Wednesday, May 19, 2010

How to configure Netflow

What is Netflow?

A flow can be considered as traffic that share "header" information such as source and destination IP address, protocols numbers, port numbers and TOS field information. Reference CCNP Tshoot Cisco Press.

Netflow allows you to monitor which user or computer system in the network is using the most traffic. Netflow can be configured as stand alone (on the router) or tied together with applications that support Netflow. My favorite program is WhatsUpGold http://www.whatsupgold.com/. There is a 30 day trial available for download. I will give you a simple stand alone config and a sample config tied in with WhatsUpGold v14.



Neetflow interface configuration 

Interface config mode:

interface FastEthernet0/0
 ip address 10.0.32.1 255.255.224.0
 ip flow ingress
 duplex full

Global config mode:
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 192.168.1.1 9999
ip flow-top-talkers
 top 5
 sort-by bytes
  1. Specify the flow-export source
  2. Specify the version number
  3. Specify where the flow will be exported 
  4. Configure how many top talkers will be monitored
  5. the results will be sorted by bytes
Below is a sample output of the show flow command:

CME_2651XM#sh ip cache flow
IP packet size distribution (1710195 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .385 .208 .024 .012 .009 .026 .004 .003 .002 .024 .001 .002 .002 .001

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .001 .001 .001 .018 .267 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  15 active, 4081 inactive, 341232 added
  5824827 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
  15 active, 1009 inactive, 336988 added, 336988 added to flow
  0 alloc failures, 0 force free
  1 chunk, 5 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet       19434      0.0         9    42      0.1       0.0       1.5
TCP-FTP             22        0.0         1    45      0.0       0.8      12.9
TCP-FTPD          12        0.0         1    43      0.0       0.2      13.3
TCP-WWW        12517  0.0        39   841      0.3       2.9       6.6


 _________________________________________________________________________________
CME_2651XM#sh ip flow top-talkers

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Fa0/0         10.46.240.1     Null          255.255.255.255 11 0043 0044    18K
Fa0/1         1.1.1.1             Local         1.1.1.1      01 0000 0800  3612

2 of 5 top talkers shown. 23 flows processed.


Configure WhatsUpGold:

  1. Login into the WhatsUpGold interface


     2. Under flow monitor click go--configure-- settings

    

     3. Listening port: Select a port number it should be the same as port configured using the ip flow-destination command eg (ip flow-export destination 192.168.1.1 9999)


Sample WhatsUpGold display:

Posted by at

1 comment:

  1. AnonymousMay 21, 2010 at 9:41 AM

    Thanks for the great post. WhatsUp Gold is a good tool for SNMP and WMI monitoring, but for NetFlow I use Scrutinizer.

    ReplyDelete

Subscribe to: Post Comments (Atom)