Context Navigation

Back to Agenda

Agenda: exercise1-flow-export.htm

File exercise1-flow-export.htm, 6.2 KB (added by admin, 5 years ago)

Line
1	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2	<html xmlns="http://www.w3.org/1999/xhtml">
3	<head>
4	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
5	<meta http-equiv="Content-Style-Type" content="text/css" />
6	<meta name="generator" content="pandoc" />
7	<title>Monitoring Netflow with NfSen</title>
8	<style type="text/css">code{white-space: pre;}</style>
9	<link rel="stylesheet" href="http://noc.ws.nsrc.org/css/style.css" type="text/css" />
10	</head>
11	<body>
12	<div id="header">
13	<h1 class="title">Monitoring Netflow with NfSen</h1>
14	</div>
15	<div id="TOC">
16	<ul>
17	<li><a href="#introduction"><span class="toc-section-number">1</span> Introduction</a><ul>
18	<li><a href="#goals"><span class="toc-section-number">1.1</span> Goals</a></li>
19	<li><a href="#notes"><span class="toc-section-number">1.2</span> Notes</a></li>
20	</ul></li>
21	<li><a href="#export-flows-from-a-cisco-router"><span class="toc-section-number">2</span> Export flows from a Cisco router</a><ul>
22	<li><a href="#group-1-router-1"><span class="toc-section-number">2.1</span> Group 1, Router 1</a></li>
23	<li><a href="#group-2-router-2"><span class="toc-section-number">2.2</span> Group 2, Router 2</a></li>
24	</ul></li>
25	<li><a href="#configuring-the-routers"><span class="toc-section-number">3</span> Configuring the routers</a></li>
26	</ul>
27	</div>
28	<h1 id="introduction"><a href="#introduction"><span class="header-section-number">1</span> Introduction</a></h1>
29	<h2 id="goals"><a href="#goals"><span class="header-section-number">1.1</span> Goals</a></h2>
30	<ul>
31	<li>Learn how to export flows from a Cisco router</li>
32	</ul>
33	<h2 id="notes"><a href="#notes"><span class="header-section-number">1.2</span> Notes</a></h2>
34	<ul>
35	<li>Commands preceded with "$" imply that you should execute the command as a general user - not as root.</li>
36	<li>Commands preceded with "#" imply that you should be working as root.</li>
37	<li>Commands with more specific command lines (e.g. "rtrX>" or "mysql>") imply that you are executing commands on remote equipment, or within another program.</li>
38	</ul>
39	<h1 id="export-flows-from-a-cisco-router"><a href="#export-flows-from-a-cisco-router"><span class="header-section-number">2</span> Export flows from a Cisco router</a></h1>
40	<p>We will ask that you work in pairs: e.g. for group 1 one pair will be pc1/pc2 and the other pair will be pc3/pc4. (If there are only three people in your group then the third person will do it all by themselves)</p>
41	<p>Because your Cisco router can only export flows to two destinations simultaneously, we will use the following configuration:</p>
42	<h2 id="group-1-router-1"><a href="#group-1-router-1"><span class="header-section-number">2.1</span> Group 1, Router 1</a></h2>
43	<pre><code>rtr1 ==> pc1 on port 9001
44	rtr1 ==> pc3 on port 9001</code></pre>
45	<h2 id="group-2-router-2"><a href="#group-2-router-2"><span class="header-section-number">2.2</span> Group 2, Router 2</a></h2>
46	<pre><code>rtr2 ==> pc5 on port 9001
47	rtr2 ==> pc7 on port 9001</code></pre>
48	<p>etc. Therefore flows will only arrive at the first PC in each pair. However, when nfsen is installed, both people can point their web browser to the first PC.</p>
49	<h1 id="configuring-the-routers"><a href="#configuring-the-routers"><span class="header-section-number">3</span> Configuring the routers</a></h1>
50	<pre><code>$ ssh cisco@rtrX.ws.nsrc.org
51	rtrX> enable</code></pre>
52	<p>or, if ssh is not configured yet:</p>
53	<pre><code>$ telnet 10.10.1.254
54	Username: cisco
55	Password:
56	Router1>enable
57	Password: </code></pre>
58	<p>The following configures the FastEthernet 0/0 interface to export flows. Replace 10.10.X.Y with the IP address of the PC in your pair which is going to receive them.</p>
59	<pre><code>rtrX# configure terminal
60	rtrX(config)# interface FastEthernet 0/0
61	rtrX(config-if)# ip flow ingress
62	rtrX(config-if)# ip flow egress
63	rtrX(config-if)# exit
64	rtrX(config)# ip flow-export destination 10.10.X.Y 9001
65	rtrX(config)# ip flow-export destination 10.10.X.Z 9001
66	rtrX(config)# ip flow-export version 5
67	rtrX(config)# ip flow-cache timeout active 5</code></pre>
68	<p>The last command breaks up long-lived flows into 5-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes your traffic reports will have spikes.</p>
69	<pre><code>rtrX(config)# snmp-server ifindex persist</code></pre>
70	<p>This enables ifIndex persistence globally. This ensures that the ifIndex values are retained during router reboots - also if you add or remove interface modules to your network devices.</p>
71	<p>Now configure how you want the ip flow top-talkers to work:</p>
72	<pre><code>rtrX(config)#ip flow-top-talkers
73	rtrX(config-flow-top-talkers)#top 20
74	rtrX(config-flow-top-talkers)#sort-by bytes
75	rtrX(config-flow-top-talkers)#end</code></pre>
76	<p>Now we'll verify what we've done.</p>
77	<pre><code>rtrX# show ip flow export
78	rtrX# show ip cache flow</code></pre>
79	<p>Note the packet size distribution - what are the two most common packet sizes ?</p>
80	<p>See your "top talkers" across your router interfaces</p>
81	<pre><code>rtrX# show ip flow top-talkers</code></pre>
82	<p>If it all looks good then write your running-config to non-volatile RAM (i.e. the startup-config):</p>
83	<pre><code>rtrX#wr mem</code></pre>
84	<p>You can exit from the router now:</p>
85	<pre><code>rtrX#exit</code></pre>
86	<p>Verify that flows are arriving from your router to the PC chosen to receive flows in your group:</p>
87	<pre><code>$ sudo tcpdump -Tcnfp port 9001</code></pre>
88	<p>Wait a few seconds and you should see something that looks like:</p>
89	<p>06:12:00.953450 IP s2.ws.nsrc.org.54538 > noc.ws.nsrc.org.9009: NetFlow v5, 9222.333 uptime, 1359871921.013782000, #906334, 30 recs started 8867.952, last 8867.952 10.10.0.241/0:0:53 > 10.10.0.250/0:0:49005 >> 0.0.0.0 udp tos 0, 1 (136 octets) started 8867.952, last 3211591.733 10.10.0.241/10:0:0 > 0.0.0.0/10:0:4352 >> 0.0.0.0 ip tos 0, 62 (8867952 octets) [...]</p>
90	<p>These are the UDP packets containing individual flow records.</p>
91	<p>If you are using Netflow v9, do note that the above output may not be correct, as the tcpdump in this version of Ubuntu does not decode Netflow v9 properly.</p>
92	<p>You are done for this lab.</p>
93	<p>Go to exercise2-install-nfdump-nfsen.</p>
94	</body>
95	</html>

Download in other formats:

Original Format