Cisco NetFlow

Uploaded by

Abhishek garg
20/08/2023, 11:47 Introduction to Cisco NetFlow
https://networklessons.com/cisco/ccnp-encor-350-401/introduction-to-cisco-netflow

Introduction to Cisco NetFlow

Lesson Contents
1. Configuration
2. Verification
2.1. Cisco IOS Router
2.2. Ntop Server
3. Conclusion

Network management protocols like SNMP allow us to monitor our network. We can check things like CPU load, memory usage, interface status and even the load of an interface. Other tools like NBAR allow us to see what kind of protocols are used.

One of the things we can't do with those tools is tracking all flows in our network. A flow is a stream of packets that share the same characteristics like source/destination port, source/destination address, protocol, type, service marking, etc.

NetFlow allows us to track these flows on our network. We can use this information to solve problems like bottlenecks, identify what applications are used, how much bandwidth they use etc. For each of the flows, NetFlow will track the number of packets sent, bytes sent, packet sizes and more.

You can configure your router to keep track of all flows and then export them to a central server where we analyze our traffic. In this lesson I will show you how to configure NetFlow on a Cisco IOS router and we will take a look at a NetFlow server.

1. Configuration

This is the topology we will use:

[Figure: network topology]

On the left side we have a host that will be browsing the Internet through R1. At the bottom there's a ntop server. This is open source traffic analysis software that supports NetFlow so if you want to give this a try, it's worth checking out. Configuring ntop is outside the scope of this lesson so I'll focus on how to configure the router. First we have to specify the server:

R1(config)#ip flow-export destination 192.168.1.1 2055

The router will export all flows to 192.168.1.1 with destination UDP port 2055. NetFlow supports multiple versions so if you want to use a specific version, here's how to do it:

R1(config)#ip flow-export version 9

I will configure the router to use version 9. Optionally, we can configure what interface the router should use to source the updates from:

R1(config)#ip flow-export source FastEthernet 0/0

The last thing we have to do is tell the router on what interfaces to track the flows:

R1(config)#interface FastEthernet 0/1
R1(config-if)#ip route-cache flow

I will use the ip route-cache flow command for this. When you use this command, it will track all ingress flows on the physical and all sub-interfaces. You can also use the ip flow egress or ip flow ingress commands if you only want to enable it on one sub-interface or in one direction.

2. Verification

2.1. Cisco IOS Router

On our router we can check a couple of things to see if NetFlow is working. Here's the first command:

R1#show ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       192.168.1.254 (FastEthernet0/0)
    Destination(1)  192.168.1.1 (2055)
  Version 9 flow records
  433 flows exported in 28 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

Above you can see the version of NetFlow, the source, destination and how many flows have been exported. With the next command you can see some information about the flows:

R1#show ip cache flow
IP packet size distribution (98496 total packets):
IP Flow Switching Cache, 278544 bytes
  37 active, 4059 inactive, 680 added
  10154 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
[Rest of the output is not legible in this copy: the packet size distribution values, the per-protocol statistics (flows: TCP-WWW 262, TCP-other 153, UDP-other 228, Total 643) and the per-flow table with the columns SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts.]

Above you can see some of the flows. The output above is useful to check if NetFlow is working on the router but it's far more interesting to look at the flows on the external server.

2.2. Ntop Server

To show you what makes NetFlow so useful, let me show you some screenshots of Ntop. Here you can see the top talkers of all flows:

[Screenshot: Ntop "Top Talkers: Last Hour" with Top Senders and Top Receivers]

Ntop can also show you the network load:

[Screenshot: Ntop "Last 10 Minutes Throughput" graph, Fri Jul 24 13:50:46 2015 through now]

You can also see the throughput for each application:

[Screenshots: Ntop per-application throughput graphs and a "Network Load" panel. Legible values: Actual 704.0 bit/s, 0.2 Pkt/s; Last Minute 706.0 bit/s, 0.2 Pkt/s; Last 5 Minutes 1.0 Mbit/s, 98.8 Pkt/s; Peak 3648.1 Pkt/s; Average 257.5 Pkt/s.]

You can also see the different packet sizes that are used in your flows:

[Screenshot: Ntop packet size table]
Average                      1,251 bytes
Longest                      1,499 bytes
Size <= 64 bytes             0.2%    591
64 < Size <= 128 bytes       0.2%    592
128 < Size <= 256 bytes      0.6%    1,713
256 < Size <= 512 bytes      0.9%    2,546
512 < Size <= 1024 bytes     1.5%    4,390
1024 < Size <= 1518 bytes    97.2%   287,212
Size > 1518 bytes            0.0%    0

3. Conclusion

NetFlow is a great protocol to get an insight in your network traffic. It's the equivalent of a "phone bill" that specifies all calls that were made, where these calls took place, the duration, etc. Only this time, we are tracking all IP packets on the network.

Want to take a look for yourself? Here you will find the final configuration of R1.

R1

hostname R1
!
ip flow-export destination 192.168.1.1 2055
ip flow-export version 9
ip flow-export source FastEthernet 0/0
!
interface FastEthernet 0/0
 ip address 192.168.1.254 255.255.255.0
interface FastEthernet 0/1
 ip route-cache flow

I hope this lesson has been useful, if you have any questions feel free to leave a comment in our forum!

Forum Replies

chris.m.chavez
Rene,
Hello, This looks great! Does NetFlow run on ASA?
Thanks,
Chris

chris.m.chavez
Rene,
Hello, I found it, looks like this could be a nice setup.
Chris

ReneMolenaar
Hi Chris,
Good to hear you found it, the ASA supports NetFlow.
Rene

Rene,
Great lesson however, I have a question.
F0/0 is for updates, which means all the stats will be sent to the server through F0/0 for all the interfaces where we configure NetFlow. Can we use a loopback for updates or does it have to be a physical interface?
F0/1 is an example where we configure NetFlow; it means all the stats on this interface will be sent to the server through F0/0. Please clarify.
Thanks
Hamood

ReneMolenaar
Hi Hamood,
You can use a loopback and yes, that would be a good idea because of this reason.
Rene

© 2013 - 2023 NetworkLessons.com
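The configuration in this lesson has R1 export NetFlow version 9 to UDP port 2055 on the collector. As an added example (not from the lesson and not ntop's code), this Python code decodes a v9 export datagram the way a collector has to: template FlowSets first, then data records laid out by those templates. The sample datagram and its addresses, ports and counters are constructed; the field type numbers are those of RFC 3954.

```python
import socket
import struct

# Field type numbers from RFC 3954 (NetFlow v9) used by the sample template.
FIELDS = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
          8: "src_addr", 11: "dst_port", 12: "dst_addr"}
SAMPLE = bytes.fromhex(
    "00090002000003e864bb5a800000000100000000"  # constructed header: v9, source_id 0
    "0000002401000007" "00080004000c000400070002000b0002000400010002000400010004"
    "0100001c" "cb00710a0a3866290050c21a060000002e0000c822000000")  # one padded record

def decode(record, spec):
    """Turn one fixed-length data record into a dict using its template."""
    flow, pos = {}, 0
    for ftype, length in spec:
        raw, pos = record[pos:pos + length], pos + length
        ip = ftype in (8, 12) and length == 4
        flow[FIELDS.get(ftype, f"field_{ftype}")] = (
            socket.inet_ntoa(raw) if ip else int.from_bytes(raw, "big"))
    return flow

def parse_v9(datagram, templates):
    """Decode a v9 export datagram; `templates` persists between datagrams."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte v9 header")
    version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", datagram)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    flows, off = [], 20
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("FlowSet length runs past the datagram")
        body = datagram[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet: remember each record layout
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if tid < 256 or n == 0 or pos + 4 + 4 * n > len(body):
                    break  # padding or truncated template
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
                pos += 4 + 4 * n
        elif (source_id, fs_id) in templates:  # data FlowSet with a known layout
            spec = templates[(source_id, fs_id)]
            size = sum(length for _, length in spec) or len(body) + 1  # 0 bytes: skip
            for pos in range(0, len(body) - size + 1, size):
                flows.append(decode(body[pos:pos + size], spec))
        off += fs_len
    return flows
```

Templates are keyed by source ID only; a collector that receives from several routers should also key them by exporter address. Because the export is unauthenticated UDP, the collector should accept datagrams only from known exporter addresses.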
