NAT Deduplication


MrGuga

Nov 3, 2011, 4:59:25 PM
to sFlowTrend
I wonder if there is any way to configure sFlowTrend to deduplicate
traffic that passes through a NAT router? When I need to chart all my
internet traffic, I have to manually filter out all the "outside"
subnet, otherwise I get something like this on top source-destination
pairs:

177.10.A.B -> 200.131.C.D
172.16.E.F -> 200.131.C.D
177.10.A.B -> 200.165.I.J
172.16.G.H -> 200.165.I.J
...

Where
177.10.A.B is my public IP address
172.16.x.x are my private IP addresses

These 4 flows are actually only 2, and the traffic amount is always
doubled.

If this is the expected behavior, as a feature request would it be
possible to add a checkbox to the subnet config dialog to mark that
subnet as being the outside network of a NAT router so all its traffic
would be deduplicated?

Might not be possible to determine which outgoing packets are part of
the same flow, because usually NAT routers mess with the packet
sequence number, but I think it is possible to do it for incoming
packets. It is better to ignore outgoing and count incoming traffic
more accurately than having to manually ignore both by applying some
filters.





sgjohnston

Nov 4, 2011, 6:32:04 AM
to sFlowTrend
You are right, sFlowTrend does not deduplicate traffic across a NAT
device. The problem is that both the IP and MAC addresses change
across the NAT (and the sequence number as you say). NAT really causes
two separate flows, so consolidating them is hard. sFlow does have an
extended NAT record, which contains the translated addresses, and this
could be used to connect the two flows. However, as far as I know, no
devices actually implement this, and sFlowTrend doesn't either.

Probably the easiest way of filtering for this in sFlowTrend would be
to use the inSubnet filter function to only include internal (or
external) addresses - it sounds like you might be doing this already.

Your idea of defining which subnets are internal is interesting, we
will look at ways this could be used. I don't think it would be
possible to de-duplicate between internal and external, since there is
no way to correlate between the two, but it might allow for an easier
way to filter out the traffic that is not required.

Stuart
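The subnet filtering suggested in the reply above, sketched outside sFlowTrend as an added example (it is not from the thread and is not sFlowTrend's filter syntax): it keeps only flow records with an endpoint in the inside subnets, so each NATed conversation is counted once. The addresses, the `INSIDE_NETS` range and the function names are constructed assumptions; like the filter, it picks one side of the NAT and does not correlate the two flows.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the inside (pre-NAT) address range. Adjust to your own subnets.
INSIDE_NETS = [ip_network("172.16.0.0/12")]

# Constructed sample records (src, dst, bytes) as seen on both sides of a
# NAT router whose outside address is 203.0.113.10 (documentation range).
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.20", 5000),   # outside view, outbound
    ("172.16.1.5",   "198.51.100.20", 5000),   # inside view, same traffic
    ("203.0.113.10", "198.51.100.30", 1200),
    ("172.16.2.9",   "198.51.100.30", 1200),
    ("198.51.100.20", "203.0.113.10", 40000),  # outside view, reply
    ("198.51.100.20", "172.16.1.5",   40000),  # inside view, same reply
]

def is_inside(addr, nets=INSIDE_NETS):
    """True if addr belongs to one of the inside subnets."""
    ip = ip_address(addr)
    return any(ip in net for net in nets)

def inside_view(flows, nets=INSIDE_NETS):
    """Keep records where source or destination is an inside address.

    The outside-side copy of each NATed flow carries the router's public
    address instead, so it is dropped and bytes are counted once.
    """
    return [f for f in flows if is_inside(f[0], nets) or is_inside(f[1], nets)]

def total_bytes(flows):
    return sum(nbytes for _, _, nbytes in flows)

def top_pairs(flows, n=10):
    """Aggregate bytes per (src, dst) pair, largest first."""
    totals = Counter()
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return totals.most_common(n)

if __name__ == "__main__":
    kept = inside_view(SAMPLE_FLOWS)
    print("all records:", total_bytes(SAMPLE_FLOWS), "bytes")
    print("inside view:", total_bytes(kept), "bytes")
    for (src, dst), nbytes in top_pairs(kept):
        print(f"{src} -> {dst}  {nbytes}")
```
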