in case of, say, egress NetFlow. Note that
! by using either 'bgp_nexthop' or 'peer_dst_as' for this purpose constitutes only an
! educated guess.
!
id=34567 ip=192.168.1.1 in=7 bgp_nexthop=10.10.10.1
id=45678 ip=192.168.1.1 in=7 bgp_nexthop=10.10.10.2
id=56789 ip=192.168.1.1 in=7
! A way to model a public internet exchange - in case MAC addresses are available. The
! method is exact and hence doesn't require a catch-all entry at the end.
!
id=34567 ip=192.168.1.1 in=7 src_mac=00:01:02:03:04:05
id=45678 ip=192.168.1.1 in=7 src_mac=00:01:02:03:04:06
! Same example as the previous one but with pmacctd / uacctd:
id=34567 ip=0.0.0.0/0 filter='ether src 00:01:02:03:04:05'
id=45678 ip=0.0.0.0/0 filter='ether src 00:01:02:03:04:06'
! A simple example on how to trigger BGP lookups rather than returning a fixed result.
! This allows to handle exceptions to static mapping
id=bgp ip=192.168.2.1 in=7
|
