Exporting NetFlow on Cisco Routers and Switches

A lot more Network Security Monitoring (NSM) products these days (freeware and open-source applications as well as commercial applications) are capable of receiving NetFlow from routing and switching devices. Configuring the export of these flow records is not the most straightforward task, as the steps differ between device models. This article explains the basics of configuring NetFlow on various Cisco devices:

Perform the steps in this required task to configure NetFlow and NetFlow Data Export:

1) In global configuration
– ip flow-export source |interface|
– ip flow-export version |number|
– ip flow-cache timeout active 1
– ip flow-export destination |ip| |port|

Where:
|interface| – is the interface you want your NetFlow export to originate from
|number| – is the NetFlow version you wish to export (i.e. 5)
|ip| – is the destination IP of your QFlow collector
|port| – is the port you wish to export NetFlow on

2) In the interface configuration mode of each major interface (not sub-interface) you must run the following command:
– ip route-cache flow

Perform the following steps if using Cisco 4000/4500 switches

1) Commands for enabling NetFlow:
– ip flow-export destination |ip| |port|
– ip flow-export version |number|
– ip flow-export source |interface|
– ip flow-cache timeout active 1
– ip route-cache flow infer-fields

Where:
|interface| – is the interface you want your NetFlow export to originate from
|number| – is the NetFlow version you wish to export (i.e. 5)
|ip| – is the destination IP of your QFlow collector
|port| – is the port you wish to export NetFlow on

Note – On these switches you do not enter the ip route-cache flow command on each interface; the global commands above are sufficient. Also, the 4000 and 4500 series switches require a Supervisor IV with a NetFlow Services daughter card (WS-F4531) and IOS version 12.1(19)EW or above to support NetFlow.

Perform the following steps if using Catalyst 6500 Switches

On Catalyst 6500 switches, there are two fundamentally different operating systems or modes that can be used: Native and Hybrid. Regardless of mode, in order to run NetFlow the switch must meet the Supervisor Engine and operating system requirements in the table below.

A Catalyst 6500 in Native mode provides the best NetFlow data because it correlates the switch port information to the VLAN information. For sizing purposes, this means that the customer only needs to count the VLANs on the switch toward the total interface count.

A Catalyst 6500 in Hybrid mode provides NetFlow data but does not correlate the switch port information to the VLAN information. For sizing purposes, this means that the customer must count both the VLANs and the individual switch ports toward the total interface count. Either Native or Hybrid mode will work with NetFlow, but the number of interfaces monitored is drastically increased in Hybrid mode.

1) To configure a SupII (Native) with a 12.1(13)E3 IOS version:
– mls nde sender version |number|
– mls flow ip interface-full
– mls nde interface

2) To configure a SupII (Hybrid) with a 7.6.1 CatOS and 12.1(13)E3 IOS version (on the CatOS side):
– set mls flow full
– set mls nde |ip| |port|
– set mls nde version |number|
– set mls nde enable

Where:
|number| – is the NetFlow version you wish to export (i.e. 5)
|ip| – is the destination IP of your QFlow collector
|port| – is the port you wish to export NetFlow on

Note – The above commands are in addition to the required NetFlow commands ‘ip flow-export’ and ‘ip route-cache flow’. The SupII Hybrid commands are entered on the CatOS side.

Perform the following steps if using Cisco 7600 switches in native mode

1) If running in native mode make sure the following commands are set:
– mls nde sender version |number|
– mls flow ip interface-full
– mls aging long 64
– ip flow-export source |interface|
– ip flow-export version |number|
– ip flow-export destination |ip| |port|
– snmp-server ifindex persist

Where:
|interface| – is the interface you want your NetFlow export to originate from
|number| – is the NetFlow version you wish to export (i.e. 5)
|ip| – is the destination IP of your QFlow collector
|port| – is the port you wish to export NetFlow on

2) For each interface:
– ip route-cache flow

Problems with FlexWAN feature card modules for 6500 and 7600 routers

If you have a Cisco 6500 or 7600 series router running in hybrid mode with FlexWAN feature cards, the interface reporting may not be accurate. You will likely discover that not all interfaces on your Cisco 6500 or 7600 router are reporting data to QRadar, and the interfaces that do show data in Network Surveillance may not appear accurate either.

In conversations with Cisco TAC, NetFlow is being sent correctly from the router; however, the NetFlow datagrams contain inaccurate ifIndex values, which causes problems with data reporting.
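A collector-side check for the ifIndex problem just described, as an added example that is not part of the original post: it decodes a NetFlow version 5 export datagram and flags any record whose input or output ifIndex does not exist in the exporter's SNMP ifTable. The datagram and the ifTable snapshot are constructed inline; the interface names and the bad ifIndex value 4242 are assumptions for illustration.

```python
import socket
import struct
from collections import namedtuple

# NetFlow v5 wire layout, network byte order: 24-byte header, then 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
FlowRecord = namedtuple("FlowRecord",
                        "src dst input_if output_if packets octets src_port dst_port proto")

def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one v5 export datagram; rejects other versions and truncated packets."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count = struct.unpack_from("!HH", datagram)
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header record count exceeds datagram length")
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append(FlowRecord(socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                                  f[3], f[4], f[5], f[6], f[9], f[10], f[13]))
    return records

def unknown_ifindex(records, ifindex_table):
    """Return (record, ifIndex) pairs whose input/output ifIndex is absent from the
    exporter's SNMP ifTable ({ifIndex: ifName}); 0 means 'no interface' and is skipped."""
    return [(r, idx) for r in records for idx in (r.input_if, r.output_if)
            if idx != 0 and idx not in ifindex_table]

def _rec(src, dst, in_if, out_if, pkts, octets, sport, dport, proto):
    """Pack one constructed v5 record for the sample datagram below."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0" * 4, in_if, out_if, pkts, octets, 90000, 95000,
                       sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample export: two records; the second's output ifIndex 4242 matches no interface.
SAMPLE = (struct.pack(HEADER_FMT, 5, 2, 360000, 1158796800, 0, 41, 0, 0, 0)
          + _rec("10.1.1.10", "192.0.2.5", 3, 7, 12, 1800, 51234, 443, 6)
          + _rec("10.1.1.11", "198.51.100.9", 3, 4242, 1, 76, 53, 53, 17))
# Constructed ifTable snapshot, as polled from the exporter over SNMP.
IFINDEX_TABLE = {1: "GigabitEthernet1/1", 3: "GigabitEthernet1/3", 7: "Vlan10"}

if __name__ == "__main__":
    for rec, idx in unknown_ifindex(parse_netflow_v5(SAMPLE), IFINDEX_TABLE):
        print(f"{rec.src}->{rec.dst}: ifIndex {idx} is not in the SNMP ifTable")
```

Running the same check against live exports (with the ifTable polled rather than hard-coded) shows which flows the collector will attribute to a non-existent or wrong interface; `snmp-server ifindex persist` on the exporter keeps the table stable across reloads so the comparison stays valid.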

Ergonomic Keyboard for Pirates

In honour of Talk Like A Pirate Day (yesterday) I found the following article, which is hilarious.

Giving Up PS3 Cycles (And Network Security) for Research…

I noticed an interesting article on Slashdot today which talks about how Sony has partnered with Stanford University’s Folding@Home project to “harness the PS3’s technology to help study how proteins are formed in the human body and how they sometimes form incorrectly.”

This worries me for the following reasons:

  1. The main goal is to use the PS3’s spare CPU cycles to crunch numbers. From the CNN.com story:

    To participate, users will just download a program into the PS3’s hard drive. Then they just need to leave the machine on when they’re not playing. The Folding@home team will divide their complex calculations into manageable chunks and then send it to the participating machines. The program and data will take up 10 to 20 megabytes – or about the size of a handful of MP3 files, [Vijay] Pande said.

    With that being said, how long before I receive a nasty email from my service provider detailing the ‘malicious activity’ seen from my assigned IP range?

  2. This FAQ entry:

    Is it safe?
    From FaHWiki

    The Folding@home client and distributed computing service is no less safe than other programs that you can download from the internet and run on your computer. Because security of the FAH client is very important to the Pande Group, they have designed the FAH to be as secure as feasible through encrypted downloads/uploads, file checksums, etc. FAH should not reduce the security of your computer.

    I don’t know about you but the “no less safe than other programs that you can download from the internet and run on your computer” quote scares the hell out of me. So they know that it’s maybe, sorta, probably safe but no less safe than, say, a Trojan, Rootkit, or Virus. “Sure, I’m sold….let’s install it on everything I own.”

  3. And this FAQ entry:

    FAH & Trojans
    From FaHWiki

    Every DC project has trojans/trojanized clients floating around cyberspace and FAH is not an exception. There are currently around 4..6 known outbreaks of modified clients.

    But not to worry these all will be seen at some point and will be dealt with. Download new clients from the official Stanford page only.

    So let me get this straight…you know that there are Trojanized clients out there…and you don’t care….so we shouldn’t care….and these aren’t the droids we’re looking for? OK, so I’ll just hold my breath and by the time I regain consciousness everything will be all puppy dogs and ice cream.

I think I’m going to have to pass on running this DC client. Maybe I can just ESP them some good Karma or something instead.
