How to Configure Netflow with NfSen

**Monitoring Netflow with NfSen**

Important Notes:
* Commands preceded with “$” imply that you should execute the command as a general user – not as root.
* Commands preceded with “#” imply that you should be working as root.
* Commands preceded by a more specific prompt (e.g. “RTR-GW>” or “mysql>”) imply that you are executing commands on remote equipment, or within another program.
# Export flows from a Cisco router
During this exercise we will ask you to export flows from your router to two PCs in the classroom. You should work together as a group. That is, for group 1, the users of pc1, pc2, pc3 and pc4 should work together and pick one machine where the network flows will arrive. In addition, you will export a second copy of the flows from your group’s router to a PC in the group next to yours. For example, if group 2 has chosen pc5 to be the PC that receives flows, then the second export from your router will go to pc5. And if you chose pc1 to receive flows from router 1 (rtr1), then it should also receive flows from router 2 (rtr2):

These exercises use the following example:
Group 1, Router 1
—————–
rtr1 ==> pc1 on port 9001
rtr1 ==> pc5 on port 9002
Group 2, Router 2
—————–
rtr2 ==> pc5 on port 9001
rtr2 ==> pc1 on port 9002
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ssh cisco@rtr1.ws.gpontutorials.com
rtr1.ws.gpontutorials.com> enable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
or, if ssh is not configured yet (telnet sends the login and enable passwords in cleartext, so use it only on the isolated classroom network and move to ssh as soon as it is configured):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ telnet 10.10.1.54
Username: cisco
Password:
Router1>enable
Password:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remember – This is an EXAMPLE for the following situation:
rtr1 ==> pc1 on port 9001
rtr1 ==> pc5 on port 9002
The following enables flow accounting for traffic entering and leaving the FastEthernet 0/0 interface, then sets the global export parameters: the two collector PCs (pc1 on port 9001 and pc5 on port 9002 in this example), the export format and the active timeout.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.gpontutorials.com# configure terminal
rtr1.ws.gpontutorials.com(config)# interface FastEthernet 0/0
rtr1.ws.gpontutorials.com(config-if)# ip flow ingress
rtr1.ws.gpontutorials.com(config-if)# ip flow egress
rtr1.ws.gpontutorials.com(config-if)# exit
rtr1.ws.gpontutorials.com(config)# ip flow-export destination 10.10.1.1 9001
rtr1.ws.gpontutorials.com(config)# ip flow-export destination 10.10.2.5 9002
rtr1.ws.gpontutorials.com(config)# ip flow-export version 5
rtr1.ws.gpontutorials.com(config)# ip flow-cache timeout active 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The active timeout controls how often the router exports a record for a flow that is still running; setting it to 5 breaks long-lived flows into 5-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes, all the traffic of a long-lived flow is reported in a single record when it is exported, so NfSen’s 5-minute graphs show it as a spike at the time of export rather than spread over the period in which the traffic actually flowed.
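To make the effect of the active timeout concrete, here is an added example (not part of the original exercise) that models one long-lived flow at a constant rate and computes how many bytes land in each 5-minute collector file: nfcapd rotates its files every 5 minutes, and a flow’s bytes are counted in the file that was open when the router exported the record. The flow duration (one hour) and rate (1 Mbit/s) are made-up values.

```python
"""Model of how the NetFlow active timeout shapes NfSen's 5-minute graphs.

Added example, not part of the original exercise. It simulates one
long-lived flow at a constant rate and computes how many bytes land in
each 5-minute collector file. The flow duration and rate are made up.
"""

SLOT_SECONDS = 300  # nfcapd's default file rotation interval


def export_times(duration_s, active_timeout_min):
    """Offsets (seconds) at which the router exports a record for a flow
    that stays active for duration_s: once per active timeout, plus a final
    record when the flow ends."""
    step = active_timeout_min * 60
    times = list(range(step, duration_s + 1, step))
    if not times or times[-1] != duration_s:
        times.append(duration_s)
    return times


def bytes_per_slot(duration_s, rate_bytes_per_s, active_timeout_min,
                   slot_seconds=SLOT_SECONDS):
    """Bytes attributed to each collector slot for a constant-rate flow.
    Each exported record carries the bytes seen since the previous export
    and is filed in the slot during which it was exported."""
    nslots = -(-duration_s // slot_seconds)  # ceiling division
    slots = [0] * nslots
    prev = 0
    for t in export_times(duration_s, active_timeout_min):
        slot = min((t - 1) // slot_seconds, nslots - 1)
        slots[slot] += (t - prev) * rate_bytes_per_s
        prev = t
    return slots


def peak_ratio(slots):
    """Largest slot divided by the mean slot: 1.0 means perfectly smooth."""
    return max(slots) / (sum(slots) / len(slots))


if __name__ == "__main__":
    # A 1-hour flow at 1 Mbit/s (125,000 bytes/s): constructed input.
    for timeout in (30, 5):
        slots = bytes_per_slot(3600, 125_000, timeout)
        mb = [round(b / 1e6, 1) for b in slots]
        print(f"active timeout {timeout:2d} min: MB per 5-min slot {mb}, "
              f"peak/mean {peak_ratio(slots):.1f}")
```

With the 30-minute default the hour’s 450 MB appear as two 225 MB spikes in slots 6 and 12 and nothing in between; with a 5-minute timeout every slot shows 37.5 MB. The same mechanism misdates a burst of traffic in the graphs, which matters when you are trying to line up a spike with an incident.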
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.gpontutorials.com(config)# snmp-server ifindex persist
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This enables ifIndex persistence globally, which ensures that the ifIndex values are retained across router reboots and when interface modules are added or removed. It matters for NetFlow because the exported records identify interfaces only by their ifIndex; if the numbering changed after a reboot, NfSen’s per-interface statistics would be attributed to the wrong interfaces.

Now configure how you want the ip flow top-talkers to work:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.gpontutorials.com(config)# ip flow-top-talkers
rtr1.ws.gpontutorials.com(config-flow-top-talkers)# top 20
rtr1.ws.gpontutorials.com(config-flow-top-talkers)# sort-by bytes
rtr1.ws.gpontutorials.com(config-flow-top-talkers)# end
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now we’ll verify what we’ve done.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.gpontutorials.com# show ip flow export
rtr1.ws.gpontutorials.com# show ip cache flow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
See your “top talkers” across your router interfaces:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.gpontutorials.com# show ip flow top-talkers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If it all looks good then write your running-config to non-volatile RAM (i.e. the startup-config):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.gpontutorials.com# wr mem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can exit from the router now:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.gpontutorials.com# exit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Verify that flows are arriving from your router at the PC chosen to receive flows in your group. Note that NetFlow v5 is carried in plain UDP datagrams with no authentication, so on a production collector you should restrict the receiving ports to the addresses of your exporting routers with a host firewall:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo tcpdump -Tcnfp port 9001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wait a few seconds and you should see something like the following (the hostnames and the port number in this sample output differ from yours; you should see your router’s address and port 9001):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
06:12:00.953450 IP s2.ws.gpontutorials.com.54538 > noc.ws.gpontutorials.com.9009: NetFlow v5,
9222.333 uptime, 1359871921.013782000, #906334, 30 recs
started 8867.952, last 8867.952
10.10.0.241/0:0:53 > 10.10.0.250/0:0:49005 >> 0.0.0.0
udp tos 0, 1 (136 octets)
started 8867.952, last 3211591.733
10.10.0.241/10:0:0 > 0.0.0.0/10:0:4352 >> 0.0.0.0
ip tos 0, 62 (8867952 octets)
[…]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you are using NetFlow v9, note that the output above may not be correct, as the tcpdump shipped with this version of Ubuntu does not decode NetFlow v9 properly (the router configuration above exports v5, which it does decode).

Next, verify that flows are arriving from the router of the group next to you at the PC chosen to receive flows in your group (you may have to wait until that group is ready and exporting flows to your PC):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo tcpdump -Tcnfp port 9002
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
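The tcpdump output above is a decoded view of what nfcapd receives on ports 9001 and 9002. The following added example (not part of the original exercise) decodes NetFlow v5 datagrams the way a collector must: it checks the version, the record count and the datagram length before trusting anything, and uses the header’s flow_sequence counter to detect records lost between two datagrams. The sample datagram is constructed: the first record mirrors the DNS flow in the tcpdump output (10.10.0.241:53 to 10.10.0.250:49005, udp, 1 packet, 136 octets) and the uptime and sequence number are taken from its header line; the second record and all interface indexes are made up.

```python
"""Decode NetFlow v5 datagrams the way a collector such as nfcapd must.

Added example, not part of the original exercise. The sample datagram is
CONSTRUCTED: the first record mirrors the DNS flow in the tcpdump output,
the second record and the ifIndex values are made up.
"""
import ipaddress
import struct

# NetFlow v5 wire format: big-endian, 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts",
                 "doctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def build_v5(flows, sys_uptime, unix_secs, flow_sequence):
    """Assemble a v5 datagram from flow dicts. Used here only to construct
    test input; on the real network the router is the exporter."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(f["srcaddr"]).packed,
            ipaddress.IPv4Address(f["dstaddr"]).packed,
            ipaddress.IPv4Address(f.get("nexthop", "0.0.0.0")).packed,
            f.get("input", 0), f.get("output", 0),
            f["dpkts"], f["doctets"], f["first"], f["last"],
            f.get("srcport", 0), f.get("dstport", 0), 0,
            f.get("tcp_flags", 0), f["prot"], f.get("tos", 0),
            0, 0, 0, 0, 0)
        for f in flows)
    return header + body


def parse_v5(data):
    """Decode one datagram into (header dict, list of record dicts).
    Anything that is not a well-formed v5 datagram raises ValueError."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(data, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version field = {hdr['version']})")
    if not 1 <= hdr["count"] <= 30:  # v5 carries at most 30 records
        raise ValueError(f"record count {hdr['count']} out of range 1..30")
    expected = V5_HEADER.size + hdr["count"] * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"length {len(data)}, expected {expected} "
                         f"for {hdr['count']} records")
    records = []
    for i in range(hdr["count"]):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(data, offset)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        records.append(rec)
    return hdr, records


def is_valid_v5(data):
    """True if parse_v5 accepts the datagram."""
    try:
        parse_v5(data)
        return True
    except ValueError:
        return False


def sequence_gap(prev_hdr, hdr):
    """Records lost between two consecutive datagrams from one exporter.
    flow_sequence counts records, not datagrams, so the next header should
    carry prev.flow_sequence + prev.count; 0 means nothing was missed."""
    return hdr["flow_sequence"] - (prev_hdr["flow_sequence"] + prev_hdr["count"])


# Constructed sample (see module docstring).
SAMPLE_FLOWS = [
    {"srcaddr": "10.10.0.241", "dstaddr": "10.10.0.250", "srcport": 53,
     "dstport": 49005, "prot": 17, "dpkts": 1, "doctets": 136,
     "first": 8867952, "last": 8867952, "input": 1, "output": 2},
    {"srcaddr": "10.10.0.250", "dstaddr": "10.10.0.241", "srcport": 49006,
     "dstport": 22, "prot": 6, "dpkts": 62, "doctets": 8192, "tcp_flags": 0x18,
     "first": 8860000, "last": 8867952, "input": 2, "output": 1},
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS, sys_uptime=9222333,
                           unix_secs=1359871921, flow_sequence=906334)


def summarize(data):
    """One line per record, in the spirit of tcpdump's -T cnfp output."""
    hdr, recs = parse_v5(data)
    return [f"{r['srcaddr']}:{r['srcport']} > {r['dstaddr']}:{r['dstport']} "
            f"proto {r['prot']} ifIndex {r['input']}->{r['output']} "
            f"{r['dpkts']} pkts {r['doctets']} octets" for r in recs]


if __name__ == "__main__":
    hdr, _ = parse_v5(SAMPLE_DATAGRAM)
    print(f"NetFlow v{hdr['version']}, {hdr['count']} recs, "
          f"uptime {hdr['sys_uptime'] / 1000:.3f}, #{hdr['flow_sequence']}")
    for line in summarize(SAMPLE_DATAGRAM):
        print(" ", line)
```

Two points worth noting from the code: the records carry interfaces only as ifIndex numbers (the `input` and `output` fields), which is why `snmp-server ifindex persist` was configured above, and nothing in the datagram authenticates the sender, which is why a collector should accept these ports only from the router’s address.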

**Congratulations! You have completed the configuration.**
