Cisco Netflow


Routers made by Cisco Systems, in current versions of the IOS operating system, support a method of accounting routed packets called NetFlow. Among other things, it makes it possible to collect traffic statistics and send them to an external device for processing. More information about NetFlow is available here. The router sends UDP packets with the statistics to a specified IP address/port, where NeTAMS can receive and process them. Traffic filtering is impossible in this case, since only the data about the traffic reaches the external device. Details on configuring netflow export can be read here.

Besides Cisco routers, NetFlow data can be sent by one of the existing probes: fprobe, ng_netflow, flowprobe, ipfw2netflow, ulog2netflow. The last three are included in the NeTAMS distribution.

An example of the router commands:
ip cef
!
ip flow-cache timeout inactive 60
ip flow-cache timeout active 10
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip route-cache flow
!
ip flow-export version 5
ip flow-export destination 192.168.1.254 20001
The data-source service in the NeTAMS configuration file is set up as follows:
service data-source 1
type netflow
source 192.168.1.1
listen 20001
A complete configuration file is given here.
It is assumed that NetFlow UDP packets come from the router with IP address 192.168.1.1 and arrive at local UDP port 20001 (which NeTAMS listens on).

IMPORTANT!
Note that NetFlow accounts only traffic entering the router. This creates complications when address translation (NAT) is used. Packets from hosts of the internal network enter the router and are accounted correctly, but the replies from outside arrive with the dst address of the external interface. Since address translation happens after accounting, the statistics for all incoming traffic will contain the sum of all traffic that arrived at the external interface address, and zero for the addresses of the internal network. For correct accounting you should use policy routing. The operating system installed on the router must support this feature. Here is an example configuration for a Cisco 2514:
ip cef
!
interface Loopback0
ip address 192.168.10.1 255.255.255.0
ip route-cache policy
ip route-cache flow
!
interface Ethernet0
ip address 195.200.200.1 255.255.255.0
ip nat outside
ip route-cache policy
ip route-cache flow
ip policy route-map MAP
!
interface Ethernet1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip route-cache policy
ip route-cache flow
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip flow-export version 5
ip flow-export destination 192.168.1.254 20001
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip any 192.168.1.0 0.0.0.255
route-map MAP permit 10
match ip address 101
set interface Loopback0
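To show what a collector actually sees in the NAT case described above, here is an added Python example (not NeTAMS code and not from the original page) that parses a constructed NetFlow v5 datagram and attributes octets to hosts of 192.168.1.0/24. The two flows, the outside address 203.0.113.5 and the reuse of the external interface address 195.200.200.1 from the configuration above are constructed for the illustration.

```python
import struct
import ipaddress

# NetFlow v5 wire format (network byte order): 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # network being accounted


def parse_v5(datagram):
    """Return a list of (src, dst, octets) from one NetFlow v5 datagram."""
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    flows = []
    for i in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        src = ipaddress.ip_address(rec[0])  # srcaddr
        dst = ipaddress.ip_address(rec[1])  # dstaddr
        flows.append((src, dst, rec[6]))    # rec[6] is dOctets
    return flows


def account(flows):
    """Sum octets per internal host; flows touching no internal address stay unattributed."""
    per_host, unattributed = {}, 0
    for src, dst, octets in flows:
        host = src if src in INTERNAL else dst if dst in INTERNAL else None
        if host is None:
            unattributed += octets
        else:
            per_host[str(host)] = per_host.get(str(host), 0) + octets
    return per_host, unattributed


def make_record(src, dst, octets, proto=6):
    """Build one constructed v5 record; only addresses, octets and proto are meaningful."""
    return RECORD.pack(ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
                       b"\0\0\0\0", 1, 2, 1, octets, 0, 0, 1234, 80, 0, 0, proto, 0,
                       0, 0, 24, 24, 0)


# Constructed datagram: an outbound flow from an internal host, accounted before NAT,
# and the reply from outside, which arrives addressed to the external interface.
SAMPLE = (HEADER.pack(5, 2, 123456, 1700000000, 0, 1, 0, 0, 0)
          + make_record("192.168.1.10", "203.0.113.5", 1000)
          + make_record("203.0.113.5", "195.200.200.1", 5000))

if __name__ == "__main__":
    print(account(parse_v5(SAMPLE)))  # ({'192.168.1.10': 1000}, 5000)
```

Without policy routing the 5000 reply octets land in the unattributed bucket instead of on 192.168.1.10, which is exactly the accounting gap the note above describes.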
In the hardest case, when the router has only one physical interface and routing is done between two subinterfaces (on VLANs), a double loopback must be used. Remember that in such cases the packets go through process switching (not CEF), which has an extremely negative effect on performance.

Here is another example, without VLANs and with two addresses on the interface:
ip cef
!
interface Loopback1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip route-cache flow
!
interface Loopback2
 ip address 192.168.30.1 255.255.255.0
 ip route-cache flow
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0 secondary
 ip address 212.69.119.62 255.255.255.192
 ip nat outside
 ip route-cache flow
 ip policy route-map MAPnew
 speed auto
 full-duplex
!
ip local policy route-map MAPnew
ip nat pool POOL 212.69.119.48 212.69.119.48 netmask 255.255.255.192
ip nat inside source list 2 pool POOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 212.69.119.1
ip flow-export version 5
ip flow-export destination 212.69.119.3 20001
no ip http server
!
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 3 permit 212.69.119.48
access-list 101 permit ip any 192.168.0.0 0.0.255.255
!
!
route-map MAPnew permit 10
 match ip address 2
 set interface Loopback1
!
route-map MAPnew permit 20
 match ip address 101
 set interface Loopback2
