Flexible Netflow (FnF) Configuration for PRTG - NETSEC


Cybersecurity Memo

Friday, February 6, 2015


If you are not yet familiar with FnF (Flexible NetFlow), your NetFlow knowledge has probably not been updated in the last couple of years. Basically, Flexible NetFlow lets the user decide which information is exported through NetFlow; it is an extension of NetFlow v9. For more background, I suggest reading the reference websites listed at the end of this post first. This post focuses only on the configuration in a real environment with a Cisco 4510 and on how the exported flows are used in PRTG, a powerful and easy-to-use network monitoring tool.

As shown in the following diagrams, different flows are defined to capture different information and serve different purposes.

Flexible NetFlow can track a wide range of packet information for Layer 2, IPv4 and IPv6 flows:
• Source and destination Mac Addresses
• Source and destination IPv4 or IPv6 addresses
• Source and destination TCP/User Datagram Protocol (UDP) ports
• Type of service (ToS)
• DSCP
• Packet and byte counts
• Flow timestamps
• Input and output interface numbers
• TCP flags and encapsulated protocol (TCP/UDP) and individual TCP Flags
• Sections of packet for deep packet inspection
• All fields in IPv4 Header including IP-ID, TTL and others
• All fields in IPv6 Header including Flow Label, Option Header and others
• Routing information (next-hop address, source autonomous system (AS) number, destination AS number, source prefix mask, destination prefix mask, BGP Next Hop, BGP Policy Accounting traffic index)



In my environment I have a Cisco 4510R+E with a Supervisor 8-E, running the ipbase image cat4500es8-universalk9.SPA.03.03.01.XO.151-1.XO1.bin. There is no NetFlow Services Card installed, but Flexible NetFlow is supported.

CS#show module
Chassis Type : WS-C4510R+E
Power consumed by backplane : 40 Watts
Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
 1    48  10/100/1000BaseT EEE (RJ45)            WS-X4748-RJ45-E    CA1737L5CP
 2    48  10/100/1000BaseT Premium POE E Series  WS-X4748-RJ45V+E   CA1746L5KJ
 3    48  10/100/1000BaseT Premium POE E Series  WS-X4748-RJ45V+E   CA1746L5RN
 4    48  10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E    JA17410F8D
 5     8  Sup 8-E 10GE (SFP+), 1000BaseX (SFP)   WS-X45-SUP8-E      CA1749L63E
 7    48  10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E    JA17410AF6
 8    12  10GE SFP+                              WS-X4712-SFP+E     CA1741L4FU
 9    48  10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E    JA17410F1K
10    48  10/100/1000BaseT EEE (RJ45)            WS-X4748-RJ45-E    CA1806L2H6
 M MAC addresses                    Hw  Fw           Sw               Status
--+--------------------------------+---+------------+----------------+---------
 1 885a.924.69c0 to 885a.9244.69ef 1.1                               Ok    
 2 24e9.b34.9748 to 24e9.b3f4.9777 1.3                               Ok    
 3 24e9.bf4.9988 to 24e9.b3f4.99b7 1.3                               Ok    
 4 e4c7.2df.d9da to e4c7.22df.da09 2.1                               Ok    
 5 24e9.3fb.a4c0 to 24e9.b3fb.a4c7 1.0 15.1(1r)SG1  03.03.01.XO      Ok    
 7 e4c7.2df.b42a to e4c7.22df.b459 2.1                               Ok    
 8 78da.e56.3ad0 to 78da.6e56.3adb 2.0                               Ok    
 9 e4c7.2df.d01a to e4c7.22df.d049 2.1                               Ok    
10 7426.c47.9dcc to 7426.ac47.9dfb 1.2                               Ok    
Mod  Redundancy role     Operating mode      Redundancy status
----+-------------------+-------------------+----------------------------------
 5   Active Supervisor   SSO                 Active


CS#sh ver
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500es8-UNIVERSALK9-M), Version 03.03.01.XO RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 30-Apr-14 02:55 by prod_rel_team

Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: 15.1(1r)SG1
CS uptime is 30 weeks, 4 days, 10 hours, 5 minutes
Uptime for this control processor is 30 weeks, 4 days, 10 hours, 6 minutes
System returned to ROM by reload
System restarted at 16:18:25 UTC Mon Jul 7 2014
System image file is "bootflash:/cat4500es8-universalk9.SPA.03.03.01.XO.151-1.XO1.bin"
Jawa Revision 3, RadTrooper Revision 0x0.0x41, Conan Revision 0x1449
Last reload reason: Reload command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Information for 'WS-X45-SUP8-E'
    License Level: ipbase   Type: Permanent
    Next reboot license Level: ipbase

cisco WS-C4510R+E (P5040) processor (revision 2) with 4194304K bytes of physical memory.
Processor board ID FXS1749Q1VP
P5040 CPU at 2.2GHz, Supervisor 8-E
Last reset from Reload
17 Virtual Ethernet interfaces
336 Gigabit Ethernet interfaces
20 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102

This simple example configures traditional NetFlow-style export using the new Flexible NetFlow CLI. The user creates the flow monitor and attaches the flow record and the flow exporter to it.

Step 1: Configure Flow Record

flow record ipv4_record
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect ipv4 tos
 collect transport tcp source-port
 collect transport tcp destination-port
 collect transport tcp flags
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

Step 2: Configure Flow Exporter

flow exporter flow1
 description for vlan 1
 destination 10.4.2.13
 source Vlan1
 transport udp 9995
 template data timeout 60

Step 3: Configure Flow Monitor

flow monitor main_monitor
 exporter flow1
 cache timeout active 30
 record ipv4_record

Step 4: Apply the IPv4 Flow Monitor to an Interface

interface GigabitEthernet1/4
 ip flow monitor main_monitor input
end

Step 5: Configure the PRTG Server (10.4.2.13) to Receive the Flow Data on UDP Port 9995

This step is the same as in my previous post "Configure Netflow on network devices for PRTG Netflow Monitoring".

Add a new NetFlow sensor to this switch device in PRTG and enter the VLAN 1 IP address (the exporter's source interface) as the Sender IP. The sensor receives NetFlow packets on UDP port 9995.

Step 6: Verify

CS#show flow interface g1/4
Interface GigabitEthernet1/4
  FNF:  monitor:          main_monitor
        direction:        Input
        traffic(ip):      on
CS#show flow monitor name main_monitor cache format record
  Cache type:                               Normal
  Cache size:                                 4096
  Current entries:                             451
  High Watermark:                             1024
  Flows added:                              681122
  Flows aged:                               680671
    - Active timeout      (    30 secs)      51744
    - Inactive timeout    (    15 secs)     628927
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0
IPV4 SOURCE ADDRESS:       10.31.51.9
IPV4 DESTINATION ADDRESS:  10.4.1.15
TRNS SOURCE PORT:          52034
TRNS DESTINATION PORT:     1352
IP PROTOCOL:               6
tcp source port:           52034
tcp destination port:      1352
tcp flags:                 0x18
interface input:           Gi1/4
interface output:          Gi10/24
counter bytes:             7060
counter packets:           20
timestamp first:           03:05:59.637
timestamp last:            03:06:24.637
ip tos:                    0x00
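To make the steps above concrete from the collector's side, here is an added example (not code from the original post, and not PRTG's or Cisco's code) of a minimal NetFlow v9 decoder for the export produced by the ipv4_record flow record. It builds a constructed export packet carrying the same flow that appears in the "show flow monitor" cache output (10.31.51.9:52034 to 10.4.1.15:1352, protocol 6, flags 0x18, 20 packets, 7060 bytes, first/last timestamps 25 s apart), decodes it, and shows why the "template data timeout 60" setting on the exporter matters: a v9 data FlowSet that arrives before its template cannot be decoded. The field type numbers follow RFC 3954; the template ID, ifIndex values and sys-uptime values are assumptions made for the example.

```python
import socket
import struct

# NetFlow v9 field type numbers (RFC 3954) for the fields in ipv4_record.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos", 6: "tcp_flags",
    7: "l4_src_port", 8: "ipv4_src_addr", 10: "input_snmp", 11: "l4_dst_port",
    12: "ipv4_dst_addr", 14: "output_snmp", 21: "last_switched", 22: "first_switched",
}
IPV4_FIELDS = {8, 12}
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
TEMPLATE_ID = 256  # assumed template ID (exporters use 256 and up)
# (field type, length) pairs in the order one exported record is laid out.
IPV4_RECORD_TEMPLATE = [(4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (5, 1), (6, 1),
                        (10, 2), (14, 2), (1, 4), (2, 4), (22, 4), (21, 4)]
# Constructed sample: the flow from the cache output above. ifIndex values for
# Gi1/4 and Gi10/24 are made up; first/last are sys-uptime in milliseconds.
SAMPLE_FLOW = dict(protocol=6, src="10.31.51.9", dst="10.4.1.15", sport=52034,
                   dport=1352, tos=0, flags=0x18, in_if=4, out_if=424,
                   bytes=7060, pkts=20, first=11159637, last=11184637)


def decode_tcp_flags(value):
    """Render the one-byte TCP flags field, e.g. 0x18 -> 'PSH|ACK'."""
    names = [name for bit, name in TCP_FLAG_BITS if value & bit]
    return "|".join(names) if names else "none"


def build_v9_packet(flows, include_template=True, source_id=0, seq=1):
    """Constructed v9 export: 20-byte header, optional template FlowSet, one data FlowSet."""
    flowsets = b""
    if include_template:
        tmpl = struct.pack("!HH", TEMPLATE_ID, len(IPV4_RECORD_TEMPLATE))
        tmpl += b"".join(struct.pack("!HH", t, l) for t, l in IPV4_RECORD_TEMPLATE)
        flowsets += struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl  # FlowSet ID 0 = template
    data = b"".join(
        struct.pack("!B4s4sHHBBHHIIII", f["protocol"], socket.inet_aton(f["src"]),
                    socket.inet_aton(f["dst"]), f["sport"], f["dport"], f["tos"],
                    f["flags"], f["in_if"], f["out_if"], f["bytes"], f["pkts"],
                    f["first"], f["last"])
        for f in flows)
    data += b"\x00" * ((-len(data)) % 4)  # FlowSets are padded to a 32-bit boundary
    flowsets += struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    count = len(flows) + (1 if include_template else 0)
    header = struct.pack("!HHIIII", 9, count, 11184637, 1423200000, seq, source_id)
    return header + flowsets


class V9Decoder:
    """Collector-side decoder; templates are cached per (source_id, template_id)."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0  # data FlowSets seen before their template arrived

    def feed(self, packet):
        version, _cnt, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, offset = [], 20
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
            if length < 4 or offset + length > len(packet):
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:
                self._parse_templates(source_id, body)
            elif flowset_id > 255:  # 1 = options template, 2-255 reserved
                records.extend(self._parse_data(source_id, flowset_id, body))
            offset += length
        return records

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + 4 * field_count > len(body):
                raise ValueError("truncated template FlowSet")
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                      for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:  # cannot decode until the exporter re-sends the template
            self.undecodable += 1
            return []
        record_len = sum(flen for _, flen in fields)
        records, pos = [], 0
        while record_len and pos + record_len <= len(body):  # trailing bytes = padding
            rec = {}
            for ftype, flen in fields:
                raw, pos = body[pos:pos + flen], pos + flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
            if "tcp_flags" in rec:
                rec["tcp_flags_str"] = decode_tcp_flags(rec["tcp_flags"])
            if "first_switched" in rec and "last_switched" in rec:
                rec["duration_ms"] = rec["last_switched"] - rec["first_switched"]
            records.append(rec)
        return records


if __name__ == "__main__":
    for rec in V9Decoder().feed(build_v9_packet([SAMPLE_FLOW])):
        print(f'{rec["ipv4_src_addr"]}:{rec["l4_src_port"]} -> {rec["ipv4_dst_addr"]}:'
              f'{rec["l4_dst_port"]} proto {rec["protocol"]} [{rec["tcp_flags_str"]}] '
              f'{rec["in_pkts"]} pkts {rec["in_bytes"]} bytes {rec["duration_ms"] / 1000:.1f} s')
```

The decoder keys its template cache on the packet's source ID as well as the template ID, because two exporters (or two exporter instances on the same switch) can reuse the same template number with different layouts. Feeding it a data-only packet first leaves the record undecodable, which is exactly the situation a collector such as PRTG is in until the next template refresh arrives.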



Notes:

1. Flexible NetFlow on the Cisco 4500 requires you to configure your own flow record, since there are no predefined records available as there are on some other IOS platforms.
2. Applying a flow monitor in the output direction on an interface is not yet supported on the Cisco 4500 switch:
CS(config-if)#ip flow monitor main_monitor output
% Flow Monitor: 'main_monitor' could not be added to interface due to invalid sub-traffic type: 0
3. Traditional NetFlow v5 and v9 configuration:
This feature is only available if the NetFlow Services Card (WS-F4531) is present. The installed modules can be viewed with the "show module" command.
For example:
Mod  Submodule               Model             Serial No.   Hw   Status
----+-----------------------+-----------------+------------+----+---------
 1   Netflow Services Card   WS-F4531          JAB062209CG  0.2  Ok
 2   Netflow Services Card   WS-F4531          JAB062209AG  0.2  Ok

The basic command set is as follows:
ip flow ingress infer-fields
ip flow-cache timeout active 1
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination x.x.x.x 2059
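As a counterpart to the template-based v9 export configured earlier, here is an added example (not from the original post) of what a collector receives from the traditional "ip flow-export version 5" command set above: a fixed 24-byte header followed by fixed 48-byte records, with no template dependency. The example builds a constructed v5 packet, parses it, and uses the header's flow_sequence counter to detect records lost between the switch and the collector, which is the main health check worth running on a v5 feed. The exporter address and all sample values are assumptions made for the example.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes (RFC-less, Cisco-defined)
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow record
V5_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
             "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
             "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

# Constructed sample flow (same endpoints as the FnF cache output earlier).
SAMPLE_V5 = dict(src="10.31.51.9", dst="10.4.1.15", in_if=4, out_if=424, pkts=20,
                 bytes=7060, first=11159637, last=11184637, sport=52034, dport=1352,
                 flags=0x18, protocol=6, tos=0)


def build_v5_packet(records, sequence=0):
    """Constructed v5 export: header with the running flow_sequence, then fixed records."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
                       socket.inet_aton("0.0.0.0"), r["in_if"], r["out_if"], r["pkts"],
                       r["bytes"], r["first"], r["last"], r["sport"], r["dport"], 0,
                       r["flags"], r["protocol"], r["tos"], 0, 0, 0, 0, 0)
        for r in records)
    # version, count, sysUptime, unix_secs, unix_nsecs, flow_sequence, engine type/id, sampling
    header = V5_HEADER.pack(5, len(records), 11184637, 1423200000, 0, sequence, 0, 0, 0)
    return header + body


def parse_v5_packet(packet):
    """Return the header sequence number and the decoded records of one v5 packet."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("short NetFlow v5 packet")
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(packet)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version {version})")
    if len(packet) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match packet length")
    records = []
    for i in range(count):
        rec = dict(zip(V5_FIELDS, V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return {"sequence": seq, "sampling": sampling, "records": records}


class V5Collector:
    """Tracks flow_sequence per exporter so dropped export packets show up as a gap."""

    def __init__(self):
        self.next_seq = {}  # exporter address -> flow_sequence expected in its next packet
        self.lost = 0       # flow records that never reached us

    def feed(self, exporter, packet):
        parsed = parse_v5_packet(packet)
        expected = self.next_seq.get(exporter)
        if expected is not None and parsed["sequence"] > expected:
            self.lost += parsed["sequence"] - expected  # a lower value means the exporter restarted
        self.next_seq[exporter] = parsed["sequence"] + len(parsed["records"])
        return parsed["records"]


if __name__ == "__main__":
    c = V5Collector()
    for r in c.feed("10.4.2.1", build_v5_packet([SAMPLE_V5], sequence=0)):
        print(f'{r["srcaddr"]}:{r["srcport"]} -> {r["dstaddr"]}:{r["dstport"]} '
              f'proto {r["prot"]} {r["dPkts"]} pkts {r["dOctets"]} bytes')
    c.feed("10.4.2.1", build_v5_packet([SAMPLE_V5], sequence=3))  # two records skipped
    print("lost flow records:", c.lost)
```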

Reference:

1. Configuring Flexible NetFlow Export on Cisco Routers
2. Cisco IOS Flexible NetFlow Technology Q&A
3. What is Flexible NetFlow part 1 of 3

6 comments:


  1. I actually enjoyed reading through this posting. Many thanks.

    Setup HP Envy

  2. Is there a reason for duplicating the TCP source and destination ports in the flow record?

    1. Are you talking about following configuration?

      flow record ipv4_record
      match ipv4 protocol
      match ipv4 source address
      match ipv4 destination address
      match transport source-port
      match transport destination-port
      collect ipv4 tos
      collect transport tcp source-port
      collect transport tcp destination-port
      collect transport tcp flags
      collect interface input
      collect interface output
      collect counter bytes
      collect counter packets
      collect timestamp sys-uptime first
      collect timestamp sys-uptime last

  3. This configuration gives a PRTG graph only for inbound traffic, right? Is there a way to graph inbound and outbound traffic in the same graph?
    Regards.

  4. Hello.
    I understand that this configuration gives a PRTG graphic for inbound traffic. Is there a way to graph inbound and outbound traffic in the same graph?

    Regards.

    1. Hi Starrk,
      To be honest, I am not sure if it is possible, but I doubt it is possible without any specific support from PRTG.
