Agenda: exercise1-flow-export.txt

File exercise1-flow-export.txt, 6.8 KB (added by admin, 6 years ago)
% Monitoring Netflow with NfSen
%
% Network Monitoring and Management

# Introduction

## Goals

* Learn how to export flows from a Cisco router

## Notes

* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands preceded with a more specific prompt (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

# Export flows from a Cisco router

During this exercise we will ask that you export flows from your router to two
PCs in the classroom. You should work together as a group. That is, for group 1,
users of pc1, pc2, pc3, pc4 should work together and pick one machine where
network flows will arrive.

In addition, you will export a second flow from your group's router to a PC in
the group next to yours. That is, for example, if group 2 has chosen pc5 to be
the PC that receives flows, then the second flow you export will go to pc5. And,
if you chose pc1 to receive flows from router 1 (rtr1), then it should also
receive flows from router 2 (rtr2).

These exercises work on the example of doing the following:

Group 1, Router 1
-----------------
rtr1 ==> pc1 on port 9001
rtr1 ==> pc5 on port 9002

Group 2, Router 2
-----------------
rtr2 ==> pc5 on port 9001
rtr2 ==> pc1 on port 9002

You may select the combination that works for your groups.

Here are the groups that should work together:

* group 1 and 2
* group 3 and 4
* group 5 and 6
* group 7 and 8

If there is a group 9 please see the instructors.

If you had three groups, you could do:

rtr1 ==> pc1 port 9001
rtr1 ==> pc5 port 9001

rtr2 ==> pc5 port 9002
rtr2 ==> pc9 port 9001

rtr3 ==> pc9 port 9002
rtr3 ==> pc1 port 9002

... just make sure to follow the rule:

- every router exports to two destinations: one in your group, one in another
- every designated PC in the group should receive two exports: one from your
  group, one from another

# Configuring the routers

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ssh cisco@rtr1.ws.nsrc.org
rtr1.ws.nsrc.org> enable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

or, if ssh is not configured yet:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ telnet 10.10.1.254
Username: cisco
Password:
Router1>enable
Password:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remember - This is an EXAMPLE for the following situation:

rtr1 ==> pc1 on port 9001
rtr1 ==> pc5 on port 9002

Groups 2, 3, 4, 5, 6, 7, 8 and 9 will do something different.

The following enables flow accounting on the FastEthernet 0/0 interface
(both directions), then configures the two export destinations, the
export format (version 5) and the active flow timeout.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.nsrc.org# configure terminal
rtr1.ws.nsrc.org(config)# interface FastEthernet 0/0
rtr1.ws.nsrc.org(config-if)# ip flow ingress
rtr1.ws.nsrc.org(config-if)# ip flow egress
rtr1.ws.nsrc.org(config-if)# exit
rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.1.1 9001
rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.2.5 9002
rtr1.ws.nsrc.org(config)# ip flow-export version 5
rtr1.ws.nsrc.org(config)# ip flow-cache timeout active 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The active timeout breaks up long-lived flows into 5-minute fragments. You
can choose any number of minutes between 1 and 60. If you leave it at the
default of 30 minutes your traffic reports will have spikes, because all the
bytes of a long-lived flow are exported in one record and land in a single
5-minute interval of the graph.
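To see why the active timeout produces spikes, here is a small simulation added for this lab (it is not part of the original text or of NfSen). It assumes the collector books each exported record into the 5-minute slot in which the record was exported, which is how NfSen's 5-minute nfcapd files work, and simulates one constant-rate flow at 1000 bytes/second for 30 minutes under different `ip flow-cache timeout active` values:

```python
"""Simulate how the NetFlow active timeout shapes a 5-minute traffic graph.

Added example, not part of the original lab text and not NfSen code.
A long-lived flow is simulated at a constant rate; the router exports one
record every time the active timeout expires (and a final one when the flow
ends). The collector (assumption: NfSen's 5-minute nfcapd slots) books each
record's bytes into the slot in which the record was exported, so a 30-minute
timeout piles 30 minutes of traffic into a single slot: the "spike".
"""

SLOT_SECONDS = 300  # 5-minute collection slot (assumed NfSen/nfcapd rotation)


def export_records(duration_s, rate_bps, active_timeout_min):
    """Return (export_time_s, bytes) for each record the router would export.

    duration_s: how long the flow lasts, in seconds.
    rate_bps: constant rate of the flow, in bytes per second.
    active_timeout_min: the 'ip flow-cache timeout active N' value, in minutes.
    """
    timeout_s = active_timeout_min * 60
    records = []
    start = 0
    while start < duration_s:
        end = min(start + timeout_s, duration_s)
        records.append((end, (end - start) * rate_bps))
        start = end
    return records


def bin_into_slots(records):
    """Attribute each record's bytes to the 5-minute slot in which it was exported."""
    slots = {}
    for end, nbytes in records:
        # A record exported exactly on a slot boundary belongs to the slot just ended.
        slot = (end - 1) // SLOT_SECONDS
        slots[slot] = slots.get(slot, 0) + nbytes
    return slots


def spike_ratio(duration_s, rate_bps, active_timeout_min):
    """How far the busiest slot exceeds the true average per slot (1.0 = flat graph)."""
    slots = bin_into_slots(export_records(duration_s, rate_bps, active_timeout_min))
    n_slots = -(-duration_s // SLOT_SECONDS)  # ceiling division
    average = duration_s * rate_bps / n_slots
    return max(slots.values()) / average


if __name__ == "__main__":
    # Constructed scenario: one flow, 1000 bytes/s, lasting 30 minutes.
    for timeout in (1, 5, 30):
        print(f"active timeout {timeout:2d} min -> "
              f"busiest slot is {spike_ratio(1800, 1000, timeout):.1f}x the average")
```

With a 1- or 5-minute timeout every slot receives the same 300000 bytes; with the 30-minute default the whole 1800000 bytes appear in the last slot, six times the true rate, and the preceding five slots show nothing at all.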

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.nsrc.org(config)# snmp-server ifindex persist
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This enables ifIndex persistence globally. It ensures that the ifIndex
values (which the exported flows use to identify interfaces) are retained
across router reboots, and also when you add or remove interface modules
on your network devices.

Now configure how you want the ip flow top-talkers to work:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.nsrc.org(config)#ip flow-top-talkers
rtr1.ws.nsrc.org(config-flow-top-talkers)#top 20
rtr1.ws.nsrc.org(config-flow-top-talkers)#sort-by bytes
rtr1.ws.nsrc.org(config-flow-top-talkers)#end
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now we'll verify what we've done.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.nsrc.org# show ip flow export
rtr1.ws.nsrc.org# show ip cache flow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note the packet size distribution - what are the two most common packet
sizes?

See your "top talkers" across your router interfaces:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.nsrc.org# show ip flow top-talkers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If it all looks good then write your running-config to non-volatile
RAM (i.e. the startup-config):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.nsrc.org#wr mem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can exit from the router now:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtr1.ws.nsrc.org#exit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Verify that flows are arriving from your router to the PC chosen to receive
flows in your group (tcpdump's "-T cnfp" option decodes the UDP payload as
Cisco NetFlow):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo tcpdump -Tcnfp port 9001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wait a few seconds and you should see something that looks like:

06:12:00.953450 IP s2.ws.nsrc.org.54538 > noc.ws.nsrc.org.9009: NetFlow v5, 9222.333 uptime, 1359871921.013782000, #906334, 30 recs
  started 8867.952, last 8867.952
    10.10.0.241/0:0:53 > 10.10.0.250/0:0:49005 >> 0.0.0.0
    udp tos 0, 1 (136 octets)
  started 8867.952, last 3211591.733
    10.10.0.241/10:0:0 > 0.0.0.0/10:0:4352 >> 0.0.0.0
    ip tos 0, 62 (8867952 octets)
[...]

If you are using Netflow v9, do note that the above output may not be
correct, as the tcpdump in this version of Ubuntu does not decode Netflow
v9 properly.
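To make the tcpdump output above concrete, here is a decoder for a NetFlow v5 datagram, added for this lab (it is not part of the original text, nor NfSen or nfdump code). It implements the standard v5 layout: a 24-byte header followed by up to 30 records of 48 bytes each. The sample datagram is constructed inline to mirror the two records in the tcpdump output (addresses, ports, protocol, packet and octet counts, sequence number 906334); the interface indexes and mask values in it are invented. The decoder refuses datagrams whose version, record count or length do not match, which is the check a collector should make before trusting any counter from an unauthenticated UDP packet:

```python
"""Decode a NetFlow v5 export datagram as it arrives on the collector's UDP port.

Added example, not part of the original lab and not NfSen/nfdump code.
Layout is the standard NetFlow v5 format: 24-byte header, then 1..30 records
of 48 bytes. The sample datagram is constructed here to mirror the two
records in the tcpdump output (ifindex and mask values are invented).
"""
import socket
import struct

# version, count, sys_uptime(ms), unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
HEADER = struct.Struct("!HHIIIIBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30
PROTO_NAMES = {0: "ip", 1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(datagram):
    """Return (header_dict, [record_dict, ...]); raise ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq,
     eng_type, eng_id, sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 0 < count <= MAX_RECORDS:
        raise ValueError(f"record count {count} outside 1..{MAX_RECORDS}")
    expected = HEADER.size + count * RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} does not match count {count} "
                         f"(expected {expected})")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "unix_nsecs": nsecs, "flow_sequence": seq,
              "engine_type": eng_type, "engine_id": eng_id, "sampling": sampling}
    records = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, src_as, dst_as, src_mask, dst_mask,
         _pad2) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop), "input_if": in_if, "output_if": out_if,
            "packets": pkts, "octets": octets, "first_ms": first, "last_ms": last,
            "sport": sport, "dport": dport, "tcp_flags": flags, "proto": proto,
            "proto_name": PROTO_NAMES.get(proto, str(proto)), "tos": tos,
            "src_as": src_as, "dst_as": dst_as, "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return header, records


def summarize(record):
    """One line per flow, in the spirit of tcpdump's -T cnfp output."""
    return (f"{record['src']}:{record['sport']} > {record['dst']}:{record['dport']} "
            f"{record['proto_name']} {record['packets']} pkts, {record['octets']} octets")


def build_datagram(records, uptime_ms=9222333, unix_secs=1359871921,
                   unix_nsecs=13782000, seq=906334):
    """Assemble a v5 datagram from record tuples (used only to construct the sample)."""
    header = HEADER.pack(5, len(records), uptime_ms, unix_secs, unix_nsecs, seq, 0, 0, 0)
    return header + b"".join(RECORD.pack(*r) for r in records)


def _ip(text):
    return socket.inet_aton(text)


# Constructed sample mirroring the two records shown in the tcpdump output.
SAMPLE = build_datagram([
    # src, dst, nexthop, in, out, pkts, octets, first, last, sport, dport,
    # pad, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad
    (_ip("10.10.0.241"), _ip("10.10.0.250"), _ip("0.0.0.0"), 0, 0, 1, 136,
     8867952, 8867952, 53, 49005, 0, 0, 17, 0, 0, 0, 0, 0, 0),
    (_ip("10.10.0.241"), _ip("0.0.0.0"), _ip("0.0.0.0"), 0, 0, 62, 8867952,
     8867952, 3211591733, 0, 4352, 0, 0, 0, 0, 0, 0, 10, 10, 0),
])


def listen_once(port=9001, bufsize=2048):
    """Bind the collector port and decode a single datagram from the router."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        data, (peer, _) = sock.recvfrom(bufsize)
    return peer, parse_netflow_v5(data)


if __name__ == "__main__":
    header, records = parse_netflow_v5(SAMPLE)
    print(f"NetFlow v5 #{header['flow_sequence']}, {header['count']} recs")
    for rec in records:
        print("   ", summarize(rec))
```

Running the script decodes the constructed sample; `listen_once(9001)` instead binds the port the lab uses and decodes the first datagram the router actually sends, so it can be used side by side with the tcpdump command above (stop tcpdump first if both should see the same port, or run them on different PCs).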

Verify that flows are arriving from the router in the group next to you to
the PC chosen to receive flows in your group (you may have to wait until
the group next to you is ready and exporting flows to your PC):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo tcpdump -Tcnfp port 9002
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You are done for this lab.

Move on to exercise3-NfSen-PortTracker if NfSen is already installed.

Otherwise, go to exercise2-install-nfdump-nfsen.