Agenda: exercise1-flow-export.txt

File exercise1-flow-export.txt, 6.8 KB (added by admin, 6 years ago)

Line
1	% Monitoring Netflow with NfSen
2	%
3	% Network Monitoring and Management
4
5	# Introduction
6
7	## Goals
8
9	* Learn how to export flows from a Cisco router
10
11	## Notes
12
13	* Commands preceded with "$" imply that you should execute the command as
14	a general user - not as root.
15	* Commands preceded with "#" imply that you should be working as root.
16	* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
17	imply that you are executing commands on remote equipment, or within
18	another program.
19
20	# Export flows from a Cisco router
21
22	During this exercise we will ask that you export flows from your router to two
23	PCs in the classroom. You should work together as a group. That is, for group 1,
24	users of pc1, pc2, pc3, pc4 should work together and pick one machine where
25	network flows will arrive.
26
27	In addition, you will export a second flow from your group's router to a PC in
28	the group next to yours. That is, for example, if group 2 has chosen pc5 to be
29	the PC that receives flows, then the second flow you export will go to pc5. And,
30	if you chose pc1 to receive flows from router 1 (rtr1), then it should, also,
31	receive flows from router 2 (rtr2):
32
33	These exercises work on the example of doing the following:
34
35	Group 1, Router 1
36	-----------------
37	rtr1 ==> pc1 on port 9001
38	rtr1 ==> pc5 on port 9002
39
40	Group 2, Router 2
41	-----------------
42	rtr2 ==> pc5 on port 9001
43	rtr2 ==> pc1 on port 9002
44
45	You may select the combination that works for your groups.
46
47	Here are the groups that should work together:
48
49	* group 1 and 2
50	* group 3 and 4
51	* group 5 and 6
52	* group 7 and 8
53
54	If there is a group 9 please see the instructors.
55
56	If you had three groups, you could do:
57
58	rtr1 ==> pc1 port 9001
59	rtr1 ==> pc5 port 9001
60
61	rtr2 ==> pc5 port 9002
62	rtr2 ==> pc9 port 9001
63
64	rtr3 ==> pc9 port 9002
65	rtr3 ==> pc1 port 9002
66
67	... just make sure to follow the rule:
68
69	- every router exports to two destinations: one in your group, one in another
70	- every designated PC in the group should receive two exports: one from your
71	group, one from another
72
73	# Configuring the routers
74
75	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
76	$ ssh cisco@rtr1.ws.nsrc.org
77	rtr1.ws.nsrc.org> enable
78	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
79
80	or, if ssh is not configured yet:
81
82	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
83	$ telnet 10.10.1.254
84	Username: cisco
85	Password:
86	Router1>enable
87	Password:
88	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
89
90	Remember - This is an EXAMPLE for the following situation:
91
92	rtr1 ==> pc1 on port 9001
93	rtr1 ==> pc5 on port 9002
94
95	Group 2, 3, 4, 5, 6, 7, 8 and 9 will do something different.
96
97	The following configures the FastEthernet 0/0 interface to export flows.
98
99	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
100	rtr1.ws.nsrc.org# configure terminal
101	rtr1.ws.nsrc.org(config)# interface FastEthernet 0/0
102	rtr1.ws.nsrc.org(config-if)# ip flow ingress
103	rtr1.ws.nsrc.org(config-if)# ip flow egress
104	rtr1.ws.nsrc.org(config-if)# exit
105	rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.1.1 9001
106	rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.2.5 9002
107	rtr1.ws.nsrc.org(config)# ip flow-export version 5
108	rtr1.ws.nsrc.org(config)# ip flow-cache timeout active 5
109	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
110
111	This breaks up long-lived flows into 5-minute fragments. You can
112	choose any number of minutes between 1 and 60. If you leave it at
113	the default of 30 minutes your traffic reports will have spikes.
114
115	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
116	rtr1.ws.nsrc.org(config)# snmp-server ifindex persist
117	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
118
119	This enables ifIndex persistence globally. This ensures that the
120	ifIndex values are retained during router reboots - also if you add
121	or remove interface modules to your network devices.
122
123	Now configure how you want the ip flow top-talkers to work:
124
125	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
126	rtr1.ws.nsrc.org(config)#ip flow-top-talkers
127	rtr1.ws.nsrc.org(config-flow-top-talkers)#top 20
128	rtr1.ws.nsrc.org(config-flow-top-talkers)#sort-by bytes
129	rtr1.ws.nsrc.org(config-flow-top-talkers)#end
130	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
131
132	Now we'll verify what we've done.
133
134	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
135	rtr1.ws.nsrc.org# show ip flow export
136	rtr1.ws.nsrc.org# show ip cache flow
137	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
138
139	Note the packet size distribution - what are the two most common packet
140	sizes ?
141
142	See your "top talkers" across your router interfaces
143
144	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
145	rtr1.ws.nsrc.org# show ip flow top-talkers
146	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
147
148	If it all looks good then write your running-config to non-volatile
149	RAM (i.e. the startup-config):
150
151	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
152	rtr1.ws.nsrc.org#wr mem
153	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
154
155	You can exit from the router now:
156
157	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
158	rtr1.ws.nsrc.org#exit
159	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
160
161	Verify that flows are arriving from your router to the PC chosen to receive
162	flows in your group:
163
164	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
165	$ sudo tcpdump -Tcnfp port 9001
166	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
167
168	Wait a few seconds and you should see something that looks like:
169
170	06:12:00.953450 IP s2.ws.nsrc.org.54538 > noc.ws.nsrc.org.9009: NetFlow v5, 9222.333 uptime, 1359871921.013782000, #906334, 30 recs
171	started 8867.952, last 8867.952
172	10.10.0.241/0:0:53 > 10.10.0.250/0:0:49005 >> 0.0.0.0
173	udp tos 0, 1 (136 octets)
174	started 8867.952, last 3211591.733
175	10.10.0.241/10:0:0 > 0.0.0.0/10:0:4352 >> 0.0.0.0
176	ip tos 0, 62 (8867952 octets)
177	[...]
178
179	If you are using Netflow v9, do note that the above output may not be
180	correct, as the tcpdump in this version of Ubuntu does not decode Netflow
181	v9 properly.
182
183	Verify that flows are arriving from the router in the group next to you to
184	the PC chosen to receive flows in your group (you may have to wait until
185	the group next to you is ready and exporting flows to your PC):
186
187	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
188	$ sudo tcpdump -Tcnfp port 9002
189	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
190
191	You are done for this lab.
192
193	Move on to exercise3-NfSen-PortTracker if NfSen is already installed.
194
195	Otherwise, go to exercise2-install-nfdump-nfsen.