
sFlow Autonomous Systems Report

With the new sFlow Autonomous Systems report, your flow analyzer can now support AS reporting for sFlow and most other IP flow formats. The NetFlow analyzer maps IP addresses to their corresponding AS numbers by looking them up in GeoLite databases. The new report is therefore not limited to the supported AS information elements that are sent in flow packets: by combining the lookup with flow data, the traffic analyzer can also generate AS reports for flow formats with unsupported AS information elements.

NetFlow Autonomous System Monitoring

 

What is Autonomous System (AS)?

Autonomous System monitoring allows network administrators to monitor traffic between registered collections of IP networks and routers that use the same routing policies. An Autonomous System is a collection of connected IP prefixes under the control of one or more network administrators that presents a common and clearly defined routing policy to the Internet.

Autonomous System Reporting

Typically, when you have BGP configured on your network, a NetFlow or IPFIX capable router can export AS numbers and your NetFlow Analyzer will report on them. When exporting NetFlow, for instance, Autonomous System information is exported in the following information elements:

  • SRC_AS
  • DST_AS

Here is how you can enable AS export on a Cisco device:

Traditional NetFlow: Use the command “router(config)# ip flow-export version <version> [peer-as | origin-as]”. (This command sets the NetFlow version and can also include the optional keywords peer-as and origin-as, which enable AS export.)

  • peer-as: Specifies that export statistics include the peer AS for the source and destination.
  • origin-as: Specifies that export statistics include the originating autonomous system for the source and destination.

Flexible NetFlow: Use the command “collect routing {destination | source} as [peer]”. (This command adds AS information to the flow record.)

Most IP flow capable devices export “SRC_AS and DST_AS” or their corresponding implementations. As previously stated, the flow analyzer no longer depends only on flow data to report on Autonomous Systems. Your traffic monitoring application uses data from an online IP geolocation database to associate IP addresses with the corresponding AS numbers. The GeoLite database was created and is updated on a regular basis by MaxMind. This means that your NetFlow analyzer supports Autonomous System reporting across most IP flow protocols (sFlow, NetFlow, Flexible NetFlow, etc.). Therefore, if you are looking to monitor AS, you no longer need to worry about having NetFlow devices or a flow collector that supports AS information elements.

On top of reporting on Autonomous System numbers, the traffic analysis program can also send you email alerts when unexpected AS numbers appear in your traffic. If you are interested in configuring alerts, feel free to give us a call and we will be happy to assist you with the setup. Please share your experience if you are currently using flow technology to monitor Autonomous Systems.
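
The lookup fallback and the unexpected-AS alert described above can be sketched as follows. This is an added example, not the analyzer's own code: the prefix table is a constructed stand-in for a GeoLite ASN database, and the function names, flow record fields and expected-AS list are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-ASN table standing in for a GeoLite ASN database
# (documentation prefixes from RFC 5737, documentation ASNs from RFC 5398).
PREFIX_TO_ASN = [(ipaddress.ip_network(p), asn) for p, asn in [
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/24", 64497),
    ("198.51.100.128/25", 64498),   # more specific prefix, must win
    ("203.0.113.0/24", 64499),
]]

def lookup_asn(ip):
    """Longest-prefix match; returns 0 when no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, asn) for net, asn in PREFIX_TO_ASN if addr in net]
    return max(matches)[1] if matches else 0

def enrich(flow):
    """Keep exported SRC_AS/DST_AS when non-zero, else fall back to lookup."""
    out = dict(flow)
    out["src_as"] = flow.get("src_as") or lookup_asn(flow["src"])
    out["dst_as"] = flow.get("dst_as") or lookup_asn(flow["dst"])
    return out

def as_report(flows, expected_asns):
    """Return (bytes per destination AS, flows touching an unexpected AS)."""
    totals, alerts = Counter(), []
    for flow in map(enrich, flows):
        totals[flow["dst_as"]] += flow["bytes"]
        # AS 0 (unmapped address) counts as unexpected unless it is allowed.
        if {flow["src_as"], flow["dst_as"]} - expected_asns:
            alerts.append(flow)
    return totals, alerts

# Constructed flow records: the first carries AS fields (NetFlow with BGP),
# the others do not (for example sFlow without AS elements).
FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "src_as": 64496, "dst_as": 64497, "bytes": 1200},
    {"src": "192.0.2.11", "dst": "198.51.100.200", "bytes": 800},
    {"src": "192.0.2.12", "dst": "203.0.113.9", "bytes": 300},
    {"src": "192.0.2.13", "dst": "10.9.9.9", "bytes": 50},
]

if __name__ == "__main__":
    totals, alerts = as_report(FLOWS, expected_asns={64496, 64497, 64498})
    for asn, nbytes in totals.most_common():
        print(f"AS{asn}: {nbytes} bytes")
    for flow in alerts:
        print("unexpected AS:", flow["src"], "->", flow["dst"], f"AS{flow['dst_as']}")
```

An exported AS value of 0 is treated here as "not provided", so the lookup also covers records where the device sent the field but had no BGP data to fill it.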