Config NetFlow

Lab ID: 9.9K1013A210.SAI2.1

Stand-Alone Lab: NetFlow

Objective

In this lab, you will learn the basic commands to configure NetFlow on a Cisco router and to verify an existing NetFlow configuration.

Lab Topology

The topology diagram below represents the NetMap in the Simulator.

[Topology diagram: Router1, Router2, Router3, Switch1, Switch2]

Command Summary

Command                                        Description
configure terminal                             enters global configuration mode from privileged EXEC mode
enable                                         enters privileged EXEC mode
end                                            ends and exits configuration mode
exit                                           exits one level in the menu structure
interface type number                          changes from global configuration mode to interface configuration mode
ip flow egress                                 enables NetFlow for outbound traffic on an interface
ip flow ingress                                enables NetFlow for inbound traffic on an interface
ip flow-export destination ip-address port     specifies the IP address and destination port for exported NetFlow records
ip flow-export version [1 | 5 | 9]             specifies the format of exported NetFlow records
show ip cache flow                             displays basic NetFlow statistics
show ip flow export                            displays the NetFlow data export configuration
show ip flow interface                         displays the NetFlow configuration for each interface
show running-config                            displays the active configuration file

Boson NetSim Lab Manual

The IP addresses and subnet masks used in this lab are shown in the table below (Router1's addresses match the sample configuration script at the end of this lab):

IP Addresses

Device     Interface           IP Address      Subnet Mask
Router1    FastEthernet 0/0    192.168.2.2     255.255.255.0
           FastEthernet 0/1    10.10.10.1      255.255.255.0
Router2    FastEthernet 0/0    172.16.10.1     255.255.255.0
           FastEthernet 0/1    192.168.1.2     255.255.255.0
Router3    FastEthernet 0/0    192.168.2.1     255.255.255.0
           FastEthernet 0/1    192.168.1.1     255.255.255.0

Lab Tasks

Task 1: Learn NetFlow Configuration Commands

This task introduces you to various commands used to configure the NetFlow feature on a Cisco router.

1. For what purpose would you typically use the Cisco NetFlow feature on a router? ________________

2. What is a drawback to using the NetFlow feature? ________________

3. Configure NetFlow for inbound traffic on the FastEthernet 0/0 interface of Router1.

4. Configure NetFlow for outbound traffic on the FastEthernet 0/1 interface of Router1.

5. What is the default NetFlow data export format on Cisco routers? ________________

6. Configure Router1 with the highest supported version format for NetFlow export data.

7. Where is the data collected by NetFlow stored? ________________

8. Configure Router1 to export NetFlow data records to a NetFlow collector with an IP address of 1.2.3.4 listening on port 9999.

9. Configure Router1 to export NetFlow data records to a NetFlow collector with an IP address of 4.3.2.1 listening on SCTP port 8888.

Task 2: Verify a NetFlow Configuration

This task introduces you to the basic show commands used to verify a NetFlow configuration on a Cisco router.

1. On Router1, view a summary output of the basic NetFlow configuration on each interface. Which interfaces are configured to monitor inbound traffic with NetFlow? ________________

2. On Router1, check the NetFlow data export format. Which data export format is being used? ________________

3. How many NetFlow collector addresses are configured? ________________

4. On Router1, display the NetFlow statistics that include the number of flows per protocol and the source and destination IP addresses associated with each flow. How many Transmission Control Protocol (TCP)-World Wide Web (WWW) flows are there? How many packets have been transmitted between the 10.10.10.2 and 172.16.10.4 IP addresses? ________________


Lab Solutions

Task 1: Learn NetFlow Configuration Commands

1. You would typically use the Cisco NetFlow feature to capture statistics about the network traffic flows that pass through a router. In general terms, Cisco treats a series of packets as a flow if they share at least the same source and destination IP addresses; NetFlow itself keys a flow on a unidirectional series of packets that share all of the following fields:

   • Source IP address
   • Destination IP address
   • Protocol number
   • Source protocol port
   • Destination protocol port
   • Type of Service (ToS) bits
   • Associated (input) interface

   Note: You can configure NetFlow to monitor either ingress or egress traffic on an interface.

2. A drawback to the NetFlow feature is that, depending on the hardware platform and the number of simultaneous traffic flows, enabling NetFlow can be very processor-intensive and can have a large impact on device performance. Therefore, on most hardware platforms NetFlow should be enabled only where it is required.

3. You should issue the following commands to configure NetFlow for inbound traffic on Router1's FastEthernet 0/0 interface:

   Router1>enable
   Router1#configure terminal
   Router1(config)#interface fastethernet 0/0
   Router1(config-if)#ip flow ingress

4. You should issue the following commands to configure NetFlow for outbound traffic on the FastEthernet 0/1 interface:

   Router1(config-if)#interface fastethernet 0/1
   Router1(config-if)#ip flow egress

5. By default, NetFlow data is exported using version 1, but Cisco recommends that you change the export version to the highest version supported by your NetFlow collector. Most NetFlow devices support export versions 1, 5, and 9.


6. You should use the context-sensitive help to determine the NetFlow export data formats supported by Router1. The following output from the ip flow-export version ? command reveals that Router1 supports export versions 1, 5, and 9:

   Router1(config-if)#exit
   Router1(config)#ip flow-export version ?
     1
     5
     9

   You should then issue the following command to specify version 9, which is the highest version format for NetFlow export data that Router1 supports:

   Router1(config)#ip flow-export version 9

7. By default, the data gathered by NetFlow is stored locally in the NetFlow cache (dedicated NetFlow tables) on each configured device. You can access the information stored in the NetFlow tables of a device by issuing the appropriate NetFlow-related show commands from privileged EXEC mode. Alternatively, you can configure the device to export NetFlow statistics to a central location, which is referred to as a NetFlow collector.

8. You should issue the following command on Router1 to export NetFlow data records to a NetFlow collector with an IP address of 1.2.3.4 listening on port 9999:

   Router1(config)#ip flow-export destination 1.2.3.4 9999

9. Although NetFlow records are exported as User Datagram Protocol (UDP) datagrams by default, some platforms support Stream Control Transmission Protocol (SCTP) as an alternate transport protocol. UDP export is fire-and-forget: the exporter never learns whether a datagram reached the collector, which is the reliability gap SCTP closes. You can use the sctp keyword with the ip flow-export destination command to specify that SCTP should be used instead of UDP to transmit NetFlow data. You should issue the following command to specify a NetFlow collector with an IP address of 4.3.2.1 that is listening for NetFlow data on SCTP port 8888:

   Router1(config)#ip flow-export destination 4.3.2.1 8888 sctp
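The following Python program is an added example, not part of this lab manual and not Cisco's software. It builds and decodes a NetFlow version 5 export datagram of the kind the collector configured in steps 8 and 9 would receive, and it shows the check a collector should apply before trusting one: v5 export over UDP carries no authentication, so the collector accepts datagrams only from exporter addresses it already knows. The header and record layout are assumed from Cisco's published v5 format; the flow values, the loopback addresses and the allowed-exporter set are constructed for the demonstration.

```python
# Added example (not from the Boson lab or Cisco): encode/decode NetFlow v5
# export datagrams and gate a collector on the exporter's source address.
# Layout assumed from Cisco's published v5 format: 24-byte header, then
# 1..30 fixed 48-byte records, all fields big-endian.
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask,
# dst_mask, pad2
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int = 0
    in_if: int = 0
    out_if: int = 0


def build_v5_datagram(records: List[FlowRecord], uptime_ms: int = 0,
                      unix_secs: int = 0, flow_sequence: int = 0) -> bytes:
    """Encode records as one exporter datagram (a single UDP payload)."""
    if not 1 <= len(records) <= MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            int(ipaddress.IPv4Address(r.src)), int(ipaddress.IPv4Address(r.dst)),
            0,                            # nexthop (unused here)
            r.in_if, r.out_if, r.packets, r.octets,
            uptime_ms, uptime_ms,         # first/last seen, sysuptime ms
            r.sport, r.dport,
            0, r.tcp_flags, r.proto, 0,   # pad1, tcp_flags, prot, tos
            0, 0, 0, 0, 0)                # src_as, dst_as, masks, pad2
        for r in records)
    return header + body


def parse_v5_datagram(data: bytes) -> Tuple[int, List[FlowRecord]]:
    """Decode one datagram; reject any whose length disagrees with its header."""
    if len(data) < V5_HEADER.size:
        raise ValueError("truncated v5 header")
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not a v5 export (version field {version})")
    if count > MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"record count {count} does not match length {len(data)}")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(f[0])), dst=str(ipaddress.IPv4Address(f[1])),
            proto=f[13], sport=f[9], dport=f[10], packets=f[5], octets=f[6],
            tcp_flags=f[12], in_if=f[3], out_if=f[4]))
    return seq, records


def flows_per_protocol(records: Iterable[FlowRecord]) -> Dict[str, int]:
    """Flow count per protocol, like the first column of `show ip cache flow`."""
    counts: Dict[str, int] = {}
    for r in records:
        name = IP_PROTO.get(r.proto, f"proto-{r.proto}")
        counts[name] = counts.get(name, 0) + 1
    return counts


def accept_export(exporter_ip: str, data: bytes,
                  allowed_exporters: Set[str]) -> Optional[Tuple[int, List[FlowRecord]]]:
    """v5 over UDP carries no authentication, so drop datagrams from any
    source that is not a known exporter before decoding them."""
    if exporter_ip not in allowed_exporters:
        return None
    return parse_v5_datagram(data)


def loopback_demo(port: int = 9999) -> Dict[str, int]:
    """Round-trip one datagram over loopback UDP, as the lab's collector on
    port 9999 would receive it. Flow values are constructed."""
    flows = [FlowRecord("10.10.10.2", "172.16.10.4", 6, 51234, 80, 40, 1600, tcp_flags=0x1B),
             FlowRecord("10.10.10.3", "172.16.10.6", 17, 67, 67, 52, 1456)]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as exporter:
        collector.bind(("127.0.0.1", port))
        exporter.sendto(build_v5_datagram(flows, flow_sequence=418), ("127.0.0.1", port))
        data, (src, _) = collector.recvfrom(65535)
    result = accept_export(src, data, {"127.0.0.1"})
    return flows_per_protocol(result[1]) if result else {}


if __name__ == "__main__":
    print(loopback_demo())   # {'TCP': 1, 'UDP': 1}
```

Run it directly to round-trip one datagram over loopback UDP port 9999 and print the per-protocol flow count. The length check in parse_v5_datagram is the sanity test a collector needs before indexing into records: a datagram whose count field disagrees with its length is either corrupt or hostile, and the source-address allowlist in accept_export is the only filter the v5 format itself leaves room for.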

Task 2: Verify a NetFlow Configuration

1. The output from the following command displays a summary of the basic NetFlow configuration of each interface. The output shows that NetFlow is configured to monitor inbound flows on the FastEthernet 0/0 interface and outbound flows on the FastEthernet 0/1 interface:

   Router1(config)#end
   Router1#show ip flow interface
   FastEthernet0/0
     ip flow ingress
   FastEthernet0/1
     ip flow egress


2. You can issue the show ip flow export command to verify the NetFlow export format version on Router1. Additionally, the command output can be used to verify the IP address and port numbers of any configured NetFlow collectors. Output from the command issued on Router1 shows that NetFlow data is exported using version 9:

   Router1#show ip flow export
   Flow export v9 is enabled for main cache
     Export source and destination details :
     VRF ID : Default
       Destination(1)  1.2.3.4 (9999)
       Destination(2)  4.3.2.1 (8888) via SCTP
     Version 9 flow records
     418 flows exported in 4534 udp datagrams
     325 flows exported in 1864 sctp messages
     0 flows failed due to lack of export packet
     0 export packets were sent up to process level
     0 export packets were dropped due to no fib
     0 export packets were dropped due to adjacency issues
     0 export packets were dropped due to fragmentation failures
     0 export packets were dropped due to encapsulation fixup failures

3. The same show ip flow export output shows that two collectors have been configured. One collector has an IP address of 1.2.3.4 and is listening on UDP port 9999, whereas the other collector has an IP address of 4.3.2.1 and is listening on SCTP port 8888.


4. The show ip cache flow command displays NetFlow statistics that include the number of flows per protocol and the source and destination IP addresses associated with each flow. The command output displays a variety of statistics, including the number of flows for each protocol, the source and destination IP addresses for each flow, and the number of packets transmitted in each flow. Note that the Pr (protocol), SrcP and DstP columns are printed in hexadecimal. You should issue the show ip cache flow command on Router1 to determine the number of flows and packets transmitted between devices. In the sample output below, there are 83 TCP-WWW flows. In addition, 40 packets have been transmitted between the 10.10.10.2 and 172.16.10.4 IP addresses. Sample output is shown below; your output may vary:

   Router1#show ip cache flow
   IP packet size distribution (1103746 total packets):
      1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
      .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

       512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
      .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000

   IP Flow Switching Cache, 278544 bytes
     35 active, 4061 inactive, 980 added
     2921778 ager polls, 0 flow alloc failures
     Active flows timeout in 30 minutes
     Inactive flows timeout in 15 seconds
   IP Sub Flow Cache, 21640 bytes
     0 active, 1024 inactive, 0 added, 0 added to flow
     0 alloc failures, 0 force free
     1 chunk, 1 chunk added
     last clearing of statistics never
   Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
   --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
   TCP-WWW             83      0.0      1321    40      1.5    1200.1       0.8
   TCP-NTP            127      0.0      1203    40      0.6    1200.1       0.7
   TCP-other          337      0.0      1220    40      4.7    1201.4       0.8
   UDP-TFTP            17      0.0      1213    28      0.5    1199.4       1.0
   UDP-other          138      0.0      1117    28      2.1    1199.5       0.9
   ICMP               125      0.0      1133   418      2.1    1199.4       0.8
   Total:             915      0.0      1166    91     22.4    1799.6       0.8

   SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
   Fa0/0         10.10.10.2      Fa0/1         172.16.10.4     01 0000 0C01    40
   Fa0/0         10.10.10.3      Fa0/1         172.16.10.6     11 0043 0043    52
   Fa0/0         10.10.10.5      Fa0/1         172.16.10.7     11 0045 0045    53
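As an added example (not from the lab manual), the Python program below parses the protocol summary and the flow entries from show ip cache flow text to answer question 4 without reading the table by hand, and decodes the hexadecimal Pr, SrcP and DstP columns into protocol names, ports and, for ICMP, type and code. The text embedded in it is the table portion of the sample output above; the regular expressions are an assumption about that layout and may need adjusting for other IOS releases.

```python
# Added example (not from the Boson lab): parse `show ip cache flow` text to
# answer Task 2, question 4. SAMPLE is the protocol and flow table part of the
# lab's sample output; the regexes are an assumption about that layout.
import re
from typing import Dict, List

SAMPLE = """\
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW             83      0.0      1321    40      1.5    1200.1       0.8
TCP-NTP            127      0.0      1203    40      0.6    1200.1       0.7
TCP-other          337      0.0      1220    40      4.7    1201.4       0.8
UDP-TFTP            17      0.0      1213    28      0.5    1199.4       1.0
UDP-other          138      0.0      1117    28      2.1    1199.5       0.9
ICMP               125      0.0      1133   418      2.1    1199.4       0.8
Total:             915      0.0      1166    91     22.4    1799.6       0.8

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.10.10.2      Fa0/1         172.16.10.4     01 0000 0C01    40
Fa0/0         10.10.10.3      Fa0/1         172.16.10.6     11 0043 0043    52
Fa0/0         10.10.10.5      Fa0/1         172.16.10.7     11 0045 0045    53
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Summary rows: name, total flows, flows/sec, packets/flow, bytes/pkt, packets/sec
PROTO_LINE = re.compile(
    r"^(?P<name>[A-Za-z]+(?:-[A-Za-z]+)?)\s+(?P<flows>\d+)\s+[\d.]+\s+"
    r"(?P<pkts_per_flow>\d+)\s+(?P<bytes_per_pkt>\d+)\s+(?P<pkts_per_sec>[\d.]+)")
# Cache entries: interfaces, addresses, then Pr/SrcP/DstP in hex and a packet count
FLOW_LINE = re.compile(
    rf"^(?P<src_if>\S+)\s+(?P<src>{IPV4})\s+(?P<dst_if>\S+)\s+(?P<dst>{IPV4})\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+"
    r"(?P<pkts>\d+)\s*$")
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_protocol_table(text: str) -> Dict[str, Dict[str, int]]:
    """Per-protocol summary rows keyed by name; the 'Total:' row is skipped."""
    table: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = PROTO_LINE.match(line)
        if m:
            table[m["name"]] = {"flows": int(m["flows"]),
                                "pkts_per_flow": int(m["pkts_per_flow"]),
                                "bytes_per_pkt": int(m["bytes_per_pkt"])}
    return table


def parse_flow_entries(text: str) -> List[dict]:
    """Individual cache entries with the hex columns decoded."""
    flows = []
    for line in text.splitlines():
        m = FLOW_LINE.match(line)
        if not m:
            continue
        proto, sp, dp = int(m["pr"], 16), int(m["sp"], 16), int(m["dp"], 16)
        entry = {"src_if": m["src_if"], "src": m["src"], "dst_if": m["dst_if"],
                 "dst": m["dst"], "proto": proto,
                 "proto_name": IP_PROTO.get(proto, str(proto)),
                 "packets": int(m["pkts"])}
        if proto == 1:
            # For ICMP, IOS prints type*256 + code in the DstP column, not a port.
            entry["icmp_type"], entry["icmp_code"] = dp >> 8, dp & 0xFF
        else:
            entry["sport"], entry["dport"] = sp, dp
        flows.append(entry)
    return flows


def packets_between(flows: List[dict], a: str, b: str) -> int:
    """Packets in cache entries between two hosts, counted in either direction."""
    return sum(f["packets"] for f in flows if {f["src"], f["dst"]} == {a, b})


def answer_task2_q4(text: str) -> Dict[str, int]:
    """The two numbers question 4 asks for, taken from the parsed output."""
    table = parse_protocol_table(text)
    flows = parse_flow_entries(text)
    return {"tcp_www_flows": table["TCP-WWW"]["flows"],
            "packets_10_10_10_2_172_16_10_4":
                packets_between(flows, "10.10.10.2", "172.16.10.4")}


if __name__ == "__main__":
    print(answer_task2_q4(SAMPLE))  # {'tcp_www_flows': 83, 'packets_10_10_10_2_172_16_10_4': 40}
```

The decoded entries make the hex columns readable: the first entry is ICMP (Pr 01) with DstP 0C01 meaning type 12, code 1, while the UDP entries (Pr 11) are port 67 (0043) and port 69 (0045), which is why the summary table lists UDP-TFTP flows.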


Sample Configuration Script

Router1

Router1#show running-config
Building configuration...

Current configuration : 976 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router1
!
ip subnet-zero
!
ip cef
no ip domain-lookup
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 clock rate 64000
 shutdown
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 ip flow ingress
 no ip directed-broadcast
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip flow egress
 no ip directed-broadcast
!
router eigrp 10
 network 10.10.10.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 no auto-summary
!
ip classless
no ip http server
!
ip flow-export version 9
ip flow-export destination 1.2.3.4 9999
ip flow-export destination 4.3.2.1 8888 sctp
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
end

Copyright © 1996–2013 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.
