So when we concluded the previous clip we asked the question: What was the device in the campus that was already keeping track of IP addresses and port numbers of traffic flowing through it? Well, of course, it's your campus core router or your campus border router. So let's have a look at how we go about deploying netflow on your campus infrastructure. Cisco netflow comes in several different versions. Version 5 is the most widely deployed but version 9 is the newest it's extensible and most importantly includes IPv6 support given most campuses these days have deployed the network's dual stack to support IPv4 and IPv6 network. Version 9 is important to find out what's going on on the network. The IETF standard which is based on netflow version 9 is called ipfix or ipflow information export there is also s flow which is commonly found on ethernet switches and then every other vendor will have their own version of netflow so Junipers for example is jflo we will use netflow in the rest of this presentation but there are many tools out there which will support multiple protocols so not just Cisco's netflow. So let's have a look at Cisco's netflow in detail. We mentioned earlier about unidirectional flows. We consider IPv4 unicast and multicast and we need net flow version 9 to support IPv6 flows are exported via UDP you need to choose a port there's no particular standard although 2055 and 9996 are commonly used in many published examples online. It's supported in all IOS variants as well as the older and now obsolete ASA and Cat OS platforms but with different implementations the way ios is configured is that we set up netflow on each interface so inbound and outbound other versions of IOS only allows on the inbound interface which can be a bit inconvenient for larger networks we need to define the netflow version define the ip address and the port of the collector where we're sending the flows we optionally can enable aggregation tables we can configure flow timeouts and the main flow table size and for the bigger platforms we can configure a sample rate because those platforms will not allow every packet to be captured for flow analysis purposes the slide shows how we configure netflow on older platforms first off we need to make sure that ceph cisco's express forwarding is enabled on the platform for most modern platform this is turned on by default but all the routers it is still not enabled ceph is cisco's way of indicating that the router has a separate forwarding table and routing table so ipsef and ipv6f will make sure this is turned on for our platforms prior to ios 12.4 we turned on netflow by doing ip write cash flow on the interface and this only applied to incoming traffic there was no way of capturing floors for outgoing traffic for more modern versions of ios so 12.4 onwards we could do ip flow ingress for incoming traffic and ipv4 egress for outgoing traffic and then to export flows to a collector we have ipflow export version we specify the version number five or nine and then whether we include the origin as or the peer as and that's especially useful if we're using bgp on our network we also specify the destination in other words where the collector is so the ip address and which udp port the collector is listening on we can also summarize floors directly on the router this is really handy for a quick look to see who the busiest users are rather than jumping onto the collector and doing the analysis there this is handy when you need to do troubleshooting in a rush we can summarize these floors by configuring the top talkers feature the slide shows ipflow top talkers we've specified the top 50 talkers we've sorted the output by bytes and we're looking for traffic coming in on the gigabit zero zero interface the result of this will sort the output according to the top 50 incoming traffic source destination pairs on the gigabit zero zero interface and then to find out what's there we do show ipflow top targets on the newer platforms from cisco we have what's called flexible net flow this was a rewrite of cisco's original net flow which was not really that flexible flexible net netflow has a mind-boggling list of options available to let you configure flow export and capture on your router but the basic configuration is straightforward flexible net flow was available from ios 15.0 onwards and of course other ios variants and we would suggest that we start using this now as it supports ipv6 and we'll need to see the flow information available for v6 as well let's have a look at how flexible netflow is configured we define one or more exporters so flow export exporter 1 as the slide shows the destination address the transport and the destination port the source is loopback zero and then the data timeout for the template we make it 300 seconds and then we use that exporter in the flow monitor so we have a v4 flow monitor using the exporter we created again a cache timeout of 300 seconds and then we're looking for input traffic for v4 we do the same thing for ipv6 using the same exporter but capturing v6 input traffic and then we apply the monitors to the active interface so ip flow monitor v4 input flow monitor v4 output and then we do the same thing for v6 input and output. We can also summarize the top talkers using flexible netflow. The examples shown on the slides are from a couple of platforms that we have access to don't just cut and paste these examples they may not work on your own platform as Cisco is forever changing some of the options and features available even according to which license you have purchased for the software. The first one shows the top talkers. It is one very long command but you can easily alias this using Cisco alias exec command to save you trying to remember what all the options are. On some newer platforms some of these features have disappeared and new features have been added as it shows on the slide.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.