03-14-2012 02:54 AM - edited 03-04-2019 03:39 PM
Here is a snippet from "show ip cache flow", from a border router of our network:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/3 1.2.3.4 Fa1/0* 192.168.1.66 11 F247 00A1 3
Gi0/3 1.2.3.4 Fa1/0* 192.168.1.68 11 F247 00A1 3
Gi0/3 1.2.3.4 Fa1/0* 192.168.1.71 11 F247 00A1 3
Gi0/3 1.2.3.4 Fa1/0* 192.168.1.74 11 F247 00A1 3
To clarify, Gi0/3 faces our customers, Fa1/0 faces a transit provider. These results have come from configuring "ip flow egress" on Fa1/0, facing the transit provider.
1.2.3.4 is a static IP we have assigned a customer. I know this customer has a firewall terminating this connection, so I want to understand the cache flow results on this route. Why is the destination address an RFC1918 address?
Is it possible that the customer's firewall is trying to connect to these addresses, the flow gets as far as this border router, and drops? I assume that to be false, and only successfully initiated flows are recorded?
Also, looking at those figures it's IP protocol 0x11, which is UDP (17), and source port 62023 to destination port 161. 161 is SNMP? Without asking the customer what they are doing I suppose I can never know at that level, but I'm really more interested in why these flows are showing at all, when 192.168.1.0/24 isn't in this router's FIB?
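As an added example (not code from the thread or from Cisco), here is a small parser for the "show ip cache flow" table quoted above. It decodes the hex protocol and port columns the way the post does by hand (0x11 = UDP, F247 = 62023, 00A1 = 161), strips the trailing "*" marker on DstIf, and flags any flow leaving a transit-facing interface toward an RFC1918 destination, which is the check an operator would want to script before going back to the customer. The sample rows are constructed: the first four copy the post, the fifth is an invented TCP flow to a public address so the filter has something to ignore.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample output, modelled on the lines quoted in the post.
# The last row (TCP to a public address) is invented as a negative case.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/3 1.2.3.4 Fa1/0* 192.168.1.66 11 F247 00A1 3
Gi0/3 1.2.3.4 Fa1/0* 192.168.1.68 11 F247 00A1 3
Gi0/3 1.2.3.4 Fa1/0* 192.168.1.71 11 F247 00A1 3
Gi0/3 1.2.3.4 Fa1/0* 192.168.1.74 11 F247 00A1 3
Gi0/3 1.2.3.4 Fa1/0* 203.0.113.9 06 C0A8 01BB 40
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src_if: str
    src_ip: ipaddress.IPv4Address
    dst_if: str
    dst_ip: ipaddress.IPv4Address
    proto: int       # IP protocol number, decoded from the hex "Pr" column
    src_port: int    # decoded from hex "SrcP"
    dst_port: int    # decoded from hex "DstP"
    pkts: int

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))


def parse_cache_flow(text: str) -> list:
    """Parse the 8-column 'show ip cache flow' table into Flow records.

    Header lines and anything that is not exactly 8 fields are skipped, so
    the banner/statistics block that precedes the table can be pasted in too.
    """
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "SrcIf":
            continue
        src_if, src_ip, dst_if, dst_ip, pr, sp, dp, pkts = fields
        flows.append(Flow(
            src_if=src_if,
            src_ip=ipaddress.IPv4Address(src_ip),
            dst_if=dst_if.rstrip("*"),   # "*" marks the egress-accounted flow
            dst_ip=ipaddress.IPv4Address(dst_ip),
            proto=int(pr, 16),
            src_port=int(sp, 16),
            dst_port=int(dp, 16),
            pkts=int(pkts),
        ))
    return flows


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def private_dst_to_transit(flows: list, transit_ifs: set) -> list:
    """Flows that exit a transit-facing interface toward a private destination.

    These should not exist on a border router whose FIB has no RFC1918 routes;
    each hit is a flow worth tracing back to its source.
    """
    return [f for f in flows
            if f.dst_if in transit_ifs and is_rfc1918(f.dst_ip)]


def describe(flow: Flow) -> str:
    return (f"{flow.src_if} {flow.src_ip}:{flow.src_port} -> "
            f"{flow.dst_if} {flow.dst_ip}:{flow.dst_port} "
            f"{flow.proto_name} pkts={flow.pkts}")


if __name__ == "__main__":
    # Fa1/0 is the transit-facing interface named in the post.
    for hit in private_dst_to_transit(parse_cache_flow(SAMPLE), {"Fa1/0"}):
        print("private destination leaving transit interface:", describe(hit))
```

Run against a full "show ip cache flow" paste, the script lists only the rows that combine a transit-facing DstIf with a private DstIPaddress; for the quoted output that is the four UDP/161 flows and nothing else.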
03-14-2012 03:01 AM
Yes, 161 is SNMP, and it's UDP. One reason would be default routing. I suppose that the customer has a default route toward the firewall, and on the firewall a default router toward the edge provider router. As per source, the flows could be source NAT-ed.
Regards
Dan
03-17-2012 04:43 AM
Sadly their firewall default route is to a router much closer to them, so that isn't the answer. BGP carries them from their default router out of the specific border router these flows are present on.