Agenda: exercise1-flow-export.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title>Monitoring Netflow with NfSen</title>
  <style type="text/css">code{white-space: pre;}</style>
  <link rel="stylesheet" href="../../style.css" type="text/css" />
</head>
<body>
<div id="header">
<h1 class="title">Monitoring Netflow with NfSen</h1>
</div>
<div id="TOC">
<ul>
<li><a href="#introduction"><span class="toc-section-number">1</span> Introduction</a><ul>
<li><a href="#goals"><span class="toc-section-number">1.1</span> Goals</a></li>
<li><a href="#notes"><span class="toc-section-number">1.2</span> Notes</a></li>
</ul></li>
<li><a href="#export-flows-from-a-cisco-router"><span class="toc-section-number">2</span> Export flows from a Cisco router</a><ul>
<li><a href="#group-1-router-1"><span class="toc-section-number">2.1</span> Group 1, Router 1</a></li>
<li><a href="#group-2-router-2"><span class="toc-section-number">2.2</span> Group 2, Router 2</a></li>
</ul></li>
<li><a href="#configuring-the-routers"><span class="toc-section-number">3</span> Configuring the routers</a></li>
</ul>
</div>
<h1 id="introduction"><a href="#introduction"><span class="header-section-number">1</span> Introduction</a></h1>
<h2 id="goals"><a href="#goals"><span class="header-section-number">1.1</span> Goals</a></h2>
<ul>
<li>Learn how to export flows from a Cisco router</li>
</ul>
<h2 id="notes"><a href="#notes"><span class="header-section-number">1.2</span> Notes</a></h2>
<ul>
<li>Commands preceded with &quot;$&quot; imply that you should execute the command as a general user - not as root.</li>
<li>Commands preceded with &quot;#&quot; imply that you should be working as root.</li>
<li>Commands with more specific command lines (e.g. &quot;rtrX&gt;&quot; or &quot;mysql&gt;&quot;) imply that you are executing commands on remote equipment, or within another program.</li>
</ul>
<h1 id="export-flows-from-a-cisco-router"><a href="#export-flows-from-a-cisco-router"><span class="header-section-number">2</span> Export flows from a Cisco router</a></h1>
<p>You will configure your router to export the same flow data to all PCs in your group.</p>
<h2 id="group-1-router-1"><a href="#group-1-router-1"><span class="header-section-number">2.1</span> Group 1, Router 1</a></h2>
<pre><code>rtr1 ==&gt; pc1 on port 9001
rtr1 ==&gt; pc2 on port 9001
rtr1 ==&gt; pc3 on port 9001
rtr1 ==&gt; pc4 on port 9001</code></pre>
<h2 id="group-2-router-2"><a href="#group-2-router-2"><span class="header-section-number">2.2</span> Group 2, Router 2</a></h2>
<pre><code>rtr2 ==&gt; pc5 on port 9001
rtr2 ==&gt; pc6 on port 9001
rtr2 ==&gt; pc7 on port 9001
rtr2 ==&gt; pc8 on port 9001</code></pre>
<p>etc.</p>
<h1 id="configuring-the-routers"><a href="#configuring-the-routers"><span class="header-section-number">3</span> Configuring the routers</a></h1>
<pre><code>$ ssh cisco@rtrX.ws.nsrc.org
rtrX&gt; enable</code></pre>
<p>or, if ssh is not configured yet:</p>
<pre><code>$ telnet 10.10.1.254
Username: cisco
Password: 
Router1&gt;enable
Password: </code></pre>
<p>The following configures the FastEthernet 0/0 interface to export flows. Replace 10.10.X.A to .D with the IP addresses of the PCs in your group.</p>
<pre><code>rtrX# configure terminal
rtrX(config)# flow exporter EXPORTER-1
rtrX(config-flow-exporter)# description Export to pcA
rtrX(config-flow-exporter)# destination 10.10.X.A
rtrX(config-flow-exporter)# transport udp 9001
rtrX(config-flow-exporter)# template data timeout 300
... repeat for EXPORTER-2 and pcB
... repeat for EXPORTER-3 and pcC
... repeat for EXPORTER-4 and pcD
rtrX(config-flow-exporter)# flow monitor FLOW-MONITOR-V4
rtrX(config-flow-monitor)# exporter EXPORTER-1
rtrX(config-flow-monitor)# exporter EXPORTER-2
rtrX(config-flow-monitor)# exporter EXPORTER-3
rtrX(config-flow-monitor)# exporter EXPORTER-4
rtrX(config-flow-monitor)# record netflow ipv4 original-input
rtrX(config-flow-monitor)# cache timeout active 300
rtrX(config)# interface FastEthernet 0/0
rtrX(config-if)# ip flow monitor FLOW-MONITOR-V4 input
rtrX(config-if)# ip flow monitor FLOW-MONITOR-V4 output
rtrX(config-if)# exit</code></pre>
<p>Since you have not specified a protocol version for the exported flow records, you get the default which is Netflow v9.</p>
<p>The &quot;cache timeout active 300&quot; command breaks up long-lived flows into 5-minute fragments. If you leave it at the default of 30 minutes your traffic reports will have spikes.</p>
<blockquote>
<p>Aside: to monitor IPv6 flows you would have to create a new flow monitor for IPv6 and attach it to the interface and the existing exporters.</p>
<pre><code>flow monitor FLOW-MONITOR-V6
 exporter EXPORTER-1
 exporter EXPORTER-2
 exporter EXPORTER-3
 exporter EXPORTER-4
 record netflow ipv6 original-input
 cache timeout active 300
interface FastEthernet 0/0
 ipv6 flow monitor FLOW-MONITOR-V6 input
 ipv6 flow monitor FLOW-MONITOR-V6 output</code></pre>
</blockquote>
<p>Also enter the following command:</p>
<pre><code>rtrX(config)# snmp-server ifindex persist</code></pre>
<p>This enables ifIndex persistence globally. This ensures that the ifIndex values are retained during router reboots - also if you add or remove interface modules to your network devices.</p>
<p>Now we'll verify what we've done.</p>
<p>First exit from the configuration session:</p>
<pre><code>rtrX(config)# exit</code></pre>
<pre><code>rtrX# show flow exporter EXPORTER-1
rtrX# show flow exporter EXPORTER-2
etc...
rtrX# show flow monitor FLOW-MONITOR-V4</code></pre>
<p>It's possible to see the individual flows that are active in the router:</p>
<pre><code>rtrX# show flow monitor FLOW-MONITOR-V4 cache</code></pre>
<p>But there will be thousands of individual flows, so that's not useful. Press 'q' to escape from the screen output if necessary.</p>
<p>Instead, group the flows so you can see your &quot;top talkers&quot; (traffic destinations and sources). This is one very long command line:</p>
<pre><code>rtrX# show flow monitor FLOW-MONITOR-V4 cache aggregate ipv4 source address
      ipv4 destination address sort counter bytes top 20</code></pre>
<p>If it all looks good then write your running-config to non-volatile RAM (i.e. the startup-config):</p>
<pre><code>rtrX#wr mem</code></pre>
<p>You can exit from the router now:</p>
<pre><code>rtrX#exit</code></pre>
<p>Make sure we have the tcpdump tool installed:</p>
<pre><code>$ sudo apt-get install tcpdump</code></pre>
<p>Now verify that flows are arriving from your router to your PC:</p>
<pre><code>$ sudo tcpdump -i eth0 -nn -Tcnfp port 9001</code></pre>
<p>Wait a few seconds and you should see something that looks like:</p>
<pre><code>06:12:00.953450 IP s2.ws.nsrc.org.54538 &gt; noc.ws.nsrc.org.9009: NetFlow v5, 9222.333 uptime, 1359871921.013782000, #906334, 30 recs
  started 8867.952, last 8867.952
    10.10.0.241/0:0:53 &gt; 10.10.0.250/0:0:49005 &gt;&gt; 0.0.0.0
    udp tos 0, 1 (136 octets) 
  started 8867.952, last 3211591.733
    10.10.0.241/10:0:0 &gt; 0.0.0.0/10:0:4352 &gt;&gt; 0.0.0.0
    ip tos 0, 62 (8867952 octets) 
[...]</code></pre>
<p>These are the UDP packets containing individual flow records.</p>
<p>(Note that the actual output may not be correct, as tcpdump does not decode Netflow properly)</p>
<p>You are done for this lab.</p>
<p>Go to exercise2-install-nfdump-nfsen.</p>
</body>
</html>