If a flow is produced when an ACL hit occurs, is there any indicator in the data of this (for example, 0.0.0.0 appearing in the next hop field)?
I think an $output_if of zero is the best indicator that a flow was black-holed. I have found the nexthop value to be more a function of the routing method configured on the router than whether or not the flow’s traffic was forwarded or not. For instance, with the full BGP routing table, I get valid/correct nexthop values. However, FlowScan users that simply configure a default route to an ip unnumbered interface have reported that the destination IP is repeated in the nexthop field. (FlowScan’s CampusIO report has a special option to deal with this scenario since normally FlowScan likes to determine if a flow is outbound based on its nexthop.) Other FlowScan users have occasionally reported seeing zeroes regularly as the nexthop values, but I never got full details on their Cisco config. Right now, FlowScan just plain ignores all flows with nexthop of zero unless you have specified an array of output ifIndexes to use instead to ID outbound traffic. IIRC, I’ve also seen zeroes in the ne
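The heuristic from the answer above, as an added example that is not part of the original answer or of FlowScan's code: it assumes the router exports NetFlow v5, parses an export packet, and flags flows by an output ifIndex of zero while only annotating the nexthop value. The function names and the sample packet are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Assumption: NetFlow v5 export (24-byte header, 48-byte flow records).
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(packet):
    """Yield one dict per flow record in a NetFlow v5 export packet."""
    version, count = HEADER.unpack_from(packet)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 packet")
    if len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated packet")
    for i in range(count):
        f = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        yield {"src": IPv4Address(f[0]), "dst": IPv4Address(f[1]),
               "nexthop": IPv4Address(f[2]), "input_if": f[3],
               "output_if": f[4], "packets": f[5], "octets": f[6]}

def classify(flow):
    """Verdict comes from output_if only; nexthop oddities are just noted."""
    notes = []
    if int(flow["nexthop"]) == 0:
        notes.append("nexthop=0")        # seen regularly on some configs
    elif flow["nexthop"] == flow["dst"]:
        notes.append("nexthop=dst")      # default route to ip unnumbered
    verdict = "likely-black-holed" if flow["output_if"] == 0 else "forwarded"
    return verdict, notes

def build_sample():
    """Constructed sample packet with three flows (not captured traffic)."""
    def rec(src, dst, nexthop, out_if):
        return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                           IPv4Address(nexthop).packed, 1, out_if, 10, 840,
                           0, 0, 40000, 80, 0, 0x02, 6, 0, 0, 0, 0, 0, 0)
    flows = [rec("192.0.2.10", "198.51.100.5", "203.0.113.1", 2),
             rec("192.0.2.11", "198.51.100.6", "0.0.0.0", 0),
             rec("192.0.2.12", "198.51.100.7", "198.51.100.7", 3)]
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + b"".join(flows)

if __name__ == "__main__":
    for flow in parse_v5(build_sample()):
        verdict, notes = classify(flow)
        print(flow["src"], "->", flow["dst"], "out_if", flow["output_if"],
              verdict, ",".join(notes))
```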