Agenda: exercise1-flow-export.txt

File exercise1-flow-export.txt, 6.3 KB (added by carmas, 6 years ago)
Exercise1-NfSen?

Line
1	% Monitoring Netflow with NfSen
2	%
3	% Network Monitoring and Management
4
5	# Introduction
6
7	## Goals
8
9	* Learn how to export flows from a Cisco router
10
11	## Notes
12
13	* Commands preceded with "$" imply that you should execute the command as
14	a general user - not as root.
15	* Commands preceded with "#" imply that you should be working as root.
16	* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
17	imply that you are executing commands on remote equipment, or within
18	another program.
19
20	# Export flows from a Cisco router
21
22	During this exercise we will ask that you export flows from your router to two
23	PCs in the classroom. You should work together as a group. That is, for group 1,
24	users of pc1, pc2, pc3, pc4 should work together and pick one machine where
25	network flows will arrive.
26
27	In addition, you will export a second flow from your group's router to a PC in
28	the group next to yours. That is, for example, if group 2 has chosen pc5 to be
29	the PC that receives flows, then the second flow you export will go to pc5. And,
30	if you chose pc1 to receive flows from router 1 (rtr1), then it should, also,
31	receive flows from router 2 (rtr2):
32
33	These exercises work on the example of doing the following:
34
35	Group 1, Router 1
36	-----------------
37	rtr1 ==> pc1 on port 9001
38	rtr1 ==> pc5 on port 9002
39
40	Group 2, Router 2
41	-----------------
42	rtr2 ==> pc5 on port 9001
43	rtr2 ==> pc1 on port 9002
44
45	You may select the combination that works for your groups.
46
47	Here are the groups that should work together:
48
49	* group 1 and 2
50	* group 3 and 4
51	* group 5 and 6
52	* group 7 and 8
53
54	If there is a group 9 please see the instructors.
55
56	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
57	$ ssh cisco@rtr1.ws.nsrc.org
58	rtr1.ws.nsrc.org> enable
59	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
60
61	or, if ssh is not configured yet:
62
63	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
64	$ telnet 10.10.1.54
65	Username: cisco
66	Password:
67	Router1>enable
68	Password:
69	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
70
71	Remember - This is an EXAMPLE for the following situation:
72
73	rtr1 ==> pc1 on port 9001
74	rtr1 ==> pc5 on port 9002
75
76	Group 2, 3, 4, 5, 6, 7, 8 and 9 will do something different.
77
78	The following configures the FastEthernet 0/0 interface to export flows.
79
80	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
81	rtr1.ws.nsrc.org# configure terminal
82	rtr1.ws.nsrc.org(config)# interface FastEthernet 0/0
83	rtr1.ws.nsrc.org(config-if)# ip flow ingress
84	rtr1.ws.nsrc.org(config-if)# ip flow egress
85	rtr1.ws.nsrc.org(config-if)# exit
86	rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.1.1 9001
87	rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.2.5 9002
88	rtr1.ws.nsrc.org(config)# ip flow-export version 5
89	rtr1.ws.nsrc.org(config)# ip flow-cache timeout active 5
90	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
91
92	This breaks up long-lived flows into 5-minute fragments. You can
93	choose any number of minutes between 1 and 60. If you leave it at
94	the default of 30 minutes your traffic reports will have spikes.
95
96	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
97	rtr1.ws.nsrc.org(config)# snmp-server ifindex persist
98	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
99
100	This enables ifIndex persistence globally. This ensures that the
101	ifIndex values are retained during router reboots - also if you add
102	or remove interface modules to your network devices.
103
104	Now configure how you want the ip flow top-talkers to work:
105
106	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
107	rtr1.ws.nsrc.org(config)#ip flow-top-talkers
108	rtr1.ws.nsrc.org(config-flow-top-talkers)#top 20
109	rtr1.ws.nsrc.org(config-flow-top-talkers)#sort-by bytes
110	rtr1.ws.nsrc.org(config-flow-top-talkers)#end
111	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
112
113	Now we'll verify what we've done.
114
115	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
116	rtr1.ws.nsrc.org# show ip flow export
117	rtr1.ws.nsrc.org# show ip cache flow
118	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
119
120	See your "top talkers" across your router interfaces
121
122	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
123	rtr1.ws.nsrc.org# show ip flow top-talkers
124	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
125
126	If it all looks good then write your running-config to non-volatile
127	RAM (i.e. the startup-config):
128
129	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
130	rtr1.ws.nsrc.org#wr mem
131	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
132
133	You can exit from the router now:
134
135	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
136	rtr1.ws.nsrc.org#exit
137	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
138
139	Verify that flows are arriving from your router to the PC chosen to receive
140	flows in your group:
141
142	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
143	$ sudo tcpdump -Tcnfp port 9001
144	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
145
146	Wait a few seconds and you should see something that looks like:
147
148	06:12:00.953450 IP s2.ws.nsrc.org.54538 > noc.ws.nsrc.org.9009: NetFlow v5, 9222.333 uptime, 1359871921.013782000, #906334, 30 recs
149	started 8867.952, last 8867.952
150	10.10.0.241/0:0:53 > 10.10.0.250/0:0:49005 >> 0.0.0.0
151	udp tos 0, 1 (136 octets)
152	started 8867.952, last 3211591.733
153	10.10.0.241/10:0:0 > 0.0.0.0/10:0:4352 >> 0.0.0.0
154	ip tos 0, 62 (8867952 octets)
155	[...]
156
157	If you are using Netflow v9, do note that the above output may not be
158	correct, as the tcpdump in this version of Ubuntu does not decode Netflow
159	v9 properly.
160
161	Verify that flows are arriving from the router in the group next to you to
162	the PC chosen to receive flows in your group (you may have to wait until
163	the group next to you is ready and exporting flows to your PC):
164
165	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
166	$ sudo tcpdump -Tcnfp port 9002
167	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
168
169	You are done for this lab.
170
171	Move on to exercise3-NfSen-PortTracker if NfSen is already installed.
172
173	Otherwise, go to exercise2-install-nfdump-nfsen.