How to use Netflow for Increased Visibility Into Your Network Part 1

by Karl Tatgenhorst on February 18, 2011

Today, I wanted to discuss how to use NetFlow for increased network visibility. We have already looked at how to design a network that allows increased visibility; now we need to leverage those design strengths. NetFlow is a protocol designed by Cisco to collect and export summaries of IP traffic (flow records keyed on source and destination address, ports and protocol, with byte and packet counts) rather than full packet captures. Major ISPs use it for billing and QoS monitoring. More importantly for us, it can be used to search for traffic anomalies and to identify security incidents.

NetFlow is available from a variety of layer 3 devices, but here we are going to talk specifically about exporting NetFlow data from Cisco IOS devices. First we need to set up the device to export flows. There is a great post elsewhere on the tradeoffs of ingress versus egress NetFlow analysis; for this walkthrough we are going to assume that we want both ingress and egress enabled.

Here are the commands to configure a Cisco router for both ingress and egress flows:

Router> enable
Router# configure terminal
! send NetFlow off to the collector – Scrutinizer
! <collector-ip> and <udp-port> are placeholders: use your collector's address
! and the UDP port it listens on (e.g. 2055 or 9995)
Router(config)# ip flow-export destination <collector-ip> <udp-port>
! lets send NetFlow off to a 2nd collector
Router(config)# ip flow-export destination <second-collector-ip> <udp-port>
! You have to set up Flexible NetFlow to export to more than two destinations
! Lets export NetFlow v9, as NetFlow v5 doesn't support egress NetFlow
Router(config)# ip flow-export version 9
! summarize and export long-lived flows every minute (value is in minutes)
Router(config)# ip flow-cache timeout active 1
! export flows that have been idle 15 seconds or more (value is in seconds)
Router(config)# ip flow-cache timeout inactive 15
! export the NetFlow data from the configured loopback interface so the
! source address stays stable regardless of which link is up
Router(config)# ip flow-export source loopback 0
! now enable NetFlow on each interface we want NetFlow from
! configure the first interface
Router(config)# interface Ethernet 0/0
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit
! change to a different interface
Router(config)# interface Ethernet 0/1
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit
! commit the above to memory if you want to keep the configuration
Router(config)# end
Router# copy running-config startup-config

The above assumes that you have enough knowledge of your Cisco device to determine the things that need to be personalized (collector address and port, interfaces, etc.). Before trusting the data, confirm the export is active with show ip flow export and that the cache is filling with show ip cache flow. One caveat: with both ingress and egress enabled on every interface, traffic that transits the router is counted twice (once entering one interface, once leaving the other), so your collector needs to account for direction or you will double count. Now that we have the device exporting flow data, we will look at examples of analysis (we will address setting up a collector in the next post; this was just to give an idea of how to use NetFlow).
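To show what the collector actually receives from the export configured above, here is an added Python example (not from the original post and not code from any collector) that builds and then decodes NetFlow v9 packets. Unlike v5, v9 is template-based: the router periodically sends a template describing the record layout, and the data records that follow can only be decoded against it. The template id (256), the field set, the addresses and the counters in the sample packets are assumptions constructed for illustration. The example makes two practitioner points: data that arrives before its template cannot be decoded (a v9 collector must cache templates and drop or buffer such data), and with ingress and egress enabled everywhere the same traffic is exported twice, distinguishable only by the DIRECTION field.

```python
import socket
import struct

# NetFlow v9 field types used here (RFC 3954 / Cisco's v9 field table).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr", 61: "direction"}
TEMPLATE_FLOWSET_ID = 0
TEMPLATE_ID = 256   # assumed template id for the sample export
SOURCE_ID = 0       # assumed observation domain id
# (field_type, field_length) pairs in the order the data records use them
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (61, 1)]


def v9_header(record_count, sequence):
    """20-byte packet header: version, count, sysUpTime(ms), unix_secs, sequence, source_id."""
    return struct.pack("!HHIIII", 9, record_count, 100000, 1298000000, sequence, SOURCE_ID)


def build_template_packet():
    """Constructed export packet carrying only the template (FlowSet id 0)."""
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    for ftype, flen in TEMPLATE_FIELDS:
        body += struct.pack("!HH", ftype, flen)
    flowset = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(body)) + body
    return v9_header(1, 1) + flowset


def encode_record(src, dst, sport, dport, proto, octets, pkts, direction):
    """One 22-byte data record laid out exactly as TEMPLATE_FIELDS describes."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + \
        struct.pack("!HHBIIB", sport, dport, proto, octets, pkts, direction)


def build_data_packet():
    """Constructed data packet: the same web request seen once on ingress (0)
    and once on egress (1), which is what ingress+egress on all interfaces yields."""
    records = (encode_record("192.0.2.10", "198.51.100.20", 49152, 80, 6, 4200, 12, 0) +
               encode_record("192.0.2.10", "198.51.100.20", 49152, 80, 6, 4200, 12, 1))
    padding = (-(4 + len(records))) % 4        # data FlowSets are padded to 4 bytes
    flowset = struct.pack("!HH", TEMPLATE_ID, 4 + len(records) + padding) + records + b"\x00" * padding
    return v9_header(2, 2) + flowset


def decode_field(ftype, raw):
    if ftype in (8, 12) and len(raw) == 4:     # IPv4 address fields
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Decode one export packet. `templates` is the collector's cache keyed by
    (source_id, template_id); data FlowSets whose template has not arrived are
    skipped, which is why a v9 collector must persist this cache across packets."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet: version {version}")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == TEMPLATE_FLOWSET_ID:
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if nfields == 0:               # trailing padding, not a template
                    break
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                     # data FlowSet; ids 1-255 are reserved
            fields = templates.get((source_id, fs_id))
            if fields is not None:
                rec_len = sum(flen for _, flen in fields)
                p = 0
                while p + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        off += fs_len
    return records


if __name__ == "__main__":
    cache = {}
    print("data before template:", parse_v9(build_data_packet(), cache))   # nothing decodable
    parse_v9(build_template_packet(), cache)
    for rec in parse_v9(build_data_packet(), cache):
        print(rec)
```

Run against the data packet first and nothing comes out; feed the template packet, and the same data packet decodes into two records that differ only in direction. A real collector would key dedup on that field (or on the input/output interface fields, which this template omits) before counting bytes.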
When you first get NetFlow up and running somewhere on your network, use whatever analysis tool you have decided on to start building a profile of what normal behavior on your network looks like. I like open source tools, so I prefer the OSU flow-tools package for collection and analysis, complemented by the Flow Extract package. To build a baseline of what your machines should be doing, stand up basic versions of workstations, web servers, database servers, etc. Build as many as you can and profile each one individually. Watch what happens to the flows as you do things like browse a web page or initiate a database connection from a web server; the more things you do and watch, the better you will be at spotting anomalous traffic. These are just meant as things to think about. I will write up some posts documenting the installation of the collectors, storage and analysis systems using open source tools, or you can jump ahead, do it yourself and start playing.
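To make the baselining idea concrete, here is an added Python example (not from the original post and not part of flow-tools) that profiles flow records and then compares a later window against the profile. The records are constructed samples in the column layout of flow-tools' default flow-print output (that layout, the addresses and the three roles of workstation, web server and database server are assumptions). Because NetFlow records are unidirectional, the reply half of a TCP session shows up as its own flow with the ports swapped; the example folds both halves into one client/server/port triple using the heuristic that the lower port number is the service port, so a server's replies are not misread as the server "contacting" thousands of ephemeral ports.

```python
from collections import defaultdict

# Constructed learning-period records (flow-print style columns, not real data).
# Roles assumed: 192.0.2.10 workstation, 198.51.100.20 web server,
# 198.51.100.30 database server, 192.0.2.53 DNS resolver.
BASELINE = """\
srcIP            dstIP            prot  srcPort  dstPort  octets      packets
192.0.2.10       198.51.100.20    6     49152    80       4200        12
198.51.100.20    192.0.2.10       6     80       49152    61000       50
192.0.2.10       198.51.100.20    6     49153    443      8800        20
192.0.2.10       192.0.2.53       17    49154    53       120         1
198.51.100.20    198.51.100.30    6     51000    3306     30000       40
198.51.100.30    198.51.100.20    6     3306     51000    900000      700
"""

# Constructed later window: one normal web hit and db query, plus an SSH attempt
# from the workstation, an IRC connection from the web server, and the database
# server initiating SMB towards the workstation.
WINDOW = """\
srcIP            dstIP            prot  srcPort  dstPort  octets      packets
192.0.2.10       198.51.100.20    6     49201    443      9100        22
192.0.2.10       198.51.100.20    6     49202    22       1500        14
198.51.100.20    198.51.100.30    6     51010    3306     28000       38
198.51.100.20    203.0.113.5      6     52000    6667     2600        30
198.51.100.30    192.0.2.10       6     50100    445      12000       90
"""


def parse_flow_print(text):
    """Parse whitespace-separated flow-print style lines into dicts; skips the header."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "srcIP":
            continue
        src, dst, prot, sport, dport, octets, pkts = parts[:7]
        records.append({"src": src, "dst": dst, "prot": int(prot), "sport": int(sport),
                        "dport": int(dport), "octets": int(octets), "packets": int(pkts)})
    return records


def normalize(rec):
    """Fold a unidirectional flow into (client, server, proto, service_port).
    Heuristic (assumption): the lower-numbered port is the service port."""
    if rec["dport"] <= rec["sport"]:
        return rec["src"], rec["dst"], rec["prot"], rec["dport"]
    return rec["dst"], rec["src"], rec["prot"], rec["sport"]


def build_profile(records):
    """Per client host, the set of (server, proto, port) it was seen talking to."""
    profile = defaultdict(set)
    for rec in records:
        client, server, prot, port = normalize(rec)
        profile[client].add((server, prot, port))
    return profile


def find_anomalies(profile, records):
    """Flag flows whose client never appeared as a client in the baseline, or
    whose (server, proto, port) is new for that client."""
    findings = []
    for rec in records:
        client, server, prot, port = normalize(rec)
        if client not in profile:
            findings.append(("host never seen as a client in baseline", client, server, prot, port))
        elif (server, prot, port) not in profile[client]:
            findings.append(("new client/server/port combination", client, server, prot, port))
    return findings


if __name__ == "__main__":
    baseline_profile = build_profile(parse_flow_print(BASELINE))
    for reason, client, server, prot, port in find_anomalies(baseline_profile, parse_flow_print(WINDOW)):
        print(f"{reason}: {client} -> {server} proto {prot} port {port}")
```

The three hits this produces are exactly the kind of thing a per-role baseline surfaces: a workstation starting SSH to the web server, the web server reaching out on 6667, and a database server that in the baseline only ever answered queries suddenly initiating connections. The heuristic in normalize is deliberately simple; with real exports you would prefer the TCP flags or the direction/interface fields to decide which end is the server.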

About the author

Karl Tatgenhorst wrote 31 articles on this blog.
