Monday, November 30, 2009

Configuring NetFlow (I love this feature)

Credits to the original author.

CONFIGURING THE ROUTER

First, on the Cisco box, enable Cisco Express Forwarding (NetFlow switching depends on it):

router(config)# ip cef
router(config)# ip cef distributed

'ip cef distributed' applies only to platforms with distributed switching (7500 with VIPs, GSR); on other routers plain 'ip cef' is enough.

and turn on flow accounting on every interface where traffic enters the router, with the interface command:

interface FastEthernet3
 ip route-cache flow

interface Serial3/1
 ip route-cache flow

...

'ip route-cache flow' accounts ingress traffic only, so an interface you leave out will miss the flows that enter through it (typically the return direction of a conversation). Newer IOS releases configure the same thing with 'ip flow ingress' (and 'ip flow egress' where egress accounting is wanted).

Now verify that the router (or switch) is generating flow statistics with 'show ip cache flow'. Note that on routers with distributed switching (GSR, 75xx) the RP CLI only shows the flows that were punted up to the RP; to see the flows on an individual line card, reach the card with 'attach' or 'if-con' and issue 'show ip cache flow' there.

IP packet size distribution (36242M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .002 .340 .084 .021 .020 .012 .009 .009 .008 .007 .006 .007 .004 .003 .004

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .002 .004 .035 .077 .338 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
4139 active, 61397 inactive, 712344771 added
871670181 ager polls, 0 flow alloc failures
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet     1572735      0.3        58   127     21.4      27.0      14.8
TCP-FTP        6193502      1.4        24   746     35.3       3.6       9.0
TCP-FTPD       1458042      0.3      1534   833    520.9      42.4       4.2
TCP-WWW       93403998     21.7        19   633    432.9       4.9       6.3
TCP-SMTP      16123540      3.7        15   431     59.1       3.4       6.4
TCP-X           687228      0.1       238   276     38.1      20.8      14.3
TCP-BGP        1116819      0.2         3    45      0.7       5.3      16.0
TCP-NNTP       1455156      0.3      1102   176    373.4     106.1      11.9
TCP-Frag          3244      0.0         4   636      0.0       2.8      16.3
TCP-other    188162587     43.8       118   733   5204.5      11.1       6.9
UDP-DNS       38042100      8.8         3    84     27.3       3.8      16.4
UDP-NTP       18760129      4.3         1    76      5.3       1.3      16.3
UDP-TFTP           665      0.0         4    76      0.0       7.9      16.4
UDP-Frag         13111      0.0      2121  1108      6.4     366.8      13.5
UDP-other    195556237     45.5        35   343   1632.5       5.8      16.3
ICMP         149285440     34.7         2    64     72.9       0.9      16.5
IGMP             15315      0.0       167    32      0.5    1660.6       3.9
IPINIP           15112      0.0        35    52      0.1     275.3      14.2
GRE             127489      0.0         3   109      0.1      16.9      16.1
IP-other        348604      0.0        56   447      4.5      21.5      16.2
Total:       712341053    165.8        50   620   8436.8       6.2      12.2

SrcIf     SrcIPaddress    DstIf     DstIPaddress    Pr SrcP DstP  Pkts
AT4/0.1   128.146.225.194 AT1/0.2   128.194.203.23  06 0019 2CAF    15
AT2/0.10  129.22.250.148  AT1/0.2   129.2.226.43    06 04BA 1A20  1266
AT2/0.11  130.108.110.48  AT1/0.2   170.140.89.100  06 0923 10A3   436
AT1/0.2   170.140.89.100  AT2/0.11  130.108.110.48  06 10A3 0923   462

The Pr, SrcP and DstP columns are hexadecimal: 06 is TCP, and SrcP 0019 in the first row is port 25 (SMTP).

! Enable export of the flows with the global commands
router(config)# ip flow-export version 5 origin-as
router(config)# ip flow-export destination 10.0.0.2 2000
! (older IOS releases take the address and port without the 'destination'
! keyword: ip flow-export 10.0.0.2 2000)

! Create a loopback interface if one does not exist
router(config)# interface Loopback0
router(config-if)# ip address 10.0.0.1 255.255.255.255
router(config-if)# exit

! Source the exports from the loopback, so the collector sees one stable
! exporter address whichever physical interface the datagrams leave on
router(config)# ip flow-export source Loopback0

NetFlow v5 export is plain UDP with no authentication or integrity check, so the collector has nothing but the source address to trust. Keep the exporter-to-collector path on a management network or behind an ACL, and have the collector accept datagrams only from known exporter addresses (here 10.0.0.1); otherwise anyone able to send spoofed UDP to port 2000 can inject fabricated flows into your statistics.

If tcpdump is installed on the collector host, or on a box that can see its traffic, the exports can be verified:

netflow:~# tcpdump -n udp port 2000
tcpdump: listening on eth0
12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:29.962551 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:29.975115 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:29.984444 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:29.993956 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.003252 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.015483 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.024852 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.034182 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.043545 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.053239 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
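tcpdump only shows that datagrams arrive on UDP/2000; it does not tell you whether they are well-formed v5 exports or whether any went missing on the way. The following Python script is an added example (it is not part of the original post, nor of the NetFlow Collector package): it packs a few constructed flow records, modelled on the cache entries shown above, into a v5 datagram, parses it back while rejecting anything that is not a correctly sized v5 datagram, aggregates per protocol the way the IOS table does, and uses the header's flow_sequence counter to detect lost exports. The interface indexes, byte counts, timestamps and the extra DNS flow in SAMPLE_RECORDS are invented for the example; to check real exports, pass the UDP payload of a captured datagram (from a 'tcpdump -w' pcap, or a socket bound to port 2000) to parse_v5_datagram().

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format, network byte order: a 24-byte header followed by
# up to 30 records of 48 bytes each (so a datagram is at most 1464 bytes).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30

# Constructed sample flows, modelled on the four cache entries shown above plus
# one DNS query. Interface indexes, byte counts and timestamps are made up.
SAMPLE_RECORDS = [
    dict(src="128.146.225.194", dst="128.194.203.23", input=1, output=2, pkts=15, bytes=900,
         first=1000, last=1200, sport=0x0019, dport=0x2CAF, proto=6),
    dict(src="129.22.250.148", dst="129.2.226.43", input=3, output=2, pkts=1266, bytes=927000,
         first=1000, last=5000, sport=0x04BA, dport=0x1A20, proto=6),
    dict(src="130.108.110.48", dst="170.140.89.100", input=4, output=2, pkts=436, bytes=26000,
         first=1500, last=3000, sport=0x0923, dport=0x10A3, proto=6),
    dict(src="170.140.89.100", dst="130.108.110.48", input=2, output=4, pkts=462, bytes=310000,
         first=1500, last=3000, sport=0x10A3, dport=0x0923, proto=6),
    dict(src="10.1.1.5", dst="10.1.1.53", input=5, output=5, pkts=1, bytes=76,
         first=2000, last=2000, sport=53000, dport=53, proto=17),
]


def build_v5_datagram(records, sys_uptime=0, unix_secs=0, flow_sequence=0, engine_id=0):
    """Pack flow records into one v5 export datagram (used here to create test input)."""
    if not 0 < len(records) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries between 1 and 30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, flow_sequence,
                            0, engine_id, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
                       socket.inet_aton(r.get("nexthop", "0.0.0.0")),
                       r["input"], r["output"], r["pkts"], r["bytes"], r["first"], r["last"],
                       r["sport"], r["dport"], 0, r.get("tcp_flags", 0), r["proto"],
                       r.get("tos", 0), r.get("src_as", 0), r.get("dst_as", 0),
                       r.get("src_mask", 0), r.get("dst_mask", 0), 0)
        for r in records)
    return header + body


def parse_v5_datagram(data):
    """Parse one datagram into (header dict, list of record dicts); anything that is
    not a correctly sized v5 datagram raises ValueError and should simply be dropped."""
    if len(data) < V5_HEADER.size:
        raise ValueError(f"datagram too short ({len(data)} bytes)")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if not 0 < count <= V5_MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"length {len(data)} does not match {count} records")
    header = dict(version=version, count=count, sys_uptime=uptime, unix_secs=secs,
                  unix_nsecs=nsecs, flow_sequence=seq, engine_type=engine_type,
                  engine_id=engine_id,  # sampling: 2-bit mode, 14-bit interval
                  sampling_mode=sampling >> 14, sampling_interval=sampling & 0x3FFF)
    records = []
    for i in range(count):
        (src, dst, nexthop, inp, outp, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, src_as, dst_as, src_mask, dst_mask,
         _pad2) = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(dict(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
                            nexthop=socket.inet_ntoa(nexthop), input=inp, output=outp,
                            pkts=pkts, bytes=octets, first=first, last=last,
                            sport=sport, dport=dport, tcp_flags=flags, proto=proto, tos=tos,
                            src_as=src_as, dst_as=dst_as, src_mask=src_mask, dst_mask=dst_mask))
    return header, records


def summarize_by_protocol(records):
    """Aggregate flows, packets and bytes per IP protocol (cf. the IOS per-protocol table)."""
    summary = defaultdict(lambda: dict(flows=0, pkts=0, bytes=0))
    for r in records:
        s = summary[r["proto"]]
        s["flows"] += 1
        s["pkts"] += r["pkts"]
        s["bytes"] += r["bytes"]
    return dict(summary)


def missing_flows(prev_header, cur_header):
    """flow_sequence is the running count of flows the engine has exported, so for two
    consecutive datagrams from the same engine the gap is the number of flows lost."""
    expected = prev_header["flow_sequence"] + prev_header["count"]
    return cur_header["flow_sequence"] - expected


if __name__ == "__main__":
    datagram = build_v5_datagram(SAMPLE_RECORDS, sys_uptime=60000, unix_secs=1259582400,
                                 flow_sequence=100)
    header, flows = parse_v5_datagram(datagram)
    print(f"{len(datagram)}-byte v5 datagram, {header['count']} flows, seq {header['flow_sequence']}")
    for proto, s in sorted(summarize_by_protocol(flows).items()):
        print(f"  proto {proto:3d}: {s['flows']} flows, {s['pkts']} pkts, {s['bytes']} bytes")
```

Because a v5 datagram is exactly 24 + 48 * count bytes and never carries more than 30 records, the length check is a cheap first filter for garbage sent at the collector port. It is not an authenticity check: v5 has none, so a collector should pair it with a source-address filter for the known exporters. A persistent non-zero result from missing_flows() for one engine_id means the exporter is sending faster than the path or the collector can take, or that something between them is dropping UDP.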

SETTING UP NETFLOW COLLECTOR

After installing NetFlow Collector, edit /etc/netflow/nfc.conf. Under the [Main] section set the NetFlow Collector Unit ID; it must match the ID created in NetFlow Web (see the installation notes for NetFlow Web and the MySQL database). A Unit ID is unique to one computing unit, i.e. one machine; one unit can run several collectors, and each collector serves at least one NetFlow export source (router). The [Database] section holds the database name (default nf), hostname (default localhost), username (default root), password and so on. If you run everything on one box (NetFlow Collector, NetFlow Web and the database) you needn't change anything in /etc/netflow/nfc.conf; all other parameters are set through the web interface. Even in that case, prefer a dedicated database user with its own password over the default root account, since the collector only needs rights on its own database.

That's all; start the collector with

netflow:~# /etc/init.d/nfc start

Now is a good time to check syslog for any errors:

netflow:~# less /var/log/syslog
