Hello,

We have just started using Netflow to help us in detecting anomalous
traffic.

For testing we've configured our core router to export netflow data for
one VLAN, which I've been collecting using nfcapd. Along with the IN,
OUT and layer 2 traffic for this VLAN, for some reason I am also getting
netflow data for traffic moving between other VLANs, and am a bit
confused as to why, as they haven't been configured to export netflow
data. I've attached the configuration which we used on the router and
was wondering if anybody could shed some light on why this is
happening?

Regards,

        Sion

======================================================================
Sion Dafydd                                 Technical Security Analyst
======================================================================
Tel:   029 2041 6222                        Systems and Communications
Email: [EMAIL PROTECTED]               Information Services Division
Web:   www.uwic.ac.uk           University of Wales Institute, Cardiff
======================================================================


!--- This enables NetFlow on the Supervisor.

switch(config)# mls netflow
switch(config)# mls nde sender version 7

!--- This breaks up long-lived flows into (roughly) one-minute segments.

switch(config)# mls aging long 64

!--- This ensures that flows that have finished are exported in a timely manner.

switch(config)# mls aging normal 32

!--- If you have Supervisor Engine 720, you need to execute the below two
!--- commands to put the interface information in the netflow packets.

switch(config)# mls flow ip interface-full 
switch(config)# mls nde interface 

!--- The next two commands will help to enable NetFlow data export for bridged
!--- traffic which is optional. You can specify the list of VLANs here to enable
!--- bridged traffic. 

router(config)# ip flow ingress layer2-switched vlan 101
router(config)# ip flow export layer2-switched vlan 101

!--- Now configure the routing module (MSFC) to enable netflow data export using
!--- the below commands.

!--- This command has to be executed on all the L3/VLAN interfaces.

router(config-if)# ip route-cache flow

!--- The hostname or IP address of the server where the collector is installed

router(config)# ip flow-export destination {ip_address} 9996 

!--- The interface through which NetFlow packets are exported.

router(config)# ip flow-export source 101
router(config)# ip flow-export version 7
router(config)# ip flow-cache timeout active 1
router(config)# ip flow-cache timeout inactive 15
router(config)# snmp-server ifindex persist

!--- Note: Switch ports connected to an etherchannel or a trunk cannot be
!--- configured to export netflow data.
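One way to check which flows in a collected export actually touch the monitored VLAN, and which SNMP ifindex pairs the others arrive on (the same ifindex values that `snmp-server ifindex persist` above keeps stable), as an added example that is not part of the original post. It reads the header-plus-rows layout of `nfdump -o csv`; the column names and the VLAN 101 prefix 10.101.0.0/24 are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample in the header-plus-rows layout of `nfdump -o csv`.
# Column names are an assumption; the reader relies only on the header row.
SAMPLE_CSV = """ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt,in,out
2008-08-01 10:00:00,2008-08-01 10:00:05,5.0,10.101.0.15,192.0.2.10,51234,80,TCP,.AP.SF,0,0,12,4096,101,5
2008-08-01 10:00:01,2008-08-01 10:00:02,1.0,192.0.2.10,10.101.0.15,80,51234,TCP,.AP.SF,0,0,10,9000,5,101
2008-08-01 10:00:03,2008-08-01 10:00:04,1.0,10.101.0.20,10.101.0.21,137,137,UDP,......,0,0,2,200,101,101
2008-08-01 10:00:04,2008-08-01 10:00:06,2.0,10.20.0.7,10.30.0.9,443,52000,TCP,.AP.SF,0,0,40,30000,20,30
2008-08-01 10:00:05,2008-08-01 10:00:06,1.0,10.30.0.9,10.20.0.7,52000,443,TCP,.AP.SF,0,0,20,1500,30,20
"""


def classify_flows(csv_text, vlan_prefix):
    """Split flow records into those with an endpoint inside the monitored
    VLAN prefix and those with none, and tally the off-VLAN records by
    (in, out) SNMP ifindex so the interface feeding the unexpected flows
    into the export can be identified."""
    net = ipaddress.ip_network(vlan_prefix)
    on_vlan, off_vlan = [], []
    by_ifindex = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            src = ipaddress.ip_address(row["sa"])
            dst = ipaddress.ip_address(row["da"])
        except (KeyError, ValueError):
            continue  # skip the summary lines nfdump appends after the records
        if src in net or dst in net:
            on_vlan.append(row)
        else:
            off_vlan.append(row)
            by_ifindex[(row["in"], row["out"])] += 1
    return on_vlan, off_vlan, by_ifindex


if __name__ == "__main__":
    on, off, ifx = classify_flows(SAMPLE_CSV, "10.101.0.0/24")
    print(f"{len(on)} flows touch the monitored VLAN, {len(off)} do not")
    for (ingress, egress), count in ifx.most_common():
        print(f"  off-VLAN flows in={ingress} out={egress}: {count}")
```

Feed it real data with `nfdump -r <file> -o csv` and replace the prefix with the VLAN's actual subnet; the ifindex pairs that show up for off-VLAN flows can then be resolved against the router's interface table.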