1 Introduction

1.1 Goals

1.2 Notes

2 Export flows from a Cisco router

You will configure your router to export the flow data to the VM in your group.

3 Configuring the routers

The following configures the FastEthernet 0/1 interface to export flows. Replace 10.10.0.X with the IP address of your group's virtual machine.

! On your BORDER router
flow exporter EXPORTER-1
  description Export to VM
  destination 10.10.0.X      << replace X with group number
  transport udp 9001
  template data timeout 60
flow monitor FLOW-MONITOR-V4
  exporter EXPORTER-1
  record netflow ipv4 original-input
  cache timeout active 300
interface FastEthernet 0/1
  ip flow monitor FLOW-MONITOR-V4 input
  ip flow monitor FLOW-MONITOR-V4 output

Why are we applying this to the 0/1 (inside) interface? So that our Netflow records show the internal addresses before they are NAT'd.

Since no export protocol version was specified for the exporter, you get the default, which is NetFlow v9.

The "cache timeout active 300" command breaks long-lived flows into 5-minute fragments. If you leave it at the default of 30 minutes, all the traffic of a long-lived flow is reported in one record when the flow finally expires, so your traffic reports will have spikes.

Also enter the following command:

snmp-server ifindex persist

This enables ifIndex persistence globally, so that the ifIndex values reported in the flow records stay the same across router reboots and when interface modules are added to or removed from the device.

It is possible to export flows to multiple destinations: create EXPORTER-2, EXPORTER-3, etc. and list them all under FLOW-MONITOR-V4.

To monitor IPv6 flows, you would have to create a separate flow monitor for IPv6, pointing at the existing exporters, and attach it to the interface:

flow monitor FLOW-MONITOR-V6
  exporter EXPORTER-1
  record netflow ipv6 original-input
  cache timeout active 300
interface FastEthernet 0/1
  ipv6 flow monitor FLOW-MONITOR-V6 input
  ipv6 flow monitor FLOW-MONITOR-V6 output

Now we'll verify what we've done.

First exit from the configuration session:

exit

Then use these commands:

groupX-border# show flow exporter EXPORTER-1
groupX-border# show flow monitor FLOW-MONITOR-V4

It's possible to see the individual flows that are active in the router:

groupX-border# show flow monitor FLOW-MONITOR-V4 cache

But on a busy router there will be thousands of individual flows, so that's not useful. Press 'q' to escape from the screen output if necessary.

Instead, group the flows so you can see your "top talkers" (traffic destinations and sources). This is one very long command line:

groupX-border# show flow monitor FLOW-MONITOR-V4 cache aggregate ipv4 source address ipv4 destination address sort counter bytes top 20

If it all looks good then write your running-config to non-volatile RAM (i.e. the startup-config):

groupX-border# wr mem

You can exit from the router now:

groupX-border# exit

To check flow packets are arriving at your VM you can use tcpdump:

$ sudo apt-get install tcpdump
$ sudo tcpdump -i eth0 -nn udp port 9001

Wait a few seconds and you should see packets arriving. These are the UDP packets containing individual flow records.

OPTIONAL: you can use tshark (the text version of Wireshark), which is able to fully decode NetFlow v9 packets. Note that it can only decode the data records once it has seen the matching template, which the router resends every 60 seconds (the "template data timeout 60" above), so the first few packets may show up undecoded:

$ sudo apt-get install tshark
$ sudo tshark -i eth0 -nnV -s0 -d udp.port==9001,cflow udp port 9001
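As an added example that is not part of the lab, here is a small Python decoder for the NetFlow v9 packets tcpdump shows arriving on UDP 9001. It parses the header, the template FlowSet and the data records, shows why a collector cannot decode anything until the template has arrived (hence the "template data timeout 60" above), and aggregates the records into a top-talkers list like the router's "aggregate ... sort counter bytes top" view. The packet, addresses and byte counts are constructed for the example, not captured from a router.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v9 field type IDs used here (RFC 3954); their byte lengths come from the template.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def parse_netflow_v9(packet, templates=None):
    """Decode one export packet into dict records; returns (records, templates). Pass `templates`
    back in on the next call: data FlowSets seen before their template cannot be decoded."""
    templates = {} if templates is None else templates
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        body, off = packet[off + 4:off + set_len], off + set_len
        if set_id == 0:  # template FlowSet: template id, field count, (type, length) pairs (first template only)
            tid, nfields = struct.unpack("!HH", body[:4])
            templates[(source_id, tid)] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(nfields)]
        elif set_id >= 256 and (source_id, set_id) in templates:  # data FlowSet whose template we already hold
            fields = templates[(source_id, set_id)]
            rec_len = sum(flen for _, flen in fields)
            for pos in range(0, len(body) - rec_len + 1, rec_len):  # trailing padding bytes are skipped
                rec, p = {}, pos
                for ftype, flen in fields:
                    raw, p = body[p:p + flen], p + flen
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
    return records, templates

def top_talkers(records, n=20):
    """Sum bytes per (src, dst) pair, like the router's 'aggregate ... sort counter bytes top' view."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src_addr"], r["dst_addr"])] += r["in_bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def build_sample_packet(with_template=True):
    """Constructed sample export: template 256 (six fields) and three 20-byte data records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl if with_template else b""
    flows = [("10.10.0.5", "192.0.2.10", 51000, 443, 1500, 10), ("10.10.0.7", "192.0.2.10", 51001, 80, 9000, 60), ("10.10.0.5", "192.0.2.10", 51002, 443, 4000, 20)]
    data = b"".join(IPv4Address(s).packed + IPv4Address(d).packed + struct.pack("!HHII", sp, dp, by, pk) for s, d, sp, dp, by, pk in flows)
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3 + int(with_template), 123456, 1700000000, 1, 0)  # count = records in packet
    return header + tmpl_set + data_set
```

Calling `parse_netflow_v9(build_sample_packet(with_template=False))` with no saved templates yields no records at all, which is exactly what a collector sees until the exporter's next template refresh.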

You are done for this lab.

Go to exercise2-install-nfdump-nfsen.