Netflow
Sunday, May 30, 2010
This article walks through a NetFlow configuration on a Cisco router and a PIX/ASA firewall so that NetFlow data from the router reaches a collector on the internal network.
Components Used
The information in this document is based on the following hardware and software versions:
• Cisco 3745 router, IOS version 12.3(17b) (network 192.168.10.0)
• PIX 525, software 7.0.3 (an ASA can also be used) (internal address 10.0.0.2)
• ManageEngine NetFlow Analyzer 6 (any NetFlow collector can be used)
In this example, let's start by configuring NetFlow on the Cisco router.
Cisco Router Configuration
Here the IP address of the router interface is 192.168.10.1.
Enabling NetFlow on an Interface
Enter global configuration mode on the router and issue the following commands on each interface on which you want to enable NetFlow:
interface {interface} {interface_number}
ip route-cache flow
bandwidth {kilobits}
exit
ip route-cache flow turns on NetFlow accounting for traffic entering that interface. Classic NetFlow on IOS 12.3 records ingress traffic only, so enable it on every interface that carries traffic you want to see, not just the one facing the collector. bandwidth sets the interface speed that the collector reads over SNMP to calculate utilisation, so it should match the real link speed.
Exporting NetFlow Data
Issue the following commands to export NetFlow data to the server on which NetFlow Analyzer is running:
ip flow-export destination {hostname|ip_address} 9996 (Exports the NetFlow cache entries to the collector. Use the IP address of the NetFlow Analyzer server, or the address the firewall publishes for it, together with the configured NetFlow listener port; the default is 9996. Export is plain UDP with no authentication or encryption, so keep the path between router and collector on trusted segments.)
ip flow-export source {interface} {interface_number} (Uses the address of this interface as the source of the exported datagrams. NetFlow Analyzer identifies the device by this address and sends its SNMP requests to it, so choose an interface the collector can reach.)
ip flow-export version 5 [peer-as | origin-as] (Sets the export format to version 5. IOS routers offer versions 1, 5 and 9; version 7 is a Catalyst switch format. The optional keyword selects whether the peer AS or the origin AS is recorded in the AS fields.)
ip flow-cache timeout active 1 (Breaks long-lived flows into 1-minute fragments. Any value from 1 to 60 minutes is allowed. At the default of 30 minutes a long transfer is reported as a single burst when it finally expires, which puts spikes in the traffic reports; set it to 1 minute so alerts and troubleshooting data reflect current traffic.)
ip flow-cache timeout inactive 15 (Exports flows that have stopped after 15 seconds without packets, which is the default. Any value from 10 to 600 seconds is allowed.)
snmp-server ifindex persist (Enables ifIndex persistence globally, so ifIndex values, and therefore the interface names shown in the collector, stay the same across device reboots.)
Save the configuration with write memory once these commands are in place.
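The complete router-side configuration, assembled from the interface and export commands above, as an added example that is not taken from the original post. It assumes the LAN-facing interface is FastEthernet0/0 at 192.168.10.1/24 and that the collector is reached at 192.168.10.10, the address the firewall is assumed to publish for the internal NetFlow Analyzer; both the interface name and that address are placeholders to adjust to your topology.

```cisco
! Added example, not the original post's configuration.
! Assumptions: FastEthernet0/0 is the 192.168.10.0/24 interface on the
! router, and 192.168.10.10 is the firewall's published (NAT) address
! for the internal NetFlow Analyzer. Replace both for your network.
configure terminal
 interface FastEthernet0/0
  ip address 192.168.10.1 255.255.255.0
  ip route-cache flow
  bandwidth 100000
  exit
 ! Source address the collector will see and poll over SNMP
 ip flow-export source FastEthernet0/0
 ip flow-export version 5
 ! Collector address (here the firewall's NAT address) and listener port
 ip flow-export destination 192.168.10.10 9996
 ! Expire long flows every minute, idle flows after 15 seconds
 ip flow-cache timeout active 1
 ip flow-cache timeout inactive 15
 snmp-server ifindex persist
 end
write memory
```

After this is applied, show ip flow export should list the destination and port configured above and a count of exported datagrams that rises over time; if the count stays at zero, no flows are being exported and the interface commands should be checked first.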
Issue the following commands in privileged EXEC mode (not configuration mode) to verify that NetFlow export has been configured correctly:
show ip flow export (Shows the current NetFlow export configuration, including the destination, port, version and the number of datagrams exported.)
show ip cache flow (Summarises the active flows and gives an indication of how much NetFlow data the device is exporting.)
The next step is to configure NAT on the ASA/PIX.
For the NetFlow export from the router to reach the NetFlow Analyzer on the internal network, the firewall has to publish the analyzer's address on the outside with a static NAT entry, and an access-list applied to the outside interface has to permit the NetFlow traffic (UDP to port 9996) from the router.
Apply the created access-list to the outside interface with access-group.
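The PIX 7.0 static NAT entry and access-list described above, as an added example that is not taken from the original post. It assumes the firewall's outside interface is on 192.168.10.0/24, that the NetFlow Analyzer itself is the internal host 10.0.0.2, that it is published on the outside as 192.168.10.10, and that the router exports from 192.168.10.1; all of these addresses and the access-list name outside_in are placeholders.

```cisco
! Added example, not the original post's configuration.
! Assumptions: collector is 10.0.0.2 inside, published outside as
! 192.168.10.10; the router exports from 192.168.10.1.
! Publish the internal collector on the outside network.
static (inside,outside) 192.168.10.10 10.0.0.2 netmask 255.255.255.255
!
! Open only UDP 9996 from the router's export address to the published
! collector address. Nothing else from the outside is permitted here.
access-list outside_in extended permit udp host 192.168.10.1 host 192.168.10.10 eq 9996
!
! Apply the list inbound on the outside interface.
access-group outside_in in interface outside
```

Keeping the rule to a single source host and a single UDP port matters because NetFlow v5 export carries no authentication: any host allowed through this rule could inject false flow records into the collector. To check the entry, show xlate should list 192.168.10.10 mapped to 10.0.0.2, and the hit count shown by show access-list outside_in should increase while the router is exporting.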
Now install the NetFlow Analyzer software and configure it to receive the NetFlow statistics from the external router.
Troubleshooting tips
Verify that NetFlow is working on the Cisco router (show ip flow export should show a rising count of exported datagrams).
Check that NAT is working on the firewall.
Check that the access-list is passing the NetFlow traffic (UDP port 9996 from the router).
To know more about NetFlow Analyzer and its configuration, follow this link: Netflow