training:itu-ipv6:5-netflow
no way to compare when less than two revisions
Differences
This shows you the differences between two versions of the page.
— | training:itu-ipv6:5-netflow [2016/05/22 19:10] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | IPv6 Security Lab - Netflow | ||
+ | =========================== | ||
+ | |||
+ | Exploring Netflow | ||
+ | ----------------- | ||
+ | |||
+ | Netflow identifies anomalous and security-related network activity by tracking network flows. NetFlow data can be viewed and analysed via the command line interface (CLI), or the data can be exported to a commercial or freeware NetFlow collector for aggregation and analysis. NetFlow collectors, through long-term trending, can provide network behaviour and usage analysis. NetFlow functions by performing analysis on specific attributes within IP packets and creating flows. Version 5 is the most commonly used version of NetFlow, however, version 9 is more extensible and is required to support IPv6. NetFlow flows can be created using sampled traffic data in high-volume environments. Cisco Express Forwarding (CEF) is a prerequisite to enabling NetFlow. | ||
+ | |||
+ | NetFlow can be configured on routers and switches. In older releases of Cisco IOS software, the command to enable NetFlow on an interface was: | ||
+ | |||
+ | |||
+ | ip route-cache flow | ||
+ | |||
+ | |||
+ | In newer releases of Cisco IOS (12.4 onwards), the command has been replaced by: | ||
+ | |||
+ | |||
+ | ip flow {ingress | egress} | ||
+ | |||
+ | |||
+ | The following configuration illustrates the basic configuration of this feature. | ||
+ | |||
+ | |||
+ | ip flow-export destination < | ||
+ | ip flow-export version < | ||
+ | ! | ||
+ | interface fastethernet 0/0 | ||
+ | ip flow ingress | ||
+ | ip flow egress | ||
+ | ! | ||
+ | |||
+ | |||
+ | The following is an example of NetFlow output from the router command line interface. The SrcIf attribute can aid in traceback. | ||
+ | |||
+ | |||
+ | router#show ip cache flow | ||
+ | IP packet size distribution (26662860 total packets): | ||
+ | 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 | ||
+ | .741 .124 .047 .006 .005 .005 .002 .008 .000 .000 .003 .000 .001 .000 .000 | ||
+ | | ||
+ | 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 | ||
+ | .000 .000 .001 .007 .039 .000 .000 .000 .000 .000 .000 | ||
+ | | ||
+ | IP Flow Switching Cache, 4456704 bytes | ||
+ | 55 active, 65481 inactive, 1014683 added | ||
+ | 41000680 ager polls, 0 flow alloc failures | ||
+ | Active flows timeout in 2 minutes | ||
+ | Inactive flows timeout in 60 seconds | ||
+ | IP Sub Flow Cache, 336520 bytes | ||
+ | 110 active, 16274 inactive, 2029366 added, 1014683 added to flow | ||
+ | 0 alloc failures, 0 force free | ||
+ | 1 chunk, 15 chunks added | ||
+ | last clearing of statistics never | ||
+ | | ||
+ | Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) | ||
+ | -------- Flows /Sec /Flow / | ||
+ | TCP-Telnet 11512 0.0 15 42 0.2 33.8 44.8 | ||
+ | TCP-FTP 5606 0.0 3 45 0.0 59.5 47.1 | ||
+ | TCP-FTPD 1075 0.0 13 52 0.0 1.2 61.1 | ||
+ | TCP-WWW 77155 0.0 11 530 1.0 13.9 31.5 | ||
+ | TCP-SMTP 8913 0.0 2 43 0.0 74.2 44.4 | ||
+ | TCP-X 351 0.0 2 40 0.0 0.0 60.8 | ||
+ | TCP-BGP 114 0.0 1 40 0.0 0.0 62.4 | ||
+ | TCP-NNTP 120 0.0 1 42 0.0 0.7 61.4 | ||
+ | TCP-other | ||
+ | UDP-DNS 130909 0.1 2 55 0.3 24.0 53.1 | ||
+ | UDP-NTP 116213 0.1 1 75 0.1 5.0 58.6 | ||
+ | UDP-TFTP 169 0.0 3 51 0.0 15.3 64.2 | ||
+ | UDP-Frag 1 0.0 1 1405 0.0 0.0 86.8 | ||
+ | UDP-other 86247 0.1 226 29 24.0 31.4 54.3 | ||
+ | ICMP 19989 0.0 37 33 0.9 26.0 53.9 | ||
+ | IP-other 193 0.0 1 22 0.0 3.0 78.2 | ||
+ | Total: | ||
+ | | ||
+ | SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts | ||
+ | Gi0/1 192.168.128.21 Local 192.168.128.20 11 CB2B 07A 3 | ||
+ | Gi0/1 192.168.150.60 Gi0/0 10.89.17.146 06 0016 101F 55 | ||
+ | Gi0/0 10.89.17.146 Gi0/1 192.168.150.60 06 101F 0016 9 | ||
+ | Gi0/1 192.168.150.60 Local 192.168.206.20 01 0000 0303 11 | ||
+ | Gi0/0 10.89.17.146 Gi0/ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | Netflow for IPv4 | ||
+ | ---------------- | ||
+ | |||
+ | To get some practice, we will first turn on Netflow for IPv4. The IPv4 command set uses Cisco’s original Netflow configuration. For IPv6 flow information, | ||
+ | |||
+ | ### Activating Netflow for IPv4 | ||
+ | |||
+ | Each Group should turn on Netflow on the border router of their AS. To do this, simply go to the border interface and do something similar to this: | ||
+ | |||
+ | |||
+ | interface fastethernet 0/0 | ||
+ | ip flow ingress | ||
+ | ip flow egress | ||
+ | ! | ||
+ | |||
+ | |||
+ | Once this has been running for a few minutes, commands like “show ip cache flow” will display output similar to that from the introduction above. To create traffic for Netflow to see, try some ICMPs, traceroutes, | ||
+ | |||
+ | ### Top talkers in Netflow | ||
+ | |||
+ | Each team should also configure a set of top-talkers, | ||
+ | |||
+ | |||
+ | ip flow-top-talkers | ||
+ | top 20 | ||
+ | | ||
+ | |||
+ | |||
+ | This displays the top 20 talkers, sorting them in descending order of bytes transferred. | ||
+ | |||
+ | Try some of the other CLI options available under the ip flow-top-talkers configurations. There are many match options: | ||
+ | |||
+ | |||
+ | gw(config-flow-top-talkers)# | ||
+ | byte-range Match a range of bytes | ||
+ | class-map Match a class | ||
+ | destination Match destination criteria | ||
+ | direction Match direction | ||
+ | flow-sampler Match a flow sampler | ||
+ | input-interface Match input interface | ||
+ | nexthop-address Match next hop | ||
+ | output-interface Match output interface | ||
+ | packet-range Match a range of packets | ||
+ | protocol Match protocol | ||
+ | source Match source criteria | ||
+ | tos Match TOS | ||
+ | |||
+ | |||
+ | Try some of these and see what happens to the output. | ||
+ | |||
+ | Netflow for IPv6 | ||
+ | ---------------- | ||
+ | |||
+ | Cisco IOS used to support IPv6 with standard Netflow. But this was only briefly the case in IOS 12.3 and 12.4. From 12.4T onwards, IPv6 support in Netflow was replaced by Flexible Netflow for IPv6 (it is also available for IPv4). | ||
+ | |||
+ | ### Activating Netflow for IPv6 | ||
+ | |||
+ | The configuration syntax for Flexible Netflow is somewhat different and a lot more sophisticated. First off we need to create Flow Monitors for our incoming and outgoing Netflow captures. Here is an example | ||
+ | |||
+ | |||
+ | flow monitor FLOW-MONITOR-V6-IN | ||
+ | cache timeout active 300 | ||
+ | | ||
+ | ! | ||
+ | flow monitor FLOW-MONITOR-V6-OUT | ||
+ | cache timeout active 300 | ||
+ | | ||
+ | ! | ||
+ | |||
+ | |||
+ | And then we apply these flow monitors to the interface we want to monitor: | ||
+ | |||
+ | |||
+ | interface FastEthernet0/ | ||
+ | ipv6 flow monitor FLOW-MONITOR-V6-IN input | ||
+ | ipv6 flow monitor FLOW-MONITOR-V6-OUT output | ||
+ | ! | ||
+ | |||
+ | |||
+ | ### Top talkers in Flexible Netflow | ||
+ | |||
+ | The top talkers in the Flexible Netflow configuration is somewhat different – there is no need to create a specific stanza to set up the top talkers as the router can simply display the top talkers from the command line. Here is an example | ||
+ | |||
+ | show flow monitor FLOW-MONITOR-V6-OUT cache aggregate \ | ||
+ | ipv6 source address ipv6 destination address sort counter \ | ||
+ | bytes top 20 | ||
+ | |||
+ | |||
+ | This is all one command line and displays the top 20 talkers for outbound traffic, sorting them in descending order of bytes transferred. The command above can be modified to look at the inbound traffic also, by using the inbound flow monitor. | ||
+ | |||
+ | Summary | ||
+ | ------- | ||
+ | |||
+ | While this exercise has shown how to set up Netflow for both IPv4 and IPv6, it has a more serious aspect. It is possible for a network operator to very simply see what traffic is traversing their network. If it very easy to spot malicious activity, scanning, etc, simply by looking at the flow data and searching for particular signatures (tcp or udp ports, addresses, etc). This makes Netflow a valuable security tool for all network operators, whether they are running an IPv4-only network, or are dual stack IPv4 and IPv6. | ||
+ | |||
+ | Try some of the other CLI options available under the “show flow monitor” command. | ||
+ | |||
+ | |||
training/itu-ipv6/5-netflow.txt · Last modified: 2016/05/22 19:10 by 127.0.0.1