Home Blog NetFlow and BGP

NetFlow and BGP

    Rate this post

    Netflow BGPBorder Gateway Protocol (BGP) is a core routing protocol used by most of the Internet Service Providers (ISPs). BGP’s role is to exchange routing and reachability information between autonomous systems (ASes) on the Internet. An AS can be an ISP, a university or the entire corporate network. Each AS is represented by a unique number called an AS number (ASN). The set of ASes along the path between two Autonomous Systems on the Internet is called BGP AS_PATH. This is one of the attributes that is evaluated in the BGP best path selection process.

    BGP AS PATH Attribute for Network Path Visibility

    BGP routing information provides full Internet path visibility. With a simple check of a routing table, network operators can determine the source and target ASes and all transit ASes through which the packet moves on its way to the destination. When a BGP router sends out an update to a neighbor in a different AS (i.e., an external or eBGP neighbor), it adds its own AS number to the front (left side) of the AS path. So the AS path lists all the ASes that need to be traversed to reach the location where the prefix that the path is attached to is advertised from. Let’s check how the AS_PATH attribute is built when a prefix originated on the router AS1 is sent in a BGP update message and received by the router AS5 (Picture 1).

    Network Topology with 5 eBGP Neighbors

    Picture 1: Network Topology with 5 eBGP Neighbors

    The BGP router in AS 1 sends a BGP update message to its eBGP neighbor with its own AS number (ASN) 1. The neighbor in AS 2 adds its ASN 2 to the front (left) side of the AS path in a BGP update. The AS_PATH attribute is now 2 1. The neighbor in AS 3 prepends the AS_PATH with its own ASN 3. The AS_PATH is now 3 2 1. And again, when the router AS4 receives the BGP update message with the AS_PATH 3 2 1 from AS3, it adds its ASN 4 to the front of the AS_PATH. The AS_PATH attribute received by the router AS5 in a BGP update from the peer AS 4 is 4 3 2 1 for NLRI (Picture 2).

    AS_PATH for NLRI on AS5

    Picture 2: AS_PATH for NLRI on AS5

    NetFlow and Network Path Utilization

    BGP does a great job in providing visibility of network paths so we have a clear picture of how traffic is forwarded between ASses. However, BGP alone says nothing about how these paths are utilized. NetFlow, on the other hand, can report how much traffic is traversing the paths in real-time. It provides complete traffic statistic including Layer2 (VLAN headers, MAC addresses), Layer3 (IP addresses, protocol) Layer4 (TCP/UDP ports) information, timestamps VRF IDs, etc.  The nature of NetFlow makes it a valuable tool for investigation of the inbound traffic for a certain pattern matching. As we explained in our previous blog posts, NetFlow analysis plays an important part in DDoS amplification attacks, web application and SSH compromise attack detection.

    BGP Support in NetFlow

    Although, NetFlow reports the amount of traffic on any given path, its ability to report on how the traffic gets into the AS is limited. As a matter of fact, it merely depends on BGP support in different NetFlow versions.

    BGP in NetFlow v5

    NetFlow v5 reports the source and destination ASes, peer ASses and BGP next-hop. Let’s explain it using a network topology depicted on Picture 1. The AS3 router is configured with the legacy NetFlow v5 in ingress direction for the interface Gi0/0. Traffic is sent from AS5 to AS1 and AS collection is included in NetFlow export with the option orgin-as. In this case, NetFlow reports ASN5 as source and ASN1 as destination ASes, with the BGP next-hop If an option peer-as is used instead of origin-as, the ASN4 and ASN2 are exported instead, along with the next-hop In both cases, only origin or peer ASN information is exported in flows.

    BGP in NetFlow v9

    NetFlow v9 allows us to collect both origin-as and peers-as simultaneously as you can see from the last four lines under the flow record configuration. If traffic is sent from AS5 to AS1, Netflow reports ASN5 and ASN1 as a source and destination ASes and AS4 and AS2 as peer ASes, with the BGP next-hop (Picture 3). Thanks to it, network operators can plan outbound traffic accordingly, carefully selecting an appropriate exit point. For instance, they can increase the weight (Cisco only) or LOCAL_PREF per neighbor or prefix basis to prefer a certain exit router to the others.

    flow record BGP-record
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match interface input
     match ipv4 protocol
     collect counter packets
     collect counter bytes
     collect timestamp sys-uptime first
     collect timestamp sys-uptime last
     collect routing next-hop address ipv4 bgp
     collect routing source as
     collect routing destination as
     collect routing source as peer
     collect routing destination as peer
    flow monitor BGP-monitor
     record BGP-record

    NetFlow v9 Record

    Picture 3: NetFlow v9 Record with Both Origin-as and Peers-as Information

    While BGP implementation in NetFlow v9 provides higher AS path visibility when compared to the legacy v5, it is still limited to a partial AS view only. For instance, if we add the AS6 into the topology depicted on Picture 1 between the routers AS4 and AS5, NetFlow configured on AS3 will not report the AS6. In order to provide full BGP path visibility and path utilization, BGP must be bundled with NetFlow.


    BGP gives us an ability to understand how network traffic is forwarded between ASes on the Internet. BGP in conjunction with NetFlow provides information about the type and amount of traffic on the paths interconnecting ASes. However, it is only possible if BGP attributes such as AS_PATH, are extracted from the BGP table and correlated with NetFlow records.


    Leave a Reply