NetFlow to Monitor Network Traffic

NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information. NetFlow has become an industry standard for traffic monitoring and is supported on various platforms. Routers or switches that support NetFlow  can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records, towards at least one NetFlow collector.


Network Flows
 
A network flow can be defined in many ways. Cisco standard NetFlow defines a flow as a unidirectional sequence of packets that all share the following 7 values.

  1. Ingress interface (SNMP ifIndex)
  2. Source IP address
  3. Destination IP address
  4. IP protocol
  5. Source port for UDP or TCP, 0 for other protocols
  6. Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
  7. IP Type of Service
Additional information added to a flow includes
  • Flow timestamps to understand the life of a flow; timestamps are useful for calculating packets and bytes per second
  • Next hop IP addresses including BGP routing Autonomous Systems (AS)
  • Subnet mask for the source and destination addresses to calculate prefixes
  • TCP flags to examine TCP handshakes


Configuration

Netflow configuration on Cisco routers is very simple, just enable the NetFlow on interfaces, define the version to be used and the destination i.e. IP address of the NetFlow collector. In the below image, we will configure the router to send the flows to the workstation 192.168.100.20, where NetFlow Analyzer is installed.

Router#
interface FastEthernet 0/1
 description ### INSIDE ###
 ip address 192.168.100.1 255.255.255.0
 ip flow ingress
!
ip flow-export version 9
ip flow-export destination 192.168.100.20 9996


Just this much configuration will start sending the Flows towards Netflow Analyzer. Here is the sample output for the LAN segment from the above scenario.

Apart from using the NetFlow collector, you can also use CLI to view the Flows using the command


show ip cache flow




NetFlow Top-Talkers

NetFlow top-talkers feature is also very handy to use from Command Line Interface when you want to identify users who are utilizing more WAN bandwidth. To configu-re flow-top-talkers, just add the following configuration to the above configuration on the Router.


ip flow-top-talkers
 top 20
 sort-by bytes



To verify the top-talkers on the network, use the command,

Router#sh ip flow top-talkers

SrcIf  SrcIPaddress    DstIf  DstIPaddress    Pr SrcP DstP  Bytes
Fa0/1  192.168.100.12  Fa0/0  188.4.200.109   11 9215 7CB9   267K
Fa0/1  192.168.100.12  Fa0/0  122.150.182.223 11 9215 AF16   265K
Fa0/1  192.168.100.58  Fa0/0  50.140.2.134    06 D4FD C196   225K
Fa0/1  192.168.100.49  Fa0/0  74.125.236.133  06 C766 01BB   118K
Fa0/1  192.168.100.58  Fa0/0  41.158.32.28    11 81B7 82D7   107K
Fa0/1  192.168.100.58  Fa0/0  186.216.123.119 11 81B7 C8D3    97K
Fa0/1  192.168.100.12  Fa0/0  142.161.64.110  11 9215 B0BB    67K
Fa0/1  192.168.100.58  Fa0/0  105.236.42.243  11 81B7 C350    63K
Fa0/1  192.168.100.58  Fa0/0  68.41.128.72    11 81B7 D785    52K
Fa0/1  192.168.100.12  Fa0/0  124.179.75.73   11 9215 AC98    48K
Fa0/1  192.168.100.58  Fa0/0  83.39.147.222   11 81B7 0FA0    36K
Fa0/1  192.168.100.58  Fa0/0  77.126.153.4    11 81B7 DC90    34K
Fa0/1  192.168.100.58  Local  203.122.32.30   11 81B7 81B7    34K
Fa0/1  192.168.100.62  Fa0/0  205.209.161.108 06 CC11 4E21    18K
Fa0/1  192.168.100.58  Fa0/0  50.105.92.91    06 DDAA 836F    16K
Fa0/1  192.168.100.58  Fa0/0  115.64.185.87   11 81B7 B2B3    12K
Fa0/1  192.168.100.58  Fa0/0  62.57.156.182   11 81B7 434C  8851
Fa0/1  192.168.100.57  Fa0/0  74.125.236.150  06 C5F3 01BB  6174
Fa0/1  192.168.100.48  Fa0/0  137.135.131.132 06 F5DE 0050  5567
Fa0/1  192.168.100.58  Fa0/0  46.193.164.36   11 81B7 866D  5123
20 of 20 top talkers shown. 380 flows processed.









Comments

Post a Comment

Popular posts from this blog

Specifying SSH port in Ansible Inventory

There may be some instances where you set a custom port for SSH on your network device. If ssh port for hosts is different than the default port 22, it can be specified in the inventory file with colon (:) after hostname. #vi inventory # Inventory file for Ansible   [XE] ios-xe-mgmt.cisco.com:8181 ios-xe-mgmt-latest.cisco.com:8181   [XR] sbx-iosxr-mgmt.cisco.com:8181
Read more

Ansible-Playbook to display output of multiple show commands (using stdout_lines with Loop)

 In this playbook, we we'll see how we can get display of multiple show commands in stdout_lines format. We can make use of loops (or with_items) for submitting multiple commands, but debug output with stdout_lines does not gives the formatted result as it would give for single command. So in case of multiple commands, we can debug the output of each command separately in stdout_lines format.
Read more

Filtering Routes in BGP using Route-maps and Prefix-list

Image
Order of preference of attributes in BGP The order of preference varies based on whether the attributes are applied for inbound updates or outbound updates. For inbound updates the order of preference is:     route-map     filter-list     prefix-list, distribute-list For outbound updates the order of preference is:     prefix-list, distribute-list     filter-list     route-map NOTE: The attributes prefix-list and distribute-list are mutually exclusive, and only one command (neighbor distribute-list or neighbor prefix-list) can be applied to each inbound or outbound direction for a particular neighbor. Scenario: We own the AS500 and advertising a network block of 192.0.2.0/24 and 180.179.179.0/16 to two different ISPs. Objectives: Configure router R1 to establish eBGP neighbor relationship with ISP1. Configure router R1 to establish eBGP neighbor relationship with ISP2. Advertise  192.0.2.0/24 network to ISP1 only. Advertise 180.179.179.0/16 network to ISP2 only. Receive routes having n
Read more

Ansible Playbook for Network OS Upgrade with pre and post checks

You have 100s of network switches or routers that you need to upgrade. How much time would it take for you to do the upgrades? There are a lot number of sub-tasks involved while upgrading IOS image of a Cisco router or a switch. This time of upgradation can be reduced through automation from various Enterprise Configuration Management tools that also have ability to upgrade network OS. Though these tools give an easy to use graphical interface, but this requires you to have appropriate license and also restricts you to customize your upgrade process.
Read more

Bypassing Proxy Server in Google Chrome

Image
There may be times when you might want to use Google Chrome and do not wish to use the proxy settings for which you are bound to use in Internet Explorer because of your company policies. If you try to change proxy settings in Google Chrome, by default it will open the System Internet Properties dialogue box, and most of the times, change in proxy setting options is restricted by domain group policy. So here is an alternate way to remove or disable proxy settings in Google Chrome. 1. Right click the GoogleChrome.exe and create it's shortcut. 2. Open the properties of the shortcut of GoogleChrome.exe created in previous step. 3. Here you have to edit the Target of this shortcut. You have to add   --proxy-server=""  after the existing path. You are done. Now enjoy the web browsing without any restrictions.
Read more

VMware NSX Traffic Flow — East-West & North-South

Image
Understanding how traffic is flowing in NSX environment is an important aspect to successfully maintain and troubleshoot networks having NSX. In this post we'll understand hop-by-hop flow of traffic in East-West and North-South directions. East-West: VMs on Same Subnet, Same Host VM-1 has IP address 172.16.20.6 and VM-2 has IP address 172.16.20.7 VM-1 vNIC è Logical Switch (Segment ID 5002) è VM-2 vNIC
Read more

Export or Backup Azure Network Security Groups into CSV using PowerShell

There could be many use cases where you may want to export Network Security Groups into CSV. You might have question, how to export or backup Azure Network Security Groups into CSV. Here is the PowerShell script that you can use to export Azure Network Security Groups into CSV using PowerShell script. This script will export Network Security Group along with rules of all Active subscriptions into a CSV.
Read more

Ansible-playbook for backing up running config of Cisco IOS

This ansible-playbook can be used to backup running configuration from Cisco IOS devices. You can refer to my earlier post Getting Started with your first ansible-playbook for Network Automation  to know about the parameters used in this playbook. Inventory file # Inventory file for Ansible [XE] ios-xe-mgmt.cisco.com:8181 ios-xe-mgmt-latest.cisco.com:8181 [XR] sbx-iosxr-mgmt.cisco.com:8181 [all:vars] ansible_network_os=ios Playbook --- - name: Define Parameters   hosts: XE   gather_facts: no   connection: network_cli   tasks:    - name: backup the config      ios_config:       backup: yes      register: backup_config    - name: Store the config to directory      copy:       src: "{{ backup_config.backup_path }}"       dest: "/tmp/backups/{{ inventory_hostname }}" Running the playbook [prashant@Prashant-VM01 ~]$ ansible-playbook play03.yml -i /home/prashant/inventory -u developer -k SSH password: PLAY [Define Parameters] **********************************************
Read more