User Tools

Site Tools


training:itu-ipv6:5-netflow

IPv6 Security Lab - Netflow

Exploring Netflow


Netflow identifies anomalous and security-related network activity by tracking network flows. NetFlow data can be viewed and analysed via the command line interface (CLI), or the data can be exported to a commercial or freeware NetFlow collector for aggregation and analysis. NetFlow collectors, through long-term trending, can provide network behaviour and usage analysis. NetFlow functions by performing analysis on specific attributes within IP packets and creating flows. Version 5 is the most commonly used version of NetFlow, however, version 9 is more extensible and is required to support IPv6. NetFlow flows can be created using sampled traffic data in high-volume environments. Cisco Express Forwarding (CEF) is a prerequisite to enabling NetFlow.

NetFlow can be configured on routers and switches.  In older releases of Cisco IOS software, the command to enable NetFlow on an interface was:

ip route-cache flow

In newer releases of Cisco IOS (12.4 onwards), the command has been replaced by:

ip flow {ingress | egress}

The following configuration illustrates the basic configuration of this feature.

ip flow-export destination <ip-address> <udp-port>
ip flow-export version <version>
!
interface fastethernet 0/0 
 ip flow ingress
 ip flow egress
! 

The following is an example of NetFlow output from the  router command line interface. The SrcIf attribute can aid in traceback.

router#show ip cache flow
IP packet size distribution (26662860 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .741 .124 .047 .006 .005 .005 .002 .008 .000 .000 .003 .000 .001 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .001 .007   .039   .000   .000  .000  .000  .000   .000

IP Flow Switching Cache, 4456704 bytes
  55 active, 65481 inactive, 1014683 added
  41000680 ager polls, 0 flow alloc failures
  Active flows timeout in 2 minutes
  Inactive flows timeout in 60 seconds
IP Sub Flow Cache, 336520 bytes
  110 active, 16274 inactive, 2029366 added, 1014683 added to flow
  0 alloc failures, 0 force free
  1 chunk, 15 chunks added
  last clearing of statistics never

Protocol        Total   Flows  Packets  Bytes  Packets Active(Sec) Idle(Sec)
--------        Flows   /Sec    /Flow   /Pkt     /Sec     /Flow     /Flow
TCP-Telnet      11512    0.0      15      42      0.2      33.8      44.8
TCP-FTP          5606    0.0       3      45      0.0      59.5      47.1
TCP-FTPD         1075    0.0      13      52      0.0       1.2      61.1
TCP-WWW         77155    0.0      11     530      1.0      13.9      31.5
TCP-SMTP         8913    0.0       2      43      0.0      74.2      44.4
TCP-X             351    0.0       2      40      0.0       0.0      60.8
TCP-BGP           114    0.0       1      40      0.0       0.0      62.4
TCP-NNTP          120    0.0       1      42      0.0       0.7      61.4
TCP-other      556070    0.6       8     318      6.0       8.2      38.3
UDP-DNS        130909    0.1       2      55      0.3      24.0      53.1
UDP-NTP        116213    0.1       1      75      0.1       5.0      58.6
UDP-TFTP          169    0.0       3      51      0.0      15.3      64.2
UDP-Frag            1    0.0       1    1405      0.0       0.0      86.8
UDP-other       86247    0.1     226      29     24.0      31.4      54.3
ICMP            19989    0.0      37      33      0.9      26.0      53.9
IP-other          193    0.0       1      22      0.0       3.0      78.2
Total:        1014637    1.2      26      99     32.8      13.8      43.9

SrcIf    SrcIPaddress      DstIf    DstIPaddress     Pr    SrcP     DstP   Pkts
Gi0/1    192.168.128.21     Local   192.168.128.20   11    CB2B     07A       3
Gi0/1    192.168.150.60     Gi0/0   10.89.17.146     06    0016     101F     55 
Gi0/0    10.89.17.146       Gi0/1   192.168.150.60   06    101F     0016      9 
Gi0/1    192.168.150.60     Local   192.168.206.20   01    0000     0303     11 
Gi0/0    10.89.17.146       Gi0/1   192.168.150.60   06    07F1     0016      1

 

Netflow for IPv4


To get some practice, we will first turn on Netflow for IPv4. The IPv4 command set uses Cisco’s original Netflow configuration. For IPv6 flow information, we can only use Flexible Netflow, and we will try that out in the next section.

### Activating Netflow for IPv4

Each Group should turn on Netflow on the border router of their AS. To do this, simply go to the border interface and do something similar to this:

interface fastethernet 0/0
 ip flow ingress
 ip flow egress
! 

Once this has been running for a few minutes, commands like “show ip cache flow” will display output similar to that from the introduction above. To create traffic for Netflow to see, try some ICMPs, traceroutes, and even telnet or ssh to other routers in the lab. This will generate traffic, and the info will persist in Netflow’s cache for a few minutes.

### Top talkers in Netflow

Each team should also configure a set of top-talkers, to see what the busiest source and destinations are. Try this configuration:

ip flow-top-talkers
 top 20
 sort-by bytes 

This displays the top 20 talkers, sorting them in descending order of bytes transferred.

Try some of the other CLI options available under the ip flow-top-talkers configurations. There are many match options:

gw(config-flow-top-talkers)# match ?
  byte-range        Match a range of bytes
  class-map         Match a class
  destination       Match destination criteria
  direction         Match direction
  flow-sampler      Match a flow sampler
  input-interface   Match input interface
  nexthop-address   Match next hop
  output-interface  Match output interface
  packet-range      Match a range of packets
  protocol          Match protocol
  source            Match source criteria
  tos               Match TOS 

Try some of these and see what happens to the output.

Netflow for IPv6


Cisco IOS used to support IPv6 with standard Netflow. But this was only briefly the case in IOS 12.3 and 12.4. From 12.4T onwards, IPv6 support in Netflow was replaced by Flexible Netflow for IPv6 (it is also available for IPv4).

### Activating Netflow for IPv6

The configuration syntax for Flexible Netflow is somewhat different and a lot more sophisticated. First off we need to create Flow Monitors for our incoming and outgoing Netflow captures. Here is an example

flow monitor FLOW-MONITOR-V6-IN
 cache timeout active 300
 record netflow ipv6 original-input
!
flow monitor FLOW-MONITOR-V6-OUT
 cache timeout active 300
 record netflow ipv6 original-output
!

And then we apply these flow monitors to the interface we want to monitor:

interface FastEthernet0/0
 ipv6 flow monitor FLOW-MONITOR-V6-IN input
 ipv6 flow monitor FLOW-MONITOR-V6-OUT output
!

### Top talkers in Flexible Netflow

The top talkers in the Flexible Netflow configuration is somewhat different – there is no need to create a specific stanza to set up the top talkers as the router can simply display the top talkers from the command line. Here is an example

show flow monitor FLOW-MONITOR-V6-OUT cache aggregate \
ipv6 source address ipv6 destination address sort counter \
bytes top 20

This is all one command line and displays the top 20 talkers for outbound traffic, sorting them in descending order of bytes transferred. The command above can be modified to look at the inbound traffic also, by using the inbound flow monitor.

Summary


While this exercise has shown how to set up Netflow for both IPv4 and IPv6, it has a more serious aspect. It is possible for a network operator to very simply see what traffic is traversing their network. If it very easy to spot malicious activity, scanning, etc, simply by looking at the flow data and searching for particular signatures (tcp or udp ports, addresses, etc). This makes Netflow a valuable security tool for all network operators, whether they are running an IPv4-only network, or are dual stack IPv4 and IPv6.

Try some of the other CLI options available under the “show flow monitor” command.

 

training/itu-ipv6/5-netflow.txt · Last modified: 2016/05/22 19:10 by 127.0.0.1