User Tools

Site Tools


training:itu-ipv6:5-netflow

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

training:itu-ipv6:5-netflow [2016/05/22 09:10] (current)
Line 1: Line 1:
 +IPv6 Security Lab - Netflow
 +===========================
 +
 +Exploring Netflow
 +-----------------
 +
 +Netflow identifies anomalous and security-related network activity by tracking network flows. NetFlow data can be viewed and analysed via the command line interface (CLI), or the data can be exported to a commercial or freeware NetFlow collector for aggregation and analysis. NetFlow collectors, through long-term trending, can provide network behaviour and usage analysis. NetFlow functions by performing analysis on specific attributes within IP packets and creating flows. Version 5 is the most commonly used version of NetFlow, however, version 9 is more extensible and is required to support IPv6. NetFlow flows can be created using sampled traffic data in high-volume environments. Cisco Express Forwarding (CEF) is a prerequisite to enabling NetFlow.
 +
 +NetFlow can be configured on routers and switches.  In older releases of Cisco IOS software, the command to enable NetFlow on an interface was:
 +
 +
 +  ip route-cache flow
 +
 +
 +In newer releases of Cisco IOS (12.4 onwards), the command has been replaced by:
 +
 +
 +  ip flow {ingress | egress}
 +
 +
 +The following configuration illustrates the basic configuration of this feature.
 +
 +
 +  ip flow-export destination <​ip-address>​ <​udp-port>​
 +  ip flow-export version <​version>​
 +  !
 +  interface fastethernet 0/0 
 +   ip flow ingress
 +   ip flow egress
 +  ! 
 +
 +
 +The following is an example of NetFlow output from the  router command line interface. The SrcIf attribute can aid in traceback.
 +
 +
 +  router#show ip cache flow
 +  IP packet size distribution (26662860 total packets):
 +     1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
 +     .741 .124 .047 .006 .005 .005 .002 .008 .000 .000 .003 .000 .001 .000 .000
 +  ​
 +      512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
 +     .000 .000 .001 .007   .039   .000   .000  .000  .000  .000   .000
 +  ​
 +  IP Flow Switching Cache, 4456704 bytes
 +    55 active, 65481 inactive, 1014683 added
 +    41000680 ager polls, 0 flow alloc failures
 +    Active flows timeout in 2 minutes
 +    Inactive flows timeout in 60 seconds
 +  IP Sub Flow Cache, 336520 bytes
 +    110 active, 16274 inactive, 2029366 added, 1014683 added to flow
 +    0 alloc failures, 0 force free
 +    1 chunk, 15 chunks added
 +    last clearing of statistics never
 +  ​
 +  Protocol        Total   Flows  Packets  Bytes  Packets Active(Sec) Idle(Sec)
 +  --------        Flows   /Sec    /Flow   /​Pkt     /​Sec     /​Flow     /Flow
 +  TCP-Telnet      11512    0.0      15      42      0.2      33.8      44.8
 +  TCP-FTP          5606    0.0       3      45      0.0      59.5      47.1
 +  TCP-FTPD         1075    0.0      13      52      0.0       1.2      61.1
 +  TCP-WWW         77155    0.0      11     530      1.0      13.9      31.5
 +  TCP-SMTP         8913    0.0       2      43      0.0      74.2      44.4
 +  TCP-X             351    0.0       2      40      0.0       0.0      60.8
 +  TCP-BGP           114    0.0       1      40      0.0       0.0      62.4
 +  TCP-NNTP          120    0.0       1      42      0.0       0.7      61.4
 +  TCP-other     ​ 556070    0.6       8     318      6.0       8.2      38.3
 +  UDP-DNS        130909    0.1       2      55      0.3      24.0      53.1
 +  UDP-NTP        116213    0.1       1      75      0.1       5.0      58.6
 +  UDP-TFTP          169    0.0       3      51      0.0      15.3      64.2
 +  UDP-Frag            1    0.0       1    1405      0.0       0.0      86.8
 +  UDP-other       86247    0.1     226      29     24.0      31.4      54.3
 +  ICMP            19989    0.0      37      33      0.9      26.0      53.9
 +  IP-other          193    0.0       1      22      0.0       3.0      78.2
 +  Total: ​       1014637    1.2      26      99     32.8      13.8      43.9
 +  ​
 +  SrcIf    SrcIPaddress      DstIf    DstIPaddress     Pr    SrcP     DstP   Pkts
 +  Gi0/1    192.168.128.21     Local   192.168.128.20   11    CB2B     07A       3
 +  Gi0/1    192.168.150.60     Gi0/0   10.89.17.146     06    0016     101F     55 
 +  Gi0/0    10.89.17.146       Gi0/1   192.168.150.60   06    101F     0016      9 
 +  Gi0/1    192.168.150.60     Local   192.168.206.20   01    0000     0303     11 
 +  Gi0/0    10.89.17.146       Gi0/​1   192.168.150.60   06    07F1     0016      1
 +
 +
 + 
 +
 +Netflow for IPv4
 +----------------
 +
 +To get some practice, we will first turn on Netflow for IPv4. The IPv4 command set uses Cisco’s original Netflow configuration. For IPv6 flow information,​ we can only use Flexible Netflow, and we will try that out in the next section.
 +
 +### Activating Netflow for IPv4
 +
 +Each Group should turn on Netflow on the border router of their AS. To do this, simply go to the border interface and do something similar to this:
 +
 +
 +  interface fastethernet 0/0
 +   ip flow ingress
 +   ip flow egress
 +  ! 
 +
 +
 +Once this has been running for a few minutes, commands like “show ip cache flow” will display output similar to that from the introduction above. To create traffic for Netflow to see, try some ICMPs, traceroutes,​ and even telnet or ssh to other routers in the lab. This will generate traffic, and the info will persist in Netflow’s cache for a few minutes.
 +
 +### Top talkers in Netflow
 +
 +Each team should also configure a set of top-talkers,​ to see what the busiest source and destinations are. Try this configuration:​
 +
 +
 +  ip flow-top-talkers
 +   top 20
 +   ​sort-by bytes 
 +
 +
 +This displays the top 20 talkers, sorting them in descending order of bytes transferred.
 +
 +Try some of the other CLI options available under the ip flow-top-talkers configurations. There are many match options:
 +
 +
 +  gw(config-flow-top-talkers)#​ match ?
 +    byte-range        Match a range of bytes
 +    class-map         Match a class
 +    destination       Match destination criteria
 +    direction         Match direction
 +    flow-sampler      Match a flow sampler
 +    input-interface   Match input interface
 +    nexthop-address   Match next hop
 +    output-interface  Match output interface
 +    packet-range      Match a range of packets
 +    protocol          Match protocol
 +    source            Match source criteria
 +    tos               Match TOS 
 +
 +
 +Try some of these and see what happens to the output.
 +
 +Netflow for IPv6
 +----------------
 +
 +Cisco IOS used to support IPv6 with standard Netflow. But this was only briefly the case in IOS 12.3 and 12.4. From 12.4T onwards, IPv6 support in Netflow was replaced by Flexible Netflow for IPv6 (it is also available for IPv4).
 +
 +### Activating Netflow for IPv6
 +
 +The configuration syntax for Flexible Netflow is somewhat different and a lot more sophisticated. First off we need to create Flow Monitors for our incoming and outgoing Netflow captures. Here is an example
 +
 +
 +  flow monitor FLOW-MONITOR-V6-IN
 +   cache timeout active 300
 +   ​record netflow ipv6 original-input
 +  !
 +  flow monitor FLOW-MONITOR-V6-OUT
 +   cache timeout active 300
 +   ​record netflow ipv6 original-output
 +  !
 +
 +
 +And then we apply these flow monitors to the interface we want to monitor:
 +
 +
 +  interface FastEthernet0/​0
 +   ipv6 flow monitor FLOW-MONITOR-V6-IN input
 +   ipv6 flow monitor FLOW-MONITOR-V6-OUT output
 +  !
 +
 +
 +### Top talkers in Flexible Netflow
 +
 +The top talkers in the Flexible Netflow configuration is somewhat different – there is no need to create a specific stanza to set up the top talkers as the router can simply display the top talkers from the command line. Here is an example
 +
 +  show flow monitor FLOW-MONITOR-V6-OUT cache aggregate \
 +  ipv6 source address ipv6 destination address sort counter \
 +  bytes top 20
 +
 +
 +This is all one command line and displays the top 20 talkers for outbound traffic, sorting them in descending order of bytes transferred. The command above can be modified to look at the inbound traffic also, by using the inbound flow monitor.
 +
 +Summary
 +-------
 +
 +While this exercise has shown how to set up Netflow for both IPv4 and IPv6, it has a more serious aspect. It is possible for a network operator to very simply see what traffic is traversing their network. If it very easy to spot malicious activity, scanning, etc, simply by looking at the flow data and searching for particular signatures (tcp or udp ports, addresses, etc). This makes Netflow a valuable security tool for all network operators, whether they are running an IPv4-only network, or are dual stack IPv4 and IPv6.
 +
 +Try some of the other CLI options available under the “show flow monitor” command.
 +
 + 
  
training/itu-ipv6/5-netflow.txt · Last modified: 2016/05/22 09:10 (external edit)