Saturday, February 22, 2020

Introduction to Cisco NetFlow

Network management protocols like SNMP allow us to monitor our network. We can check things like cpu load, memory usage, interface status and even the load of an interface. Other tools like NBAR allow us to see what kind of protocols are used.
One of the things we can’t do with those tools is tracking all flows in our network. A flow is a stream of packets that share the same characteristics like source/destination port, source/destination address, protocol, type, service marking, etc.
NetFlow allows us to track these flows on our network. We can use this information to solve problems like bottlenecks, identify what applications are used, how much bandwidth they use etc.
For each of the flows, NetFlow will track the number of packets sent, bytes sent, packet sizes and more. You can configure your router to keep track of all flows and then export them to a central server where we analyze our traffic.
In this lesson I will show you how to configure NetFlow on a Cisco IOS router and we will take a look at a NetFlow server.

Configuration

This is the topology we will use:
cisco netflow topology
On the left side we have a host that will be browsing the Internet through R1. At the bottom there’s a ntop server.  This is open source traffic analysis software that supports NetFlow so if you want to give this a try, it’s worth checking out.
Configuring ntop is outside the scope of this lesson so I’ll focus on how to configure the router. First we have to specify the server:
R1(config)#ip flow-export destination 192.168.1.1 2055
The router will export all flows to 192.168.1.1 with destination UDP port 2055. NetFlow supports multiple versions so if you want to use a specific version, here’s how to do it:
R1(config)#ip flow-export version 9
I will configure the router to use version 9. Optionally, we can configure what interface the router should use to source the updates from:
R1(config)#ip flow-export source FastEthernet 0/0
The last thing we have to do is tell the router on what interfaces to track the flows:
R1(config)#interface FastEthernet 0/1
R1(config-if)#ip route-cache flow
I will use the ip route-cache flow command for this. When you use this command, it will track all flows on the physical and all sub-interfaces. You can also use the ip flow egress or ip flow ingress commands if you only want to enable it on one sub-interface or in one direction.
Everything is now in place, let’s verify our work.

Verification

Cisco IOS Router

On our router we can check a couple of things to see if NetFlow is working. Here’s the first command:
R1#show ip flow export 
Flow export v9 is enabled for main cache
  Export source and destination details : 
  VRF ID : Default
    Source(1)       192.168.1.254 (FastEthernet0/0)
    Destination(1)  192.168.1.1 (2055) 
  Version 9 flow records
  433 flows exported in 28 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
Above you can see the version of NetFlow, the source, destination and how many flows have been exported. With the next command you can see some information about the flows:
R1#show ip cache flow
IP packet size distribution (98406 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .013 .000 .001 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .010 .966 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  37 active, 4059 inactive, 680 added
  10154 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  37 active, 987 inactive, 680 added, 680 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW            262      0.1       360  1479     41.1       3.2       8.6
TCP-other          153      0.0        21  1014      1.4       2.5       9.2
UDP-other          228      0.0         1   153      0.0       0.0      15.4
Total:             643      0.2       152  1461     42.7       1.9      11.2

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         52.17.234.27    Fa0/0         10.56.102.41    06 0050 C1AA     1 
          
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         23.52.59.27     Fa0/0         10.56.102.41    06 0050 C21D     5 
Fa0/1         8.8.8.8         Local         10.56.102.41    11 0035 F244     1 
Fa0/1         185.54.150.17   Fa0/0         10.56.102.41    06 0050 C228     3 
Fa0/1         8.8.8.8         Local         10.56.102.41    11 0035 D424     1 
Fa0/1         8.8.8.8         Local         10.56.102.41    11 0035 D4C1     1 
Fa0/1         8.8.8.8         Local         10.56.102.41    11 0035 D4D4     1 
Fa0/1         8.8.8.8         Local         10.56.102.41    11 0035 C4F5     1 
Fa0/1         8.8.8.8         Local         10.56.102.41    11 0035 E92E     1 
Fa0/1         8.8.8.8         Local         10.56.102.41    11 0035 C93C     1 
Fa0/1         8.8.8.8         Local         10.56.102.41    11 0035 CD0E     1 
Fa0/1         31.22.80.141    Fa0/0         10.56.102.41    06 0050 C21F    46 
Fa0/1         31.22.80.141    Fa0/0         10.56.102.41    06 0050 C225    40 
Fa0/1         31.22.80.141    Fa0/0         10.56.102.41    06 0050 C224    36 
Fa0/1         31.22.80.141    Fa0/0         10.56.102.41    06 0050 C223    42 
Fa0/1         31.22.80.141    Fa0/0         10.56.102.41    06 0050 C222    48 
Fa0/1         31.22.80.141    Fa0/0         10.56.102.41    06 0050 C220    57 
Fa0/1         8.8.8.8         Local         10.56.102.41    11 0035 DDDA     1 
Fa0/1         74.125.71.138   Fa0/0         10.56.102.41    06 01BB C1FF     2 
Fa0/1         74.125.71.138   Fa0/0         10.56.102.41    06 01BB C21E     8 
Fa0/1         213.239.154.20  Fa0/0         10.56.102.41    06 01BB C21C     8 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C227     2 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C226     3 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C227     1 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C226     1 
          
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C221     3 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C221     4 
Fa0/1         213.239.154.20  Fa0/0         10.56.102.41    06 0050 C217    12 
Fa0/1         213.239.154.20  Fa0/0         10.56.102.41    06 0050 C217     3 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C219    42 
Fa0/1         213.239.154.20  Fa0/0         10.56.102.41    06 0050 C21B     3 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C21A    10 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C218    58 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C219    11 
Fa0/1         213.239.154.20  Fa0/0         10.56.102.41    06 0050 C21B     3 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C21A    92 
Fa0/1         213.239.154.21  Fa0/0         10.56.102.41    06 0050 C218     9 
Fa0/1         74.125.71.154   Fa0/0         10.56.102.41    06 0050 C229     4
Above you can see some of the flows. The output above is useful to check if NetFlow is working on the router but it’s far more interesting to look at the flows on the external server.

Ntop Server

To show you what makes Netflow so useful, let me show you some screenshots of Ntop. Here you can see the top talkers of all flows:
ntop top talkers
Ntop can also show you the network load:
ntop network statistics
You can also see the throughput for each application:
ntop applications
You can also see the different packet sizes that are used in your flows:
ntop network load
ntop packet sizes

Conclusion

NetFlow is a great protocol to get an insight in your network traffic. It’s the equivalent of a “phone bill” that specifies all calls that were made, where these calls took place, the duration, etc. Only this time, we are tracking all IP packets on the network.
hostname R1
!
ip flow-export destination 192.168.1.1 2055
ip flow-export version 9
ip flow-export source FastEthernet 0/0
!
interface FastEthernet 0/0
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet 0/1
 ip route-cache flow
!
end

I hope this lesson has been useful, if you have any questions feel free to leave a comment in our forum!

No comments:

Post a Comment