06 Feb

Ask about Netflow data using natural language

This is one of those projects destined to end up in a drawer or only live for a few days. I had a lot of NetFlow data on hand and came up with the idea of writing a chatbot to query that data using natural language. Since I’d never built a chatbot before, why not? Up until now, I had mostly worked with models from OpenAI or Azure. I wasn’t too keen on exposing my NetFlow data to public models, so I ran the model on my own server. Plus, it just so happened that the news about the Chinese model DeepSeek had broken that week. Ultimately, the data doesn’t even get sent to the model; it doesn’t need to be, since everything is stored in a local Elastic Stack. Although the concept changed mid-development, my desire to use a local model remained. A few people asked for more details about the project and for the code to be shared, so I invite you to read on and check out the repository.

30 Mar

ASR1k NAT really does not like secondary addresses

Cisco routers have never liked secondary addresses when NAT is configured on the same interface. You can always expect unpredictable behavior, and translating to a secondary address never worked. On the ASR1k it’s even worse.

Configuration for testing was pretty simple.

interface TenGigabitEthernet0/2/0
 ip address 10.15.15.254 255.255.255.0 secondary
 ip address 130.189.160.161 255.255.255.252
 ip nat outside
!
ip nat pool test-r 130.189.160.161 130.189.160.161 netmask 255.255.255.252
ip nat inside source list test-r-list pool test-r overload

On an ISR this configuration should work; at least I made it run on Dynamips with 12.4T software. On the ASR1k with IOS XE it does not work regardless of the software version used. If you enable debugging, you’ll find something like this in the logs:

*Mar 24 06:49:12.482: NAT: setup alias for 130.189.160.161 (redundancy_name , idb TenGigabitEthernet0/2/0, flags 0x2)
*Mar 24 06:49:12.482: NAT: installing alias for address 130.189.160.161, addr_flags 0x2
*Mar 24 06:49:12.482: NAT: alias insert failed for 130.189.160.161

Traffic flows through the ASR router, a translation entry is created in the NAT table and the traffic reaches its destination, but almost all of the return traffic that should use the same translation is dropped by the ASR. Almost all, because ICMP pings work fine while UDP and TCP flows are dropped.

There are two solutions to this problem. You can create the translation rule using the interface instead of a pool; the ASR will then use the primary address as the translation source and it works fine.

ip nat inside source list test-r-list interface TenGigabitEthernet0/2/0 overload

The other solution is to split the physical interface into two subinterfaces using dot1q tagging and apply ip nat outside only on the subinterface that carries the public addresses.
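The subinterface variant of that workaround, written out here as an added example rather than configuration from the original post; the VLAN IDs 15 and 160 and the ACL name are assumptions, the addresses are the ones from the test configuration above:

```cisco
! Physical interface carries only the two tagged VLANs, no IP of its own
interface TenGigabitEthernet0/2/0
 no ip address
!
! Former secondary subnet moves to its own subinterface (VLAN 15 assumed);
! no "ip nat outside" here, so NAT never sees this address as an alias candidate
interface TenGigabitEthernet0/2/0.15
 encapsulation dot1Q 15
 ip address 10.15.15.254 255.255.255.0
!
! Public /30 on a separate subinterface (VLAN 160 assumed) is the only NAT outside interface
interface TenGigabitEthernet0/2/0.160
 encapsulation dot1Q 160
 ip address 130.189.160.161 255.255.255.252
 ip nat outside
!
! Pool and rule unchanged: the pool address is now the primary address of the outside interface
ip nat pool test-r 130.189.160.161 130.189.160.161 netmask 255.255.255.252
ip nat inside source list test-r-list pool test-r overload
```

The upstream switch port must be a trunk allowing VLANs 15 and 160; after applying this, a successful NAT setup no longer produces the "alias insert failed" debug line shown above.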

What’s also disturbing is the fact that the NetFlow Event Logger (refer to this post), which should send NetFlow v9 events to the collector, starts sending weird data. In my tests it stopped sending information about the creation or removal of NAT entries. No data sets were sent to the collector, just templates, and not the ones described by templateId=259.

21 Mar

NetFlow Event Logger on ASR1k

ISPs are not yet ready to deploy IPv6 to end customers, and the lack of IPv4 address space forces them to use NAT in their networks. Unfortunately, more and more governments require logging of what users do and which IP addresses they connect to. NAT event logging to syslog has been available for quite a long time already, but with all the AJAX and P2P applications, logging, and especially querying the logged data, is ineffective. On ASR1k routers you can log NAT and firewall events using NetFlow v9.