
File exercise1-flow-export.htm, 12.5 KB (added by Chris Elliott, 6 years ago)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title>Monitoring Netflow with NfSen</title>
  <style type="text/css">code{white-space: pre;}</style>
</head>
<body>
<div id="header">
<h1 class="title">Monitoring Netflow with NfSen</h1>
<h3 class="date">Network Monitoring and Management</h3>
</div>
<div id="TOC">
<ul>
<li><a href="#introduction"><span class="toc-section-number">1</span> Introduction</a><ul>
<li><a href="#goals"><span class="toc-section-number">1.1</span> Goals</a></li>
<li><a href="#notes"><span class="toc-section-number">1.2</span> Notes</a></li>
</ul></li>
<li><a href="#export-flows-from-a-cisco-router"><span class="toc-section-number">2</span> Export flows from a Cisco router</a><ul>
<li><a href="#group-1-router-1"><span class="toc-section-number">2.1</span> Group 1, Router 1</a></li>
<li><a href="#group-2-router-2"><span class="toc-section-number">2.2</span> Group 2, Router 2</a></li>
</ul></li>
<li><a href="#configuring-the-routers"><span class="toc-section-number">3</span> Configuring the routers</a></li>
</ul>
</div>
<h1 id="introduction"><span class="header-section-number">1</span> Introduction</h1>
<h2 id="goals"><span class="header-section-number">1.1</span> Goals</h2>
<ul>
<li>Learn how to export flows from a Cisco router</li>
</ul>
<h2 id="notes"><span class="header-section-number">1.2</span> Notes</h2>
<ul>
<li>Commands preceded with &quot;$&quot; imply that you should execute the command as a general user - not as root.</li>
<li>Commands preceded with &quot;#&quot; imply that you should be working as root.</li>
<li>Commands with more specific command lines (e.g. &quot;rtrX&gt;&quot; or &quot;mysql&gt;&quot;) imply that you are executing commands on remote equipment, or within another program.</li>
</ul>
<h1 id="export-flows-from-a-cisco-router"><span class="header-section-number">2</span> Export flows from a Cisco router</h1>
<p>You will configure your router to export the same flow data to all PCs in your group.</p>
<h2 id="group-1-router-1"><span class="header-section-number">2.1</span> Group 1, Router 1</h2>
<pre><code>rtr1 ==&gt; pc1 on port 9001
rtr1 ==&gt; pc2 on port 9001
rtr1 ==&gt; pc3 on port 9001
rtr1 ==&gt; pc4 on port 9001</code></pre>
<h2 id="group-2-router-2"><span class="header-section-number">2.2</span> Group 2, Router 2</h2>
<pre><code>rtr2 ==&gt; pc5 on port 9001
rtr2 ==&gt; pc6 on port 9001
rtr2 ==&gt; pc7 on port 9001
rtr2 ==&gt; pc8 on port 9001</code></pre>
<p>etc.</p>
<h1 id="configuring-the-routers"><span class="header-section-number">3</span> Configuring the routers</h1>
<pre><code>$ ssh cisco@rtrX.ws.nsrc.org
rtrX&gt; enable</code></pre>
<p>or, if ssh is not configured yet:</p>
<pre><code>$ telnet 10.10.1.254
Username: cisco
Password:
Router1&gt;enable
Password: </code></pre>
<p>The following configures the FastEthernet 0/0 interface to export flows. Replace 10.10.X.A to .D with the IP addresses of the PCs in your group.</p>
<pre><code>rtrX# configure terminal
rtrX(config)#

flow exporter EXPORTER-1
 description Export to pcA
 destination 10.10.X.A
 transport udp 9001
 template data timeout 60

flow exporter EXPORTER-2
 description Export to pcB
 destination 10.10.X.B
 transport udp 9001
 template data timeout 60

flow exporter EXPORTER-3
 description Export to pcC
 destination 10.10.X.C
 transport udp 9001
 template data timeout 60

flow exporter EXPORTER-4
 description Export to pcD
 destination 10.10.X.D
 transport udp 9001
 template data timeout 60

flow monitor FLOW-MONITOR-V4
 exporter EXPORTER-1
 exporter EXPORTER-2
 exporter EXPORTER-3
 exporter EXPORTER-4
 record netflow ipv4 original-input
 cache timeout active 300

interface FastEthernet 0/0
 ip flow monitor FLOW-MONITOR-V4 input
 ip flow monitor FLOW-MONITOR-V4 output

snmp-server ifindex persist</code></pre>
<p>Since you have not specified a protocol version for the exported flow records, you get the default, which is Netflow v9.</p>
<p>Netflow v9 packets cannot be decoded by the receiver until it has received a template packet. The command <code>template data timeout 60</code> tells the router to resend the template every 60 seconds, so that the lab exercises work more quickly. (In production a value of 300 is fine.)</p>
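<p>As an added example (not part of this lab, and not the router's or NfSen's code), the following Python parser shows why the template matters on the receiving side: it decodes a constructed Netflow v9 export packet, learns the template flowset, and reports a data flowset as pending when it arrives before its template. The field type ids are the standard ones from RFC 3954; the packets, addresses and counters are constructed sample values.</p>

```python
import socket
import struct

# NetFlow v9 field type ids (RFC 3954) used by the constructed template below
FIELD_NAMES = {1: "in_bytes", 4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]  # (type, length) pairs; template id 256
def v9_header(count, seq, source_id=0):  # version, count, sysUptime, unixSecs, sequence, sourceId (constructed)
    return struct.pack("!HHIIII", 9, count, 1000, 1700000000, seq, source_id)
def decode_v9(packet, templates):
    """Decode one export packet: learn templates (flowset 0) per (sourceId, templateId); count data flowsets we cannot decode yet."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, pending, off = [], 0, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset, may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[(source_id, tid)] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id >= 256:  # data flowset: its id names the template
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                pending += 1  # undecodable until the template arrives (hence the 60 s template timeout in the lab)
            else:
                rec_len, p = sum(l for _, l in tmpl), 0
                while p + rec_len <= len(body):  # leftover bytes are padding
                    rec, q = {}, p
                    for ftype, flen in tmpl:
                        raw, q = body[q:q + flen], q + flen
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")
                    records.append(rec)
                    p += rec_len
        off += fs_len
    return records, pending
# Constructed packets: a template flowset (id 0) and a data flowset (id 256) holding one DNS-reply record
TEMPLATE_PKT = v9_header(1, 1) + struct.pack("!HHHH", 0, 8 + 4 * len(TEMPLATE), 256, len(TEMPLATE)) + b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE)
_REC = socket.inet_aton("10.10.0.241") + socket.inet_aton("10.10.0.250") + struct.pack("!HHBI", 53, 49005, 17, 136)
DATA_PKT = v9_header(1, 2) + struct.pack("!HH", 256, 24) + _REC + b"\0" * 3  # 4-byte header + 17-byte record, padded to 24

def demo():
    templates = {}
    before = decode_v9(DATA_PKT, templates)  # data before its template: ([], 1)
    decode_v9(TEMPLATE_PKT, templates)
    return before, decode_v9(DATA_PKT, templates)  # now ([{...}], 0)
```

A real collector keeps the template table per exporter source and keeps buffering or dropping data flowsets until the template timeout delivers one, which is exactly the delay the 60-second setting shortens.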
<p>The <code>cache timeout active 300</code> command breaks up long-lived flows into 5-minute fragments. If you leave it at the default of 30 minutes, your traffic graphs will have spikes.</p>
<blockquote>
<p>Aside: if you want to monitor IPv6 flows you would have to create a new flow monitor for IPv6 and attach it to the interface and the existing exporters.</p>
<pre><code>flow monitor FLOW-MONITOR-V6
 exporter EXPORTER-1
 exporter EXPORTER-2
 exporter EXPORTER-3
 exporter EXPORTER-4
 record netflow ipv6 original-input
 cache timeout active 300
interface FastEthernet 0/0
 ipv6 flow monitor FLOW-MONITOR-V6 input
 ipv6 flow monitor FLOW-MONITOR-V6 output</code></pre>
</blockquote>
<p>The command <code>snmp-server ifindex persist</code> enables ifIndex persistence globally. This ensures that the ifIndex values are retained across router reboots and when you add or remove interface modules on your network devices.</p>
<p>Now we'll verify what we've done.</p>
<p>First exit from the configuration session:</p>
<pre><code>rtrX(config)# end</code></pre>
<pre><code>rtrX# show flow exporter EXPORTER-1
rtrX# show flow exporter EXPORTER-2
etc...
rtrX# show flow monitor FLOW-MONITOR-V4</code></pre>
<p>It's possible to see the individual flows that are active in the router:</p>
<pre><code>rtrX# show flow monitor FLOW-MONITOR-V4 cache</code></pre>
<p>But on a busy router there will be thousands of individual flows, so that's not useful. Press 'q' to escape from the screen output if necessary.</p>
<p>Instead, group the flows so you can see your &quot;top talkers&quot; (traffic destinations and sources). This is one very long command line:</p>
<pre><code>rtrX# show flow monitor FLOW-MONITOR-V4 cache aggregate ipv4 source address
      ipv4 destination address sort counter bytes top 20</code></pre>
<p>If it all looks good then write your running-config to non-volatile RAM (i.e. the startup-config):</p>
<pre><code>rtrX#wr mem</code></pre>
<p>You can exit from the router now:</p>
<pre><code>rtrX#exit</code></pre>
<p>Make sure we have the tcpdump tool installed:</p>
<pre><code>$ sudo apt-get install tcpdump</code></pre>
<p>Now verify that flows are arriving from your router to your PC:</p>
<pre><code>$ sudo tcpdump -i eth0 -nn -Tcnfp port 9001</code></pre>
<p>Wait a few seconds and you should see something that looks like:</p>
<pre><code>06:12:00.953450 IP s2.ws.nsrc.org.54538 &gt; noc.ws.nsrc.org.9009: NetFlow v5, 9222.333 uptime, 1359871921.013782000, #906334, 30 recs
  started 8867.952, last 8867.952
    10.10.0.241/0:0:53 &gt; 10.10.0.250/0:0:49005 &gt;&gt; 0.0.0.0
    udp tos 0, 1 (136 octets)
  started 8867.952, last 3211591.733
    10.10.0.241/10:0:0 &gt; 0.0.0.0/10:0:4352 &gt;&gt; 0.0.0.0
    ip tos 0, 62 (8867952 octets)
[...]</code></pre>
<p>These are the UDP packets containing individual flow records.</p>
<p>(Note that the decoded output may not be correct, as tcpdump does not decode Netflow v9 properly.)</p>
<p>OPTIONAL: you can use tshark (the text version of Wireshark), which is able to fully decode Netflow v9 packets:</p>
<pre><code>$ sudo apt-get install tshark
$ sudo tshark -i eth0 -nnV -s0 -d udp.port==9001,cflow udp port 9001</code></pre>
<p>You are done for this lab.</p>
<p>Go to exercise2-install-nfdump-nfsen.</p>
</body>
</html>