Flexible NetFlow

This lab uses a Cisco ISR 1841 running IOS 15.1(4)M10.

Initial config

Basic Internet connection: Fa0/1 takes its address by DHCP and NATs the 172.16.2.0/24 LAN behind it, Loopback0 (172.16.255.1) will be the NetFlow export source, and the ElastiFlow collector sits on the LAN at 172.16.2.222.

  • R1
en
conf t
!
no service config
no ip domain-lookup
!
line console 0
exec-timeout 0 0
logging synchronous
exit
!
hostname R1
!
int fa0/0
ip addr 172.16.2.1 255.255.255.0
ip nat inside
no shut
exit
int fa0/1
ip addr dhcp
ip nat outside
no shut
exit
!
int loopback 0
ip addr 172.16.255.1 255.255.255.255
exit
!
line vty 0 15
exec-timeout 0 0
exit
!
access-list 1 permit 172.16.2.0 0.0.0.255
!
ip nat inside source list 1 interface f0/1 overload
!
end
write
  • ElastiFlow NetFlow Collector Server
The exporter will source its packets from Loopback0 (172.16.255.1), which is off the collector's subnet, so give the collector a host route back via R1. The UDP export itself is one-way, but the route is needed for the ping check below and for any ICMP errors from the collector to reach the router.
sudo ip route add 172.16.255.1/32 via 172.16.2.1

Verify Initial Configuration

R1#ping 172.16.2.222 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.222, timeout is 2 seconds:
Packet sent with a source address of 172.16.255.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The static route is installed on the collector:

wnoguchi@elastiflow:~$ ip route
default via 172.16.2.1 dev ens33 proto static
172.16.2.0/24 dev ens33 proto kernel scope link src 172.16.2.222
172.16.255.1 via 172.16.2.1 dev ens33 proto static

Configuration

Flow Record

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#flow record RECORD1
R1(config-flow-record)#match ipv4 source address
R1(config-flow-record)#match ipv4 destination address
R1(config-flow-record)#match transport source-port
R1(config-flow-record)#match transport destination-port
R1(config-flow-record)#collect counter bytes
R1(config-flow-record)#collect timestamp sys-uptime ?
  first  Time the first packet was seen
  last   Time the most recent packet was seen

R1(config-flow-record)#collect counter ?
  bytes    Total number of bytes
  packets  Total number of packets

R1(config-flow-record)#collect counter packets
R1(config-flow-record)#collect counter bytes ?
  long        Total number of bytes (64 bit counter)
  replicated  Total number of replicated bytes
  squared     Total of the square of the number of bytes
  <cr>

R1(config-flow-record)#collect interface ?
  input   The input interface
  output  The output interface

R1(config-flow-record)#collect interface input ?
  <cr>

R1(config-flow-record)#collect interface output ?
  <cr>

R1(config-flow-record)#end
R1#sh flow record RECORD1
flow record RECORD1:
  Description:        User defined
  No. of users:       0
  Total field space:  20 bytes
  Fields:
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    collect counter bytes
    collect counter packets

Only the six fields that were actually committed appear, and the 20-byte field space is exactly 4 + 4 + 2 + 2 + 4 + 4. The timestamp and interface fields were only queried with ? and never entered, so this record carries no flow start/end times and no ifindex. A record meant for a collector such as ElastiFlow should normally also have match ipv4 protocol (without it, TCP and UDP flows sharing the same address and port pair are merged into one entry), collect interface input, collect interface output and collect timestamp sys-uptime first / last; otherwise the collector has no interface or duration information to show.

Flow Exporter

R1(config)#flow exporter EXPORTER1
R1(config-flow-exporter)#destination 172.16.2.222
R1(config-flow-exporter)#source loopback 0
R1(config-flow-exporter)#do ping 172.16.2.222 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.222, timeout is 2 seconds:
Packet sent with a source address of 172.16.255.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1(config-flow-exporter)#transport udp 2055
R1(config-flow-exporter)#^Z
R1#
*Jul  2 23:33:48.823: %SYS-5-CONFIG_I: Configured from console by console
R1#sh flow exporter EXPORTER1
Flow Exporter EXPORTER1:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 172.16.2.222
    Source IP address:      172.16.255.1
    Source Interface:       Loopback0
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            53023
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used

Sourcing from Loopback0 gives the export a stable address that survives a change of the DHCP address on Fa0/1, and it is the address the collector will identify this exporter by. The export protocol defaults to NetFlow Version 9 over UDP, and nothing in that path is authenticated or encrypted: the collector accepts whatever arrives on UDP/2055, and anyone on the path can read or spoof records. That is fine on the LAN used here; on a shared or routed path keep export traffic on a management network and filter UDP/2055 on the collector so that only the exporter's source address (172.16.255.1) is accepted.
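To see what the collector actually receives from this exporter, here is an added Python example (my own code, not part of the original page or of ElastiFlow) that builds and decodes a NetFlow v9 packet carrying exactly the six-field RECORD1 layout: a template flowset describing the 20-byte record and a data flowset whose rows are copied from the router's cache output further down the page. The field type numbers are the standard v9 ones (8/12 for the IPv4 addresses, 7/11 for the ports, 1/2 for bytes and packets); the uptime, Unix time and sequence values in the header and the template ID 256 are made-up values for the constructed sample. The template cache argument exists for the edge case that matters when the collector is started after the router: a data flowset for a template the collector has not yet seen cannot be decoded, so nothing shows up until the exporter resends its templates.

```python
"""Build and decode NetFlow v9 packets carrying the six-field RECORD1 layout.

Added example, not code from the page or from ElastiFlow. Field type numbers
are the standard v9 ones; header timestamps, sequence numbers and the
template ID 256 are made-up values for the constructed sample packet.
"""
import ipaddress
import socket
import struct

# v9 field types (RFC 3954 / Cisco registry) for the six fields in RECORD1.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts",
    7: "l4_src_port", 11: "l4_dst_port",
    8: "ipv4_src_addr", 12: "ipv4_dst_addr",
}
IPV4_FIELDS = {8, 12}

# (type, length) pairs in the order IOS listed them: 4+4+2+2+4+4 = 20 bytes,
# matching "Total field space: 20 bytes" in `show flow record RECORD1`.
RECORD1_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4)]


def template_record_length(fields):
    """Bytes per data record for a template: the sum of its field lengths."""
    return sum(length for _, length in fields)


def encode_record1(src, dst, sport, dport, nbytes, npkts):
    """Serialize one RECORD1 entry in wire order (big-endian, like the router)."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!HHII", sport, dport, nbytes, npkts))


def build_v9_packet(template_id, fields, records, include_template=True,
                    seq=1, source_id=0):
    """One v9 export packet: header, optional template flowset, one data flowset."""
    body = b""
    nrecords = len(records)
    if include_template:
        tmpl = struct.pack("!HH", template_id, len(fields))
        tmpl += b"".join(struct.pack("!HH", t, l) for t, l in fields)
        body += struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl  # flowset ID 0 = template
        nrecords += 1
    data = b"".join(records)
    pad = (-len(data)) % 4  # data flowsets are padded to a 4-byte boundary
    body += struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\x00" * pad
    # Header: version, record count, sysUptime, unixSecs, sequence, source ID.
    header = struct.pack("!HHIIII", 9, nrecords, 123456, 1530575628, seq, source_id)
    return header + body


def decode_v9(packet, templates=None):
    """Decode one packet. `templates` is the per-exporter cache keyed by
    (source_id, template_id); pass the same dict across packets, because a data
    flowset whose template has not been seen yet is undecodable and is skipped."""
    if templates is None:
        templates = {}
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"count": count, "sys_uptime": uptime, "unix_secs": unix_secs,
              "seq": seq, "source_id": source_id}
    flows = []
    off = 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + set_len]
        if set_id == 0:  # template flowset, may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                spec = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                        for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = spec
        elif set_id >= 256:  # data flowset; IDs 1..255 (options etc.) are ignored here
            spec = templates.get((source_id, set_id))
            rec_len = template_record_length(spec) if spec else 0
            pos = 0
            # Trailing bytes shorter than one record are padding, not data.
            while spec and rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in spec:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = (str(ipaddress.IPv4Address(raw)) if ftype in IPV4_FIELDS
                                 else int.from_bytes(raw, "big"))
                flows.append(rec)
        off += set_len
    return header, flows


# Constructed sample: two rows copied from the router's cache table on this page.
SAMPLE_RECORDS = [
    encode_record1("172.16.2.123", "52.69.69.136", 63439, 443, 2952, 38),
    encode_record1("172.16.2.123", "8.8.8.8", 55467, 53, 83, 1),
]
SAMPLE_PACKET = build_v9_packet(256, RECORD1_FIELDS, SAMPLE_RECORDS)
DATA_ONLY_PACKET = build_v9_packet(256, RECORD1_FIELDS, SAMPLE_RECORDS[1:],
                                   include_template=False, seq=2)

if __name__ == "__main__":
    cache = {}
    # First packet is data-only and arrives before any template: decodes nothing.
    for pkt in (DATA_ONLY_PACKET, SAMPLE_PACKET, DATA_ONLY_PACKET):
        hdr, flows = decode_v9(pkt, cache)
        print(f"seq={hdr['seq']} decoded {len(flows)} flow(s)")
        for f in flows:
            print("  ", f)
```

Run it as a script and the first, template-less packet decodes to zero flows while the same packet after the template has been learned decodes to one. A production collector additionally keys its template cache by the exporter's source address, handles options templates (flowset ID 1) and tolerates out-of-order sequence numbers.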

Flow Monitor

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#flow monitor MONITOR1
R1(config-flow-monitor)#record RECORD1
R1(config-flow-monitor)#cache timeout active ?
  <1-604800>  Active timeout in seconds

R1(config-flow-monitor)#cache timeout active 300
R1(config-flow-monitor)#cache type normal
R1(config-flow-monitor)#exporter EXPORTER1
R1(config-flow-monitor)#^Z
R1#
*Jul  2 23:41:00.379: %SYS-5-CONFIG_I: Configured from console by console
R1#sh flow monitor MONITOR1
Flow Monitor MONITOR1:
  Description:       User defined
  Flow Record:       RECORD1
  Flow Exporter:     EXPORTER1 (inactive)
  Cache:
    Type:              normal
    Status:            not allocated
    Size:              4096 entries / 0 bytes
    Inactive Timeout:  15 secs
    Active Timeout:    300 secs
    Update Timeout:    1800 secs

The exporter shows as inactive and the cache as not allocated because the monitor is not attached to any interface yet; both change once it is applied below. The 300 s active timeout means a long-lived flow is exported in 5-minute slices instead of waiting for the IOS default of 1800 s, and the 15 s inactive timeout is what ages most short flows out of the cache.

Apply Flow Monitor to Interface

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#ip flow monitor MONITOR1 ?
  input      Apply Flow Monitor on input traffic
  multicast  Apply Flow Monitor on multicast traffic
  output     Apply Flow Monitor on output traffic
  sampler    Optional Sampler to apply to this Flow Monitor
  unicast    Apply Flow Monitor on unicast traffic

R1(config-if)#ip flow monitor MONITOR1 input
R1(config-if)#ip flow monitor MONITOR1 output
R1(config-if)#^Z
R1#
*Jul  2 23:58:42.191: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run int f0/0
Building configuration...

Current configuration : 201 bytes
!
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0
 ip flow monitor MONITOR1 input
 ip flow monitor MONITOR1 output
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
end
The monitor sits on Fa0/0, the inside (pre-NAT) interface, so the cache shows the real LAN hosts (172.16.2.123, and the collector itself at 172.16.2.222) talking to Internet addresses; on Fa0/1 every outbound flow would instead carry the single NAT address. Each direction of a conversation is a separate unidirectional entry, and nearly all entries so far have aged out on the 15 s inactive timeout:

R1#sh flow monitor MONITOR1 cache format table
  Cache type:                               Normal
  Cache size:                                 4096
  Current entries:                              32
  High Watermark:                               75

  Flows added:                                 289
  Flows aged:                                  257
    - Active timeout      (   300 secs)          0
    - Inactive timeout    (    15 secs)        257
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0

IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT       bytes        pkts
===============  ===============  =============  =============  ==========  ==========
172.16.2.123     52.69.69.136             63439            443        2952          38
172.16.2.123     52.69.69.136             63438            443        2952          38
172.16.2.123     108.177.97.189           60105            443       17130          90
172.16.2.123     52.69.69.136             63446            443        3789          52
52.69.69.136     172.16.2.123               443          63446        4601          33
172.16.2.123     45.121.186.11            53377          27018        3104          29
172.16.2.123     52.69.69.136             63447            443        3789          52
52.69.69.136     172.16.2.123               443          63447        4603          33
108.177.97.189   172.16.2.123               443          60105       11437         123
52.69.69.136     172.16.2.123               443          63438        6921          25
52.69.69.136     172.16.2.123               443          63439        5972          24
172.16.2.123     202.229.2.123            50647            443      222476        4745
202.229.2.123    172.16.2.123               443          50647     7643800        5323
172.16.2.123     54.239.28.81             50650            443      118006         152
54.239.28.81     172.16.2.123               443          50650       35116          83
172.16.2.123     172.217.26.3             52378            443        2010           6
172.217.26.3     172.16.2.123               443          52378        1959           7
172.16.2.123     192.168.10.21            50674             80         156           3
172.16.2.123     108.177.97.189           63539            443        1046           6
108.177.97.189   172.16.2.123               443          63539         959           8
45.121.186.11    172.16.2.123             27018          53377         208           2
172.16.2.222     91.189.89.199            54279            123          76           1
91.189.89.199    172.16.2.222               123          54279          76           1
172.16.2.123     108.177.97.125           63783           5222          70           1
108.177.97.125   172.16.2.123              5222          63783          40           1
172.16.2.123     192.168.10.21            50675             80         156           3
172.16.2.123     8.8.8.8                  55467             53          83           1
172.16.2.123     52.229.174.29            50676            443        1946          15
52.229.174.29    172.16.2.123               443          50676        7588          11
52.229.172.222   172.16.2.123               443          50659          40           1
108.177.97.125   172.16.2.123              5222          63414          62           1
172.16.2.123     108.177.97.125           63414           5222          40           1

Creating and Applying a Flow Sampler

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#sampler SAMPLER1
R1(config-sampler)#mode random 1 out-of 2
R1(config-sampler)#exit
R1(config)#int f0/0
R1(config-if)#ip flow monitor MONITOR1 sampler SAMPLER1 input
% Flow Monitor: Flow Monitor 'MONITOR1' is already on in full mode and cannot be enabled with a sampler.
R1(config-if)#ip flow monitor MONITOR1 sampler SAMPLER1 output
% Flow Monitor: Flow Monitor 'MONITOR1' is already on in full mode and cannot be enabled with a sampler.

The previous full-mode application of MONITOR1 is still on the interface, so remove it first and re-apply the monitor with the sampler.

R1(config-if)#no ip flow monitor MONITOR1 input
R1(config-if)#no ip flow monitor MONITOR1 output
R1(config-if)#ip flow monitor MONITOR1 sampler SAMPLER1 input
R1(config-if)#ip flow monitor MONITOR1 sampler SAMPLER1 output
R1(config-if)#^Z
R1#
*Jul  3 00:07:53.883: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run int f0/0
Building configuration...

Current configuration : 235 bytes
!
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0
 ip flow monitor MONITOR1 sampler SAMPLER1 input
 ip flow monitor MONITOR1 sampler SAMPLER1 output
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
end

R1#sh run | sec sampler SAMPLER1
sampler SAMPLER1
 mode random 1 out-of 2
 ip flow monitor MONITOR1 sampler SAMPLER1 input
 ip flow monitor MONITOR1 sampler SAMPLER1 output
R1#sh sampler SAMPLER1
Sampler SAMPLER1:
  ID:             -1380704404
  export ID:      1
  Description:    User defined
  Type:           random
  Rate:           1 out of 2
  Samples:        4943
  Requests:       9884
  Users (2):
    flow monitor MONITOR1 (ip,Fa0/0,Input)   2453 out of 4905
    flow monitor MONITOR1 (ip,Fa0/0,Output)  2490 out of 4979
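The cache table and the sampler counters are the two outputs a security analyst usually ends up post-processing by hand. The following added Python example (my own code, not from the page or from ElastiFlow) parses the `show flow monitor ... cache format table` output, pairs each entry with its reverse direction so that one-sided conversations stand out, and scales counters back up using the Samples/Requests ratio from `show sampler`. The embedded rows are copied from the full-mode cache output earlier on this page; the scaling step shows what a collector has to do once SAMPLER1 is in place.

```python
"""Post-process `show flow monitor ... cache format table` output and sampled counters.

Added example, not code from the page or from ElastiFlow. CACHE_TABLE holds
rows copied from the full-mode cache output on this page; the sampler numbers
used in the demo are the Samples/Requests pair from `show sampler SAMPLER1`.
"""
import re
from collections import defaultdict

CACHE_TABLE = """\
IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT       bytes        pkts
===============  ===============  =============  =============  ==========  ==========
172.16.2.123     202.229.2.123            50647            443      222476        4745
202.229.2.123    172.16.2.123               443          50647     7643800        5323
172.16.2.123     8.8.8.8                  55467             53          83           1
172.16.2.222     91.189.89.199            54279            123          76           1
91.189.89.199    172.16.2.222               123          54279          76           1
"""

# One data row: two dotted quads, then four integers. Header and === lines do not match.
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_cache_table(text):
    """Turn the table into a list of unidirectional flow dicts."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            src, dst, sport, dport, nbytes, npkts = m.groups()
            flows.append({"src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
                          "bytes": int(nbytes), "pkts": int(npkts)})
    return flows


def pair_conversations(flows):
    """Group entries by unordered endpoint pair; each value has a 'fwd' and a 'rev' slot
    (fwd = the entry whose source is the lexically smaller (addr, port) endpoint)."""
    convs = defaultdict(lambda: {"fwd": None, "rev": None})
    for f in flows:
        a, b = (f["src"], f["sport"]), (f["dst"], f["dport"])
        key = tuple(sorted((a, b)))
        convs[key]["fwd" if key[0] == a else "rev"] = f
    return dict(convs)


def one_sided(convs):
    """Conversations where only one direction was in the cache: the classic sign of a
    scan or a blocked reply, or simply the other half having aged out already."""
    return [key for key, d in convs.items() if d["fwd"] is None or d["rev"] is None]


def byte_ratio(conv):
    """Bytes sent by the larger endpoint divided by bytes sent by the smaller one,
    or None for a one-sided conversation. Large values flag bulk downloads."""
    f, r = conv["fwd"], conv["rev"]
    if f is None or r is None or f["bytes"] == 0:
        return None
    return r["bytes"] / f["bytes"]


def scale_sampled(flow, samples, requests):
    """Estimate full-rate counters for an entry collected under a random sampler,
    using the observed rate (Samples / Requests from `show sampler`) rather than
    the nominal 1 out-of 2, since the realised ratio drifts slightly."""
    if samples <= 0:
        raise ValueError("sampler has not taken any samples yet")
    factor = requests / samples
    return {**flow, "pkts_est": round(flow["pkts"] * factor),
            "bytes_est": round(flow["bytes"] * factor)}


if __name__ == "__main__":
    flows = parse_cache_table(CACHE_TABLE)
    convs = pair_conversations(flows)
    for key, conv in convs.items():
        print(key, "byte ratio:", byte_ratio(conv))
    print("one-sided:", one_sided(convs))
    # Samples / Requests from `show sampler SAMPLER1` above: 4943 / 9884.
    print(scale_sampled(flows[2], 4943, 9884))
```

Two caveats when relying on this. First, a collector only knows the sampling rate if the exporter tells it, so with a sampler in use add option sampler-table (and option interface-table for ifindex names) under the flow exporter; otherwise the exported packet and byte counts are simply half of reality with nothing to indicate it. Second, a 1-out-of-2 random sampler sees a one-packet flow, such as the DNS query to 8.8.8.8 in the table, only half the time, so sampling trades away exactly the low-volume scans and beacons that detection cares about; on a link this small, full mode is the better choice, and sampling belongs on links where the CPU cannot keep up.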

Check the NetFlow Collector

Maybe it is too early after starting Flexible NetFlow monitoring, so there is no fully analyzed view yet, or ElastiFlow is not ready for Flexible NetFlow.
That is not much fun.

References

tech/network/cisco/flexible-netflow/flexible-netflow.txt · Last modified: 2018/07/03 09:16 by wnoguchi