EV Observe - Configure Netflow Monitoring Prerequisites

Last modified on 2022/11/25 18:31

Note: The configuration of network hosts for exporting NetFlow flows to the NetFlow collector will depend on each host. Contact your hardware integrator or vendor to find out more about the components to be set up.

The NetFlow protocol is a flow information export protocol used on network hosts for the real-time monitoring and analysis of network traffic. It uses the concept of flows to capture data on network behavior, such as network traffic source and destination, applications using the network and the bandwidth allocated to these applications.

NetFlow, developed by Cisco Systems, is now part of the Internet Engineering Task Force standard and its protocol is widely implemented by network equipment manufacturers, such as Juniper, Alcatel-Lucent, Nortel, as well as VMware and Linux servers. Its name can vary depending on the manufacturer, e.g. JFlow, NetStream, AppFlow, etc. 

To use service templates based on the NetFlow protocol, specific prerequisites must first be met.

  • You configure these prerequisites once only.
  • This is done in three steps:
    • Configure the NetFlow collector to receive information on network traffic
    • Configure the monitored network hosts to send NetFlow information to the collector
    • Check that NetFlow is working correctly

NetFlow network traffic monitoring: Operating principle

[Figure: NetFlow collect data - Operating principle]
  • (1) NetFlow exporters: Network hosts (e.g. routers, switches) where NetFlow is enabled collect network traffic statistics and export them to the NetFlow collector in nfcapd files.
  • (2) NetFlow collector (NetFlow Collector Storage): This collects the records sent by NetFlow exporters and stores them in the local database.
  • (3) Box: This retrieves information from the NetFlow collector.
  • (4) Monitoring platform: This analyzes NetFlow data collected by the Boxes using the NetworkAnalysis-NetFlow service template. This displays data in a dashboard and sends alerts in the event of errors or malfunctioning in network peripherals.

Notes

  • You can configure up to two NetFlow flow export destinations on each network host.
  • To implement NetFlow monitoring, you must define a listening port for each interface to be monitored. You must create an access control list (ACL) for each of the ports to authorize connection between the collector and the listening port.

Determine sizing requirements for the NetFlow collector


Best Practice

  • Create a single destination folder for NetFlow flow exports. In this folder, you can create one subfolder for each network interface to be monitored by NetFlow.
  • To identify the flow export subfolders easily, you should name them using the host name and its IP address.

Example:

  • Destination folder ==> /network_analysis/netflow/
  • Export folder for Router A ==> /network_analysis/netflow/RouterA_172.16.10.2
  • Export folder for Router B ==> /network_analysis/netflow/RouterB_192.16.80.1

Procedure: How to configure NetFlow monitoring prerequisites

Step 1: Configure the NetFlow collector


Step 2: Configure the network hosts

Note: The configuration of network hosts for exporting flows to the NetFlow collector will depend on each host. The procedure includes an example for a Cisco switch/router using the version 9 export format. For other hosts, contact your hardware integrator or vendor to find out more about the components to be set up.

General procedure

1. Log in to the network host where you want to enable NetFlow and enter privileged exec mode.

2. Perform the steps below to configure NetFlow for the network host.

  • Enter configuration mode for the network interface.
  • Specify the destination for NetFlow flows, i.e. IP address or host name, and UDP port of the NetFlow collector.
    Note: Repeat the procedure to configure a second NetFlow flow export destination. You can configure up to two destinations.
  • Specify the NetFlow version to be used.
  • Enable NetFlow on the network interface and specify whether you want to capture traffic received by the interface (ingress) or traffic sent by the interface (egress).
  • Exit configuration mode for the network interface.
    Note: Repeat the configuration procedure to select and enable NetFlow on each network interface to be monitored.

3. Exit global configuration mode to return to privileged exec mode.

4. Check that NetFlow is correctly configured on the network host.
         See: NetFlow collector configuration errors

Example: Configure a Cisco switch using the version 9 export format

          See: Cisco network host configuration examples

  • Log in to the Cisco switch and run the command below to enter privileged exec mode.

Router# enable

  • Run the command below to enter configuration mode for the Cisco switch.

Router# configure terminal

  • Run the command below to specify the destination of NetFlow flows.
    Replace:
    • <IP Address> with the IP address of the NetFlow collector or <Hostname> with the host name of the collector
    • <UDP Port> with the UDP port of the collector

Router(config)# ip flow-export destination {<IP Address> | <Hostname>} <UDP Port>

Example: Router(config)# ip flow-export destination 172.16.10.2 9995

  • Run the command below to specify the NetFlow version to be used.
    Replace <NetFlow Version> with the version number.

Router(config)# ip flow-export version <NetFlow Version>

Example: Version 9 (latest version) ==> Router(config)# ip flow-export version 9

  • Enable NetFlow on a network interface of the Cisco switch.
    • Run the command below to select the network interface.
      Replace:
      • <Interface Type> with the type of network interface
      • <Interface Slot> with the network interface slot
      • <Interface Port> with the network interface port

    Router(config)# interface <Interface Type><Interface Slot>/<Interface Port>

    Example: Ethernet interface, slot 0 and port 0 ==> Router(config)# interface Ethernet0/0

    • Indicate whether you want to enable NetFlow on the interface for inbound traffic (ingress) or outbound traffic (egress). Run one of the commands below.

    Router(config-if)# ip flow egress

    Router(config-if)# ip flow ingress

    Example: Enable for inbound traffic ==> Router(config-if)# ip flow ingress

    • Run the command below to exit interface configuration mode.

    Router(config-if)# exit

  • Check that NetFlow is correctly configured on the Cisco switch.
    • Run the command below to exit global configuration mode and return to privileged exec mode.

    Router(config)# end

    • Run the command below to check the NetFlow configuration parameters for each interface.

    Router# show ip flow interface

    Example: The following results will be displayed. ==> Ethernet0/0 ip flow ingress

     

Step 3: Check that the NetFlow collector is working correctly

1. Run the command below to check that NetFlow data is correctly cached.

Router# show ip cache flow

Example: The following results will be displayed.

IP packet size distribution (1103746 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  35 active, 4061 inactive, 980 added
  2921778 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds

IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-FTP            108      0.0      1133    40      2.4    1799.6       0.9
TCP-FTPD           108      0.0      1133    40      2.4    1799.6       0.9
TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
TCP-SMTP            54      0.0      1133    40      1.2    1799.6       0.8

2. Run the command below to display a summary of NetFlow flow export statistics, as well as statistics for the main cache and other enabled caches. Check that the IP address and UDP port of the collector are correct.

Router# show ip flow export

Example: The following results will be displayed.

Flow export v9 is enabled for main cache
  Exporting flows to 172.16.10.2 (9995) (UDP IP address/port of the NetFlow collector storage)
  Exporting using source interface Ethernet0/0
  Version 9 flow records
  0 flows exported in 0 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
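Added example, not part of the EasyVista page: a POSIX shell check that parses the output of show ip flow export (pasted or captured from the switch) and verifies the collector address and port and the flow counters. The sample output is constructed to match the one shown above; the function name check_flow_export and its return codes are assumptions.

```shell
#!/bin/sh
# Added example, not from the EasyVista page: validate "show ip flow export"
# output against the collector configured in Step 2. Names are assumptions.
# Constructed sample, modelled on the output shown above (0 flows exported).
SAMPLE_EXPORT_OUTPUT='Flow export v9 is enabled for main cache
  Exporting flows to 172.16.10.2 (9995) (ip/port udp of NetFlow collector storage)
  Exporting using source interface Ethernet0/0
  Version 9 flow records
  0 flows exported in 0 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues'

# check_flow_export OUTPUT COLLECTOR_IP UDP_PORT
# Return codes (a convention chosen for this example):
#   0  export enabled, destination matches, at least one flow exported
#   1  export enabled and destination matches, but 0 flows exported so far
#      (no "ip flow ingress/egress" on an interface yet, or no traffic)
#   2  destination IP or UDP port differs from the collector's listener
#   3  flow export is not enabled on the device
check_flow_export() {
  out=$1
  ip=$2
  port=$3
  if ! printf '%s\n' "$out" | grep -q '^Flow export v[0-9][0-9]* is enabled'; then
    echo "FAIL: flow export is not enabled (check 'ip flow-export version')"
    return 3
  fi
  # grep -F: the IP has dots and the port sits in parentheses, so match literally
  if ! printf '%s\n' "$out" | grep -qF "Exporting flows to $ip ($port)"; then
    echo "FAIL: destination is not $ip:$port (check 'ip flow-export destination')"
    return 2
  fi
  exported=$(printf '%s\n' "$out" | awk '/flows exported in/ { print $1; exit }')
  dropped=$(printf '%s\n' "$out" | awk '/export packets were dropped/ { s += $1 } END { print s + 0 }')
  if [ "$dropped" -gt 0 ]; then
    echo "WARN: $dropped export packets dropped on the device"
  fi
  if [ "${exported:-0}" -eq 0 ]; then
    echo "WARN: destination OK but 0 flows exported; enable 'ip flow ingress' on an interface or wait for traffic"
    return 1
  fi
  echo "OK: $exported flows exported to $ip:$port"
  return 0
}

# Stand-alone demonstration on the constructed sample (returns 1: nothing exported yet).
if check_flow_export "$SAMPLE_EXPORT_OUTPUT" 172.16.10.2 9995; then
  echo "collector export verified"
else
  rc=$?
  echo "check returned $rc"
fi
```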

3. Check that the flows exported from each network interface are stored correctly in the NetFlow collector.

  • Log in to the NetFlow collector.
  • Go to the folder dedicated to the storage of nfcapd exports for the network interface.
  • Check the presence of files greater than 276 bytes whose names have the format nfcapd.YYYYMMddhhmm. To do so, run the command below.
    Replace <Export Directory> with the destination folder for NetFlow exports.

ll /home/coadmin/network_analysis/<Export Directory>

Caution:

  • nfcapd files are periodically created by the nfcapd process even if no data is received from NetFlow exporters. In this case, their size is 276 bytes.
  • To ensure that the NetFlow configuration is operational, you must therefore check that file sizes are greater than 276 bytes. This means that they contain data received from NetFlow exporters.

Example:

  • Export folder /network_analysis/netflow/RouterA_172.16.10.2
  • Presence of files greater than 276 bytes, e.g. nfcapd.202209181140

4. Go over the steps for configuring NetFlow in the event of an error.

          See: NetFlow collector configuration errors
 
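Added example, not part of the EasyVista page: a POSIX shell function that applies the 276-byte rule from Step 3 to an export folder, counting the finished nfcapd.YYYYMMddhhmm files with and without data. make_sample_dir builds a constructed folder under a temporary directory so the check runs offline; the function names and return codes are assumptions.

```shell
#!/bin/sh
# Added example, not from the EasyVista page: apply the 276-byte rule to an
# nfcapd export folder. Function names and return codes are assumptions.
EMPTY_NFCAPD_SIZE=276   # size of an nfcapd file written with no records

# Build a constructed export folder under a temporary directory:
#   one empty 5-minute file (276 bytes), one file carrying data (1024 bytes),
#   and an unrelated file that the name check must ignore.
make_sample_dir() {
  d=$(mktemp -d)
  head -c "$EMPTY_NFCAPD_SIZE" /dev/zero > "$d/nfcapd.202209181140"
  head -c 1024 /dev/zero > "$d/nfcapd.202209181145"
  head -c 4096 /dev/zero > "$d/notes.txt"
  printf '%s\n' "$d"
}

# check_nfcapd_dir DIR
# Sets NFCAPD_TOTAL (finished nfcapd.YYYYMMddhhmm files) and NFCAPD_WITH_DATA
# (those larger than 276 bytes). Returns:
#   0  at least one file contains exporter data
#   1  files exist but all are 276 bytes: collector runs, exporters send nothing
#   2  no finished nfcapd files: nfcapd not running, wrong folder or wrong port
check_nfcapd_dir() {
  dir=$1
  NFCAPD_TOTAL=0
  NFCAPD_WITH_DATA=0
  for f in "$dir"/nfcapd.*; do
    [ -f "$f" ] || continue          # an unmatched glob is left literal by sh
    case "${f##*/}" in
      nfcapd.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
      *) continue ;;                 # not a finished timestamped file
    esac
    NFCAPD_TOTAL=$((NFCAPD_TOTAL + 1))
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt "$EMPTY_NFCAPD_SIZE" ]; then
      NFCAPD_WITH_DATA=$((NFCAPD_WITH_DATA + 1))
      echo "data:  ${f##*/} ($size bytes)"
    else
      echo "empty: ${f##*/} ($size bytes)"
    fi
  done
  if [ "$NFCAPD_TOTAL" -eq 0 ]; then
    echo "FAIL: no nfcapd.YYYYMMddhhmm files in $dir (check the nfcapd process, folder and port)"
    return 2
  fi
  if [ "$NFCAPD_WITH_DATA" -eq 0 ]; then
    echo "FAIL: $NFCAPD_TOTAL files, all $EMPTY_NFCAPD_SIZE bytes: exporters send no data (check host config and ACL)"
    return 1
  fi
  echo "OK: $NFCAPD_WITH_DATA of $NFCAPD_TOTAL files contain exporter data"
  return 0
}

# Stand-alone demonstration on the constructed folder.
SAMPLE_DIR=$(make_sample_dir)
check_nfcapd_dir "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

On a real collector, call check_nfcapd_dir with /home/coadmin/network_analysis/<Export Directory> instead of the constructed folder.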

Step 4: Configure the NetworkAnalysis-NetFlow service template

1. Deploy one service for each application, source IP and destination IP to be monitored by NetFlow.

          See: the detailed procedure

Step 5: Set up monitoring for the NetFlow collector

1. You can use the following service templates.

  • LIN-DirectorySize: Used to monitor the size of destination folders.
  • Lin-ProcessName: Used to monitor that nfcapd processes are running correctly.

NetFlow collector configuration errors

If there is a configuration error in the NetFlow collector, you should check the points below. If the problem persists, you should declare an incident on the EasyVista Support site.

Access control list (ACL) for the network interface
Note: The ACL authorizes connection between the collector and the interface listening port.

  • Check that the listening port is enabled in a firewall rule. This was normally defined during setup. To do so, run the command below.

iptables -L

  • In the event of an error, run the commands below to create the rule.
    Replace <Listening Port> with the network interface listening port.

sudo su -
iptables -A INPUT -p udp --dport <Listening Port> -j ACCEPT
/etc/init.d/iptables.sh restart

 

NetFlow export destination folder for a network interface
Note: By default, the installer will create NetFlow export destination folders for a network interface in the folder called /home/coadmin/network_analysis.

  • Run the commands below to check that the folder specified during setup was correctly created.
    Replace <Export Directory> with the destination folder for NetFlow exports.

sudo su -
ll /home/coadmin/network_analysis/<Export Directory>

  • If the folder is missing, run the commands below to create it.
    Replace <Export Directory> with the destination folder for NetFlow exports.

sudo su -
mkdir /home/coadmin/network_analysis/<Export Directory>
chmod -R 777 /home/coadmin/network_analysis/<Export Directory>
chown coadmin:coadmin /home/coadmin/network_analysis/<Export Directory>

NetFlow process

  • Run the command below to check that the NetFlow process is running on the listening port and the destination folder specified during setup.

ps -aux | grep nfcapd

  • If the process is stopped, run the commands below to start it.
    Replace:
    • <Export Directory> with the destination folder for NetFlow exports
    • <Listening Port> with the listening port

sudo su -
nfcapd -w -D -l /home/coadmin/network_analysis/<Export Directory> -p <Listening Port>

 

Initialization file for restarting the NetFlow process when the NetFlow collector is restarted

  • Run the commands below to check that the configuration of the initialization file for restarting the NetFlow process is correct.

sudo su -
ll /etc/rc0.d/

  • If there is an error, you should contact the EasyVista Support team.
     

Cron task for monitoring the NetFlow process
Note: The installer creates a cron task that will run a command to check the NetFlow process every minute. This task will also run a command to restart the process if required.

  • Run the command below to check that the cron task was correctly created.

crontab -l

  • If there is an error, you should contact the EasyVista Support team.
     

Delete task and data retention period
Note: Export data will be deleted based on the data retention period specified during setup.

  • Run the command below to check that the delete task was correctly created.

more /usr/local/nagios/libexec/nfcapd_deleteCache.sh

  • If no result is returned, or if the data retention period does not correspond to the value specified during setup, you should contact the EasyVista Support team.
     

nfcapd files for exporting flows to the collector
Note:

  • nfcapd files are generated by the nfcapd process and constantly written by NetFlow exporters. File sizes must be greater than 276 bytes. This means that they contain data loaded by NetFlow exporters.
  • If file sizes are equal to 276 bytes, this means that they do not contain any data.
     
  • Run the commands below to check that nfcapd files are present on the collector.
    Replace <Export Directory> with the destination folder for NetFlow exports.

sudo su -
ll /home/coadmin/network_analysis/<Export Directory>

  • Run the commands below to check that the files contain data for a network interface.
    Replace:
    • <Interface Name> with the name of the interface
    • <Exporter IP Address> with the IP address of the NetFlow exporter

sudo su -
tcpdump -i <Interface Name> src <Exporter IP Address>

Example: tcpdump -i ens160 src 192.168.238.156

  • If the capture shows no packets from the NetFlow exporter to the collector on the specified port, you should contact the EasyVista Support team.

Cisco network host configuration examples

Configure a Cisco host using the version 9 export format

Router# enable
Router# configure terminal
Router(config)# ip flow-export version 9
Router(config)# ip flow-export destination {ip-address | hostname} udp-port
Router(config)# ip flow-export source f0/1
Router(config)# interface interface-type interface-number
Router(config-if)# ip flow {egress | ingress}
Router(config-if)# exit

Configure Cisco Catalyst 2960-X

Cisco Catalyst 2960-X uses flow sampling without any form of packet capture. There are two types of NetFlow Lite sampling configurations on Cisco Catalyst 2960-X:

  • Deterministic sampling: Deterministic samplers sample packets exactly as specified, i.e. the first flow out of every 100 flows. Deterministic samplers can only be applied on a maximum of four interfaces.
  • Random sampling: Random sampling samples a random flow out of every X flows. The maximum sampling rate for both deterministic and random sampling is one out of 32. It is not limited to four interfaces like deterministic sampling.
     

Example of a configuration with random sampling

! step 1: create a flow record
flow record flows
match datalink mac source address input
match datalink mac destination address input
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect transport tcp flags
collect interface input
collect flow sampler
! below I specified 'long' because the 2960x supports 64 bit counters
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
! step 2: create a flow exporter
flow exporter export-to-inside
description flexible NF v9
destination 10.1.1.1
source Vlan7
transport udp 2055
template data timeout 60
!
! lets export some cool option templates
option interface-table
option exporter-stats
option sampler-table
!
!
! step 3: create a flow monitor
flow monitor nftest
record flows
exporter export-to-inside
cache timeout active 60
statistics packet protocol
!
! Below was used for the deterministic sampling configuration
! that I didn't like because of the 4 interface limitation
! sampler full
! mode deterministic 1 out-of 32
!
! below is the random sampler configuration that I replaced
! the above with.
sampler my-random-sampler
mode random 1 out-of 100
!
!
!
! step 4: apply the flow monitor 'nftest' to each interface with
! the defined sampler 'my-random-sampler'
! input is for ingress. Egress was not supported in this release...
interface GigabitEthernet1/0/1
ip flow monitor nftest sampler my-random-sampler input

Configure Cisco Catalyst 3750-X

The configuration of Cisco Catalyst 3750-X requires you to implement the 3KX network module in order to support NetFlow V9 and Flexible NetFlow.

Example of a flow record for the 3KX network module

match datalink mac source-address
match datalink mac destination-address
match ipv4 tos
match ipv4 ttl
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect interface input snmp
collect interface output snmp
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last

On interfaces:

interface TenGigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip flow monitor NetFlow input
ip flow monitor NetFlow output

interface TenGigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
ip flow monitor NetFlow input
ip flow monitor NetFlow output

Configure Cisco Catalyst 4500

          See: the configuration

Configure Cisco Catalyst 4510

Example of a configuration

! Flow records
flow record RECORD-IN
description IPv4 NetFlow
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match mac destination-address
match mac source-address
match transport source-port
match transport destination-port
match interface input
collect interface output
collect counter bytes long
collect counter packets long
!
!
flow record RECORD-OUT
description IPv4 NetFlow
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output
collect interface input
collect counter bytes long
collect counter packets long
!
!
! Flow exporter: its name must match the "exporter" line of the flow monitors below
flow exporter Scrutinizer
description xxxxx NETFLOW COLLECTOR
destination <Collector IP Address>
source Loopback0
transport udp 2055
!
!
flow monitor MONITOR_IN
description xxxx
exporter Scrutinizer
cache timeout active 60
record RECORD-IN
!
!
flow monitor MONITOR_OUT
description xxxxxxxx
exporter Scrutinizer
cache timeout active 60
record RECORD-OUT
!
!
interface GigabitEthernet3/2
description xxxxx
no switchport
bandwidth 40960
ip flow monitor MONITOR_IN layer2-switched input

Configure Cisco Catalyst 6500/6000

          See: the configuration

Configure Cisco Catalyst 6509

Example of a configuration

ip flow-export source (insert interface name here)
ip flow-export version 9
ip flow-export destination (netflow collector ip address) (port to export flows to)
ip flow ingress layer2-switched vlan (insert vlans X,Y,Z)
ip flow-cache timeout active 1
mls nde sender version 9
mls flow ip interface-full
mls nde interface
mls aging long 64
mls aging normal 64

Interface configuration:

ip route-cache flow
ip flow ingress

Configure Cisco Nexus 1000V Series

          See: the configuration

Configure Cisco Nexus 7000 Series

          See: the configuration

Powered by XWiki © EasyVista 2022