Warning: Configuration of the Cisco device is your responsibility and you can potentially damage your device, so please make backups of your router before making any changes. Commands can vary between versions of Cisco firmware.
The traditional way is to mirror all traffic in its entirety on your switch for analysis. This requires an interface capable of speeds equivalent to the traffic you wish to monitor. NetFlow (and similar protocols) instead summarize and break the traffic down for analysis, so much less data is required.
In this blog I will set up NetFlow on a Cisco 2901 and configure it to export NetFlow in a very basic way (no security) to provide Netmon a remote view of a network at another location – on the other side of an internet connection.
These are the commands that will be used:
snmp-server community public RO
ip flow-cache timeout active 1
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 10.10.1.50 9996
ip flow ingress
ip flow egress
How to configure NetFlow
Let me show you where to put them. First elevate your privileges to configure the router.
# snmp-server community public RO
This sets the SNMP community string to ‘public’ with Read Only access. If you have already done this you can skip this step.
# ip flow-cache timeout active 1
This sets the active flow timeout to 1 minute, so the NetFlow data for long-lived flows is exported in 1-minute blocks.
# ip flow-export source Vlan1
Vlan1 holds the IP address under which the device is configured in Netmon. In my case this IP address is 10.66.0.2, so the device in Netmon is configured as 10.66.0.2.
# ip flow-export version 5
NetFlow version 5 is the most common version of NetFlow, used by many manufacturers of routers.
# ip flow-export destination 10.10.1.50 9996
10.10.1.50 is the private IP address of http://demo.netmon.ca and 9996 is the default port Netmon uses for NetFlow traffic.
User ID: demo
Next I have to decide which interface I wish to monitor. I could choose multiple. In my case I have Vlan 111 as a collector MPLS interface which represents all traffic for this network.
# interface Vlan111
# ip flow ingress
# ip flow egress
*Hold Control + Z*
Cisco2901# write mem
Everything is done on the Cisco router. We move on to Netmon. Navigate to the ‘Devices’ tab of Netmon and click on “New Device”.
Enter the IP address we chose as the source, which was Vlan 1, and the Read Only SNMP community string I configured as ‘public’.
Click on the Network tab.
On the right side find the interface you are looking to view.
If you click on the interface here you will see a new window.
You can name this interface whatever you like. I select all 3 boxes.
You now know how to configure NetFlow on a Cisco device for Netmon. In a few minutes a graph on the front page will start populating. As it fills in you will see the breakdown of remote traffic summarized by NetFlow.
If we take a look at the impact of NetFlow on the internet connection, we see that it averages around 400 kbps. A common 5mbit/1mbit DSL connection can handle this traffic. Compare that to the traditional method of simply mirroring traffic, which would not be possible here, as seen in the previous graph where traffic is spiking up to 60.23 Mbps.
If you are a Managed Service Provider, you will inevitably have a customer whose IP subnet is the same as another customer's. I have multiple customers on the 192.168.1.0/24 network, which is because Linksys defaults to this; however, I just can’t change those networks' subnets without hassle and downtime. For this demonstration we will be using Sonicwall.