Channel: netflow configuration – Plixer.com

Cyberoam NetFlow Configuration


One of the cool things about my position as a Solution Engineer is that I often work with customers who show me NetFlow configuration options on vendor devices that I didn’t know supported NetFlow as a monitoring protocol.

Today I am going to take a look at the NetFlow option offered on the Sophos Cyberoam network security appliance, and how security forensics using NetFlow adds to the overall enterprise threat defense solution.

Sophos Cyberoam is a unified threat management appliance that provides protection against a variety of threats such as unauthorized access, network attacks, malicious code, blended threats, content-based attacks, spyware and phishing. Administrators also gain secure remote access, redundant WAN connectivity and availability, data leakage protection and advanced networking features.

Cyberoam offers advanced network security features to deliver business continuity, faster uptimes, higher network throughput and rapid network growth, and to meet security and regulatory compliance requirements, through the following capabilities:

  • High Availability with stateful failover
  • Dynamic routing
  • Multiple VLAN zones to create work-profile based groups across distributed locations
  • Virtual host capability, enabling secure hosting of services inside the LAN and DMZ

Because running multiple security processes across multiple locations can be costly and resource-intensive, the centralized, multi-layered approach offered by Sophos Cyberoam is a welcome solution for small businesses as well as the distributed enterprise.

Take advantage of these Security Forensics using NetFlow

NetFlow is a feature that collects records of IP traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion (if any).

In today’s networks, using NetFlow for network security and incident response by monitoring communication behaviors is becoming more prevalent. By collecting flows representing all of the conversations traversing the network, you gain visibility into suspect conversations coming in and out of your network as well as moving laterally inside. When the signatures in the IDS/IPS fail to catch malware, NetFlow and IPFIX can recognize enough odd behaviors to protect against cyber attacks. Collecting flows from all of the firewalls, routers, and switches on your network essentially turns each device into a security probe and provides a great additional security layer to your network intrusion prevention solution.

Let’s take a look at the NetFlow configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant features.

Step 1: Configure NetFlow Collectors

Go to Logs & Reports > Configuration > Netflow and specify Collector Name, IP/Domain and Port, as shown below.

The default port for NetFlow Collector is 2055.

Cyberoam - Configure NetFlow Collector

Click Apply to add collectors.

Step 2: Enable Traffic Logging from Firewall Rule

Go to Firewall > Rule > Rule and click the required Rule. Enable Log Firewall Traffic and click OK.

Cyberoam - Enable Traffic Logging

Currently the Cyberoam NetFlow export is version 5 only, and includes field elements that offer all of the traditional TopN (applications, talkers, and conversations) type of reporting. We have seen many of the next generation firewall vendors export unique vendor flow elements in their flow templates. Hopefully future plans include taking full advantage of the NetFlow/IPFIX protocol to export more of the network intrusion prevention data in their flow exports.
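Because the appliance exports NetFlow v5, its fixed-format records can be parsed without templates. The following Python script is an added example, not code from this post or from Sophos/Cyberoam: it builds a constructed v5 datagram, parses it, produces the TopN talkers, conversations and applications the post mentions, and adds a simple internal fan-out check for the lateral movement the post describes. The sample flows and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress
import struct
from collections import Counter

V5_HEADER = struct.Struct(">HHIIIIBBH")                 # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record
INTERNAL = ipaddress.ip_network("10.0.0.0/8")           # assumed internal address range

# Constructed sample flows: (src, dst, sport, dport, proto, packets, octets)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 51000, 445, 6, 40, 8000),
    ("10.0.0.5", "10.0.0.21", 51001, 445, 6, 40, 8000),
    ("10.0.0.9", "203.0.113.10", 52000, 443, 6, 300, 450000),
    ("10.0.0.20", "10.0.0.5", 445, 51000, 6, 30, 2000),
]


def build_v5_datagram(flows):
    """Construct a NetFlow v5 export datagram from the tuples above (sample data only)."""
    # version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\0\0\0\0",            # next hop
                       1, 2,                   # input / output ifIndex
                       pkts, octets, 0, 0,     # dPkts, dOctets, first, last (sysuptime)
                       sport, dport,
                       0, 0x18, proto, 0,      # pad1, tcp_flags (PSH|ACK), protocol, tos
                       0, 0, 24, 24, 0)        # src_as, dst_as, src_mask, dst_mask, pad2
        for src, dst, sport, dport, proto, pkts, octets in flows)
    return header + body


def parse_v5(datagram):
    """Parse a v5 datagram into dicts; v5 is a fixed layout, so no template is needed."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(ipaddress.IPv4Address(f[0])),
                        "dst": str(ipaddress.IPv4Address(f[1])),
                        "in_if": f[3], "out_if": f[4], "packets": f[5], "octets": f[6],
                        "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13]})
    return records


def top_n(records, n=3):
    """The TopN views v5 data supports: talkers, conversations and applications by bytes."""
    talkers, convs, apps = Counter(), Counter(), Counter()
    for r in records:
        talkers[r["src"]] += r["octets"]
        convs[(r["src"], r["dst"])] += r["octets"]
        apps[(r["proto"], r["dport"])] += r["octets"]
    return {"talkers": talkers.most_common(n),
            "conversations": convs.most_common(n),
            "applications": apps.most_common(n)}


def lateral_fanout(records, internal=INTERNAL, min_peers=2):
    """Internal sources reaching at least min_peers distinct internal hosts on one
    destination port: an east-west fan-out pattern worth reviewing."""
    peers = {}
    for r in records:
        if ipaddress.ip_address(r["src"]) in internal and ipaddress.ip_address(r["dst"]) in internal:
            peers.setdefault((r["src"], r["dport"]), set()).add(r["dst"])
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_peers}


if __name__ == "__main__":
    recs = parse_v5(build_v5_datagram(SAMPLE_FLOWS))
    print(top_n(recs))
    print(lateral_fanout(recs))
```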

Is this the type of network visibility that you would like to take advantage of? Let us show you how you can leverage NetFlow to detect advanced persistent threats and provide a total security solution.

Scott Robertson
Sr. Solutions Engineer

For a free 30 day trial of Scrutinizer, Download Now!



The post Cyberoam NetFlow Configuration appeared first on NetFlowKnights.com.


Cisco ASR 9000 Configuration NetFlow Guide


One of the best parts about working in Tech Support for a company that analyzes NetFlow is that I get the opportunity to work with a wide variety of vendors and models. Today most vendors support at least one form of NetFlow, whether that’s version 5, version 9 or IPFIX. No matter which version, we’re afforded the ability to capture and analyze the traffic on our network in almost real time. Today I wanted to take a look at the founders of the NetFlow protocol, Cisco, and their Cisco ASR 9000 configuration.

Cisco ASR 9k Hardware

Cisco ASR 9k

One important thing to note about the ASR 9k is that it supports sampled NetFlow. There’s a bit of controversy surrounding sampled NetFlow, however. Some people prefer it because it alleviates the possible performance penalty incurred by enabling NetFlow exports. Others would prefer getting a more complete picture of their network traffic. Mainly this will depend on the traffic volume of your network. It is important to note, though, that sampled NetFlow will substantially decrease the CPU utilization needed to account for NetFlow packets. That being said, let’s dig into getting your Cisco ASR 9000 configured!

First things first, we’ll need to telnet into our Cisco ASR 9000. The basic configuration for NetFlow will consist of:

  • A Flow Monitor Map
  • An Exporter Map
  • A Sampler Map

The steps we’ll want to take are:

  1. Create and configure an exporter map
  2. Create and configure a monitor map and a sampler map
  3. Apply the monitor map and sampler map to an interface

Exporter Map

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# flow exporter-map Exporter
// Name your exporter map (Exporter as an example). Names are case-sensitive, so use
// exactly the same name when you reference it from the monitor map later
RP/0/RSP0/CPU0:router(config-fem)# destination nnn.nnn.nnn.nnn
// Configure the destination IP of your analyzer
RP/0/RSP0/CPU0:router(config-fem)# dscp 55
// (Optional) DSCP value to mark the exported packets with
RP/0/RSP0/CPU0:router(config-fem)# source gigabitEthernet 0/0/0/0
// Configure the interface your flows will be sourced from
RP/0/RSP0/CPU0:router(config-fem)# transport udp 2055
// Configure your transport port
RP/0/RSP0/CPU0:router(config-fem)# version v9
// Specify your version of NetFlow; this enters version configuration mode
RP/0/RSP0/CPU0:router(config-fem-ver)# options sampler-table timeout 2000
RP/0/RSP0/CPU0:router(config-fem-ver)# template data timeout 10000
RP/0/RSP0/CPU0:router(config-fem-ver)# commit
// Apply the configuration (end also offers to commit uncommitted changes)
RP/0/RSP0/CPU0:router(config-fem-ver)# end
RP/0/RSP0/CPU0:router# show flow exporter-map Exporter

Sampler Map

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# sampler-map Sampler
// Name your sampler map (Sampler for example)
RP/0/RSP0/CPU0:router(config-sm)# random 1 out-of 1
// Configure your sampling interval (range from 1-65535); 1 out-of 1 samples every packet
RP/0/RSP0/CPU0:router(config-sm)# commit
RP/0/RSP0/CPU0:router(config-sm)# end
RP/0/RSP0/CPU0:router# show sampler-map Sampler

Monitor Map

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# flow monitor-map Monitor
// Name your monitor map (Monitor for example)
RP/0/RSP0/CPU0:router(config-fmm)# record ipv4
// Configure the flow record type for IPv4, IPv6 or MPLS. Use one of the following:
//   record ipv4
//   record ipv4 [peer as]
//   record ipv6
//   record mpls [labels number]
//   record mpls [ipv4-fields] [labels number]
//   record mpls [ipv6-fields] [labels number]
//   record mpls [ipv4-ipv6-fields] [labels number]
RP/0/RSP0/CPU0:router(config-fmm)# cache entries 10000
// (Optional) Configure the number of entries in the flow cache
RP/0/RSP0/CPU0:router(config-fmm)# cache permanent
// (Optional) Disables removal of entries from the flow cache
RP/0/RSP0/CPU0:router(config-fmm)# cache timeout inactive 15
// cache timeout {active timeout_value | inactive timeout_value | update timeout_value}
// default active timeout = 1800 seconds
// default inactive timeout = 15 seconds
// default update timeout = 1800 seconds
RP/0/RSP0/CPU0:router(config-fmm)# exporter Exporter
// Associates an exporter map with a monitor map (the name must match the exporter map created above)
// A single flow monitor can support up to eight exporters
RP/0/RSP0/CPU0:router(config-fmm)# commit
RP/0/RSP0/CPU0:router(config-fmm)# end
RP/0/RSP0/CPU0:router# show flow monitor-map Monitor

Apply Monitor Map and Sampler Map to an interface

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface gigabitEthernet 0/0/0/0
// Enter interface configuration mode
RP/0/RSP0/CPU0:router(config-if)# flow ipv4 monitor Monitor sampler Sampler ingress
// Associates a Monitor Map and a Sampler Map with an interface; the last keyword is
// ingress or egress (repeat the command with egress to account for both directions)
RP/0/RSP0/CPU0:router(config-if)# commit
RP/0/RSP0/CPU0:router(config-if)# end

Congratulations! We’re now fully configured to export version 9 NetFlow to our traffic analyzer. We can now hop over to our preferred collector and analyze all of our network traffic with our favorite NetFlow analysis tool! For more information about your Cisco ASR 9000, visit Cisco’s site and review their documentation here.

Do you have a NetFlow capable device that we haven’t covered? Please let us know and we’ll add a configuration guide!

Jeff Morrison


The post Cisco ASR 9000 Configuration NetFlow Guide appeared first on NetFlowKnights.com.

Viavi Observer GigaStor NetFlow Support


One of the things that I really like about my position as a Technical Support Representative is that I often work with customers who show me NetFlow configurations on vendor devices that I didn’t know support NetFlow as a monitoring protocol. Plixer’s NetFlow collector has seen it all and helping other vendors without a doubt keeps us on our toes. Last week I had the opportunity to work with a customer who wanted to get more visibility out of his Viavi Observer GigaStor deployment.

What is Viavi Observer GigaStor?

Viavi Observer GigaStor

The Viavi Observer Platform is a full-service solution for retrospective network analysis. You can literally hit rewind to go “back in time” and review past network activity. This solution can take you to the exact moment a problem occurred and display the detailed packet-level views before, during, and after an incident.

Being an integral part of the Observer Platform, the GigaStor probe plays a key role in creating IT management solutions for complex transaction-heavy environments. It works well in tandem with Observer Apex™, Observer Analyzer, and Observer SightOps™, as well as third-party solutions.

As a matter of fact, the Viavi Observer platform virtually eliminates all analysis traffic from the network. This results in a 97% reduction in overhead and bandwidth, as well as an increase in scalability. Users also get the ability to add more visibility points without impacting network traffic or the ability to process from a single console.

With that said, the Viavi Observer GigaStor probe is a great solution for troubleshooting, security, and compliance. Among the benefits that the solution offers are:

• Post-event packet storage to more than a petabyte
• High-speed data captures on fully saturated links for complete data collection
• Exclusive Gen2™ packet-capture technology
• Exportation of captures to security devices, compliance tools, and other network analyzers
• Tracking of bandwidth utilization, network Top Talkers, application metrics and even VoIP quality statistics

How do you configure NetFlow?

Using the NetFlow Agent, the Viavi Observer GigaStor probe has the ability to publish any NetFlow flows generated by its network adapter. The probe generates the flows adhering to the Cisco NetFlow v9 standards and sends them to a NetFlow collector for further analysis.

Here’s how you can set up Viavi Observer GigaStor NetFlow configuration:

  1. Select Capture > GigaStor Control Panel. To open the GigaStor Settings dialog, click the Settings button.
  2. Navigate to the NetFlow Agent tab and choose the Enable NetFlow Agent option.
  3. Then click Add and enter the IP address of the system with your NetFlow collector in the Destinations section. Port 9996 is used for NetFlow by default.
  4. Next you can enable the various data outputs and select how frequently you want the template published (the fixed collection interval is 15 seconds). The GigaStor deployment is now configured to publish NetFlow records to your NetFlow collector.
  5. Finally, if you’d like to view the NetFlow records in the GigaStor Control Panel, navigate to File > Load and Analyze Observer Capture Buffer. Then find the buffer file you want and open it. As it opens to the Decode and Analysis tab, select the Decode tab and search the buffer for the records that you might be interested in.

The picture below shows how Observer displays captured NetFlow records and what the NetFlow template format is for that record:

GigaStor NetFlow Datagram

Now that the GigaStor is sending flows, our NetFlow collector, Scrutinizer, will automatically pick up on the data and start reporting on it. You can also design your own report templates with Scrutinizer’s report designer. If you’d like to learn more about Viavi Observer GigaStor NetFlow reporting or need any help setting it up, please give us a call.

Anna McElhany
Technical Support Specialist




The post Viavi Observer GigaStor NetFlow Support appeared first on NetFlowKnights.com.

Gigamon IPFIX Configuration


Today I want to take a look at the Gigamon appliance and their IPFIX configuration. Recently I was asked a rather interesting question. An avid user of Scrutinizer had a very specific element he wanted to collect and monitor. He wanted to trend what SSL version his internal servers are currently running, as well as the most common version his users come across in the wild. Now, immediately my mind goes to decryption or deep packet inspection. I know that with a bit of work we could accomplish this using our FlowPro that already does DPI. But wait, there’s a simpler way? That’s right, among other elements Gigamon is exporting SSL info in their IPFIX exports! That’s very exciting.

Now, I’ve never had any hands-on time configuring or playing with a Gigamon appliance. I will say, there is a bit of a difference in the configuration if you’re mainly used to enabling NetFlow on a Cisco device. Let’s take a look at how to turn NetFlow on and start reporting on some of these awesome exports!

Now, when configuring IPFIX on a Gigamon appliance there are a few extra steps we’ll need to take. First we’ll want to set up a GigaSMART group. Here we’re going to be creating a group to assign parameters to. For example, I created my GigaSMART Group for NetFlow and De-duplication. With de-duplication you can set parameters such as counting the de-dupes versus dropping them, and which header fields are considered when de-duping, for instance whether to include the TCP class, ToS and the TCP sequence. In your GigaSMART Group you can also set your flow sampling rate. Now, I do recommend using 1:1 for the best reliability and most complete picture. Another interesting segment is the ability to do SSL decryption. As awesome as that would be, we’ll have to visit this topic later as we’ll need to have our SSL key installed on the appliance.

GigaSMART Groups

Next we’ll want to create a tunnel port. Now this leads to one of those differences I mentioned. Gigamon does something different with their ports than traditional switch ports. Traditionally a switch port will both receive and transmit. Gigamon has decided to modify this default behavior and has set roles per port. For example, a network port will only receive traffic and a tool port will only transmit data. The tunnel port we’re creating is going to be our tool port, which will transmit our IPFIX data to a NetFlow collector. First we’ll choose the port we want to transmit from, then we can assign an IP address to the tunnel port. This will be our source IP for IPFIX traffic. Next we’ll assign a subnet mask and a default gateway. Now this leads to another interesting fact about the Gigamon setup: the default gateway we’re assigning here needs to be the IP of our NetFlow collector. Having them on the same subnet also makes life a little easier. I set the maximum transmission unit (MTU) to 1500. Then finally we’ll assign this to the GigaSMART Group we just set up.

Gigamon Tunnel Port

Once the tool port is configured, you’ll also need to span some traffic to the appliance from a nearby switch. For this port we’ll want to configure it as a network port as it will only listen for traffic.

Now that we have our two ports set up, one to listen and one to transmit, we’ll need to set up our GigaSMART Operations. The GSOP gives us the ability to do some more very cool things like tunnel encapsulation and decapsulation. For this blog, though, we’re just going to assign NetFlow and De-duplication for our GSOP.

GigaSMART Operations

Excellent, so now we have our GigaSMART Group, our ports are configured and we’ve defined our GSOP. Now we can start to define our NetFlow record, exporter and monitor!

Under NetFlow/IPFIX Generation we’ll want to start with our record. This should be something most of us are familiar with: we’ll want to set our match and collect statements here. We can have up to 5 records tied to each monitor, so this gives us a little flexibility. However, in order to use multiple records with the same monitor they’ll need to contain the same key fields. Now in my testing, I have everything I need in IPFIX exports coming from 1 record. In this record I’m receiving my traditional NetFlow fields (i.e. my source/destination IPs and source/destination transport ports), but I’m also exporting all of the SSL information, including the issuer’s common name, SSL version, key size and full URL strings. There are a lot of options available for us.

Gigamon Flow Record

Once I have my record defined, we’ll want to go ahead and configure our exporter. The exporter is pretty straightforward: we’ll want to give it an alias, specify the version of flow exports (in this case IPFIX), specify the template refresh interval (I have mine set to 60), assign the tunnel port configured earlier and finally set the transport configuration. The transport configuration is where we’ll want to specify the destination IP, the destination port, transport protocol, etc. Now in my example I’m using port 2002 as I’m sending the flow data to a UDP replicator before our NetFlow collector. If you’re sending straight to a collector you’ll want to use one of the pre-defined listening ports such as 2055, 2056, 9995, 9996, etc.

Gigamon Flow Exporter

Finally, we’ll want to configure our monitor. This is where we’ll specify our timeout rates and tie in our record. I recommend setting the active timeout to 60 as we’ll want to be receiving 1-minute updates even if the conversation is still alive. Here I have my inactive timeout set to 15, and again our sampling rate I have specified as 0 since I don’t want to perform any sampling. Lastly assign your flow record, we can use up to 5 records per monitor, but in this example I’ll just be using one.

Gigamon Flow Monitor

Ok, just a few more steps before we can start analyzing all this new traffic! Next we’re going to create a map, which will tie our network interface and our tunnel interface together. Of course we’ll want to give our map an alias and a nice description of where traffic is coming in and which interface it’s leaving, as it’s good practice. Next we’ll want to specify our source port; this will be our network port where we’re receiving traffic. Then our destination port, which is the tool port we’re going to be exporting across. Then we’ll tie our GSOP to the map. Finally we’ll want to create a map rule. I defined my map rule by MAC address, and specified any MAC as the source and any MAC as the destination to allow the traffic through.

Gigamon Flow Map

The final step is going to be associating our monitor with our GigaSMART Group. If we get into editing our GigaSMART Group, about a third of the way down is the NetFlow parameter; this is where we’ll associate the monitor we just created.

Monitor Applied to GigaSMART Group

Now that our configuration is complete we can verify our settings via the CLI. We’ll want to SSH in using the admin user, and the following commands will confirm our configuration:

sh tunneled-port stats all
- Here we can verify our tunnel port is configured correctly and ARP is resolving

Tunnel Port Stats

Note that since this is a tunnel port, we’re only using it to transmit data, therefore any traffic sent to this port is dropped.

sh apps netflow exporter stats all
- Verify that new records are being added and packets are being sent to our collector

NetFlow Exporter Stats

sh apps netflow monitor stats all
- Verify flows are being added and that our sampling rate is 1:1

Flow Monitor Stats

sh port params
- Verify our port roles are set correctly

Port Parameters

sh port in-use
- Verify our configured ports are up

Ports in use

Congratulations! Now you have some awesome IPFIX data coming from your Gigamon appliance! Last, but not least, we’ll want to use our favorite NetFlow Collector to analyze this traffic.

For more information on Gigamon’s IPFIX exports take a look at their documentation here.

For more information about configuring NetFlow and sFlow, feel free to browse our many blogs here.

Jeff Morrison


The post Gigamon IPFIX Configuration appeared first on NetFlowKnights.com.

Juniper MX NetFlow Configuration


Juniper MX5 NetFlow Configuration

Recently while looking at my router’s NetFlow reporting, I came across an issue regarding the Juniper MX5 router’s NetFlow configuration. I had a customer recently with two Juniper MX5 routers, both running the same configuration, but one had newer firmware, Junos version 14.2R2.8. We found that both devices were actively exporting flows to the analyzer, but only one device was able to pull reports. When we tried running a report in our IPFIX and NetFlow Analyzer we were prompted with the ‘Select Template’ message, even though we had already received option templates and they were readily available. Juniper’s site offers additional details about configuring NetFlow on your Juniper router.

Juniper JFlow

Investigating Further:

When troubleshooting flow data, I start by taking a packet capture in order to provide additional contextual details as to what might be going on. Using a tool like Wireshark, I can collect each packet, allowing me to perform Deep Packet Inspection (DPI). DPI not only gives me access to the elements being exported to my IPFIX and NetFlow Analyzer, but also shows me the non-key fields not being exported as flow data. After taking a packet capture and investigating the situation, I found that both devices were exporting flows as well as option templates. The router with newer firmware, however, was exporting an additional element: flow direction. Normally, exporting direction details won’t cause an issue, but the packet capture showed the field as being exported as ‘Direction: Unknown (255)’. As you can see in the image below, we are exporting the expected fields such as source/destination IP, protocol, inbound interface, source port, destination port and octetDeltaCount. You’ll also see another element, ‘Direction’. This element is not exported by the other on-site MX5 running the older firmware.

Juniper NetFlow Analysis

Now that I knew where the issue lay, I was able to go back into our IPFIX and NetFlow Analyzer and look at a Flow View report to verify that the flow direction element was the true problem. Right away I confirmed what we saw in the packet capture. In the image below you’ll see the flowDirection element reporting as NIT, or Not In Template:

JFlow NetFlow Configuration

The Workaround:

To report on the flows being received from this device we have to ignore this field. This is a temporary fix, however, and the better long-term solution would be to convert this field into the default value.

According to RFC 5102, the values defined for the flowDirection element are 0x00 (ingress flow) and 0x01 (egress flow). If a value other than 0x00 or 0x01 is exported, we replace it with the ingress value of 0x00. Applying this change makes the flow reports available in our IPFIX and NetFlow Analyzer again. Once this workaround has been applied, you can verify the change has been committed by running a ‘Flow View’ report, which will give us an output like this:

JFlow NetFlow Configuration

You’ll notice the element ‘flowDirection’ is now converted to ingress, allowing us to report on this device’s exports accurately.
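The collector-side workaround described above, as an added example that is not the analyzer’s code or Juniper’s: a small Python IPFIX parser that learns the template set, decodes the data set (skipping the enterprise number of any vendor-specific element, as exported for instance by the Gigamon appliance discussed earlier), and replaces any flowDirection value outside 0x00/0x01 with ingress while keeping the original value for reference. The message bytes are constructed, and the element ids are the IANA numbers from RFC 5102.

```python
import ipaddress
import struct

IPFIX_HEADER = struct.Struct(">HHIII")   # version, length, export time, sequence, observation domain
SET_HEADER = struct.Struct(">HH")        # set id, set length
TEMPLATE_SET_ID = 2

# IANA information element ids (RFC 5102) used by the constructed template below
IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address",
            7: "sourceTransportPort", 11: "destinationTransportPort",
            4: "protocolIdentifier", 10: "ingressInterface",
            1: "octetDeltaCount", 61: "flowDirection"}
IPV4_ELEMENTS = {8, 12}
INGRESS, EGRESS = 0x00, 0x01
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 4), (1, 8), (61, 1)]

# Constructed sample: the first record carries the bogus direction 255 seen in the post
SAMPLE_RECORDS = [
    ((10, 1, 1, 5), (192, 0, 2, 10), 51000, 443, 6, 3, 12345, 255),
    ((192, 0, 2, 10), (10, 1, 1, 5), 443, 51000, 6, 4, 98765, EGRESS),
]


def build_message(records, template_id=256):
    """Build a constructed IPFIX message: one template set followed by one data set."""
    tmpl = struct.pack(">HH", template_id, len(TEMPLATE))
    tmpl += b"".join(struct.pack(">HH", ie, ln) for ie, ln in TEMPLATE)
    tmpl_set = SET_HEADER.pack(TEMPLATE_SET_ID, SET_HEADER.size + len(tmpl)) + tmpl
    data = b"".join(bytes(src) + bytes(dst) + struct.pack(">HHBIQB", sport, dport, proto, ifidx, octets, direction)
                    for src, dst, sport, dport, proto, ifidx, octets, direction in records)
    data_set = SET_HEADER.pack(template_id, SET_HEADER.size + len(data)) + data
    body = tmpl_set + data_set
    return IPFIX_HEADER.pack(10, IPFIX_HEADER.size + len(body), 0, 0, 1) + body


def parse_message(msg, templates=None):
    """Return the data records in an IPFIX message, learning templates as they appear."""
    templates = {} if templates is None else templates
    version, length, _, _, _ = IPFIX_HEADER.unpack_from(msg, 0)
    if version != 10 or length > len(msg):
        raise ValueError("not a complete IPFIX message")
    records, off = [], IPFIX_HEADER.size
    while off + SET_HEADER.size <= length:
        set_id, set_len = SET_HEADER.unpack_from(msg, off)
        if set_len < SET_HEADER.size or off + set_len > length:
            raise ValueError("bad set length")
        end, pos = off + set_len, off + SET_HEADER.size
        if set_id == TEMPLATE_SET_ID:
            while pos + 4 <= end:
                tid, count = struct.unpack_from(">HH", msg, pos)
                pos += 4
                fields = []
                for _ in range(count):
                    ie, ln = struct.unpack_from(">HH", msg, pos)
                    pos += 4
                    if ie & 0x8000:          # enterprise-specific element: enterprise number follows
                        pos += 4
                    fields.append((ie, ln))
                templates[tid] = fields
        elif set_id >= 256:
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError(f"data set {set_id} received before its template")
            rec_len = sum(ln for _, ln in fields)
            if rec_len == 0:
                raise ValueError("empty template")
            while pos + rec_len <= end:
                rec = {}
                for ie, ln in fields:
                    raw = msg[pos:pos + ln]
                    pos += ln
                    if ie in IPV4_ELEMENTS:
                        rec[IE_NAMES[ie]] = str(ipaddress.IPv4Address(raw))
                    else:
                        rec[IE_NAMES.get(ie, f"ie{ie}")] = int.from_bytes(raw, "big")
                records.append(rec)
        off = end
    return records


def normalize_direction(rec):
    """Workaround from the post: map any flowDirection outside {0x00, 0x01} to ingress."""
    direction = rec.get("flowDirection")
    if direction is not None and direction not in (INGRESS, EGRESS):
        rec["flowDirectionOriginal"] = direction
        rec["flowDirection"] = INGRESS
    return rec


def collect(msg):
    """Parse a message and apply the flowDirection workaround to every record."""
    return [normalize_direction(r) for r in parse_message(msg)]


if __name__ == "__main__":
    for r in collect(build_message(SAMPLE_RECORDS)):
        print(r)
```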

If you have any questions regarding your Juniper Device configuration, don’t hesitate to reach out to us in Tech Support.

The post Juniper MX NetFlow Configuration appeared first on Plixer.com.

Cyberoam NetFlow Configuration

$
0
0

One of the cool things about my position as a Solution Engineer, is that I often work with customers who show me NetFlow configuration options on vendor devices that I didn’t know support NetFlow as a monitoring protocol.

Today I am going to take a look at the NetFlow option offered on the Sophos Cyberoam network security appliance, and how security forensics using NetFlow adds to the overall enterprise threat defense solution.

Sophos Cyberoam is a unified threat management appliance that provides protection against a variety of threats such as unauthorized access, network attacks, malicious code, blended threats, content-based attacks, spyware and phishing. Administrators also gain secure remote access, redundant WAN connectivity and availability, data leakage protection and advanced networking features.

Cyberoam offers advanced network security features to deliver business continuity, faster uptimes, higher network throughput, rapid network growth, meeting the security and regulatory compliance requirements through the following capabilities:

  • High Availability with stateful failover
  • Dynamic routing
  • Multiple VLAN zones to create work-profile based groups across distributed locations
  • Virtual host capability, enabling secure hosting of services inside the LAN and DMZ

Because running multiple security processes across multiple locations can be costly and resource-intensive, the centralized, multi-layered approach offered by Sophos Cyberoam is a welcome solution for small businesses as well as the distributed enterprise.

Take advantage of these Security Forensics using NetFlow

NetFlow is a feature that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion (if any).

In today’s networks, using NetFlow for network security and incident response by monitoring communication behaviors is becoming more prevalent. By collecting flows representing all of the conversations traversing the network, you gain visibility into suspect conversations coming in and out of your network as well as moving laterally inside. When the signatures in the IDS/IPS fail to catch malware, NetFlow and IPFIX can recognize enough odd behaviors to protect against cyber attacks. Collecting flows from all of the firewalls, routers, and switches on your network essentially turns each device into a security probe and provides a great additional security layer to your network intrusion prevention solution.

Let’s take a look at the NetFlow configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant features.

Step 1: Configure NetFlow Collectors

Go to Logs & Reports > Configuration > Netflow and specify Collector Name, IP/Domain and Port, as shown below.

The default port for NetFlow Collector is 2055.

Cyberoam - Configure NetFlow Collector

Click Apply to add collectors.

Step 2: Enable Traffic Logging from Firewall Rule

Go to Firewall > Rule > Rule and click the required Rule. Enable Log Firewall Traffic and click OK.

Cyberoam - Enable Traffic Logging

Currently the Cyberoam NetFlow export is version 5 only, and includes field elements that offer all of the traditional TopN (applications, talkers, and conversations) type of reporting. We have seen many of the next generation firewall vendors export unique vendor flow elements in their flow templates. Hopefully future plans include taking full advantage of the NetFlow/IPFIX protocol to export more of the network intrusion prevention data in their flow exports.

Is this the type of network visibility that you would like to take advantage of? Let us show you how you can leverage NetFlow to detect advanced persistent threats and provide a total security solution.

The post Cyberoam NetFlow Configuration appeared first on Plixer.com.

Cisco ASR 9000 Configuration NetFlow Guide

$
0
0

One of the best parts about working in Tech Support for a company that analyzes NetFlow, is that I get the opportunity to work with a wide variety of vendors and models. Today most vendors are supporting at least one form of NetFlow. Whether that’s version 5, version 9 or IPFIX. No matter what version of NetFlow, we’re awarded the ability to capture and analyze the traffic on our network in almost real-time. Today I wanted to take a look at the founders of the NetFlow protocol, Cisco, and their Cisco ASR 9000 configuration.

 

Cisco ASR 9k Hardware
Cisco ASR 9k

One important thing to note about the ASR9k, is it supports sampled NetFlow. There’s a bit of controversy surrounding sampled NetFlow however. Some people prefer it because it alleviates the possible performance penalty incurred by enabling NetFlow exports. Others would prefer getting a more complete picture of their network traffic. Mainly this will depend on the traffic volume of your network. It is important to note though, that sample NetFlow will substantially decrease the CPU utilization needed to account for NetFlow packets. That being said, let’s dig into getting your Cisco ASR 9000 configured!

First things first, we’ll need to telnet into our Cisco ASR 9000. The basic configuration for NetFlow will consist of:

A Flow Monitor Map

An Exporter Map

A Sampler Map

 

The steps we’ll want to take are:

  1. Create and configure an exporter map
  2. Create and configure a monitor map and a sampler map
  3. Apply the monitor map and sampler map to an interface

 

Exporter Map

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:router(config)# flow exporter-map Exporter

// Name your exporter map (Exporter as an example); the name is case-sensitive and must match the exporter referenced later in the monitor map

RP/0/RSP0/CPU0:router(config-fem)# destination nnn.nnn.nnn.nnn

// Configure the destination IP of your analyzer

RP/0/RSP0/CPU0:router(config-fem)# dscp 55

// (Optional) DSCP value used to mark the export packets

RP/0/RSP0/CPU0:router(config-fem)# source gigabitEthernet 0/0/0/0

// Configure the interface your flows will be sourced from

RP/0/RSP0/CPU0:router(config-fem)# transport udp 2055

// Configure your transport port

RP/0/RSP0/CPU0:router(config-fem)# version v9

// Specify your version of NetFlow; this drops you into version configuration mode

RP/0/RSP0/CPU0:router(config-fem-ver)# options sampler-table timeout 2000

// How often (in seconds) the sampler option table is re-sent

RP/0/RSP0/CPU0:router(config-fem-ver)# template data timeout 10000

// How often (in seconds) the data templates are re-sent; a collector cannot decode records until it has received the template

RP/0/RSP0/CPU0:router(config-fem-ver)# end

or

RP/0/RSP0/CPU0:router(config-fem-ver)# commit

RP/0/RSP0/CPU0:router(config-fem-ver)# exit

RP/0/RSP0/CPU0:router(config-fem)# exit

RP/0/RSP0/CPU0:router(config)# exit

RP/0/RSP0/CPU0:router# show flow exporter-map Exporter


Sampler Map

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:router(config)# sampler-map Sampler

// Name your sampler map (Sampler for example)

RP/0/RSP0/CPU0:router(config-sm)# random 1 out-of 1

// Configure your sampling interval as random 1 out-of N, where N ranges from 1-65535; 1 out-of 1 accounts for every packet, i.e. no sampling

RP/0/RSP0/CPU0:router(config-sm)# end

or

RP/0/RSP0/CPU0:router(config-sm)# commit

RP/0/RSP0/CPU0:router(config-sm)# exit

RP/0/RSP0/CPU0:router(config)# exit

RP/0/RSP0/CPU0:router# show sampler-map Sampler


Monitor Map

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:router(config)# flow monitor-map Monitor

// Name your monitor map (Monitor for example)

RP/0/RSP0/CPU0:router(config-fmm)# record ipv4

// Configure the flow record type for IPv4, IPv6 or MPLS
// Use one of the following:
// record ipv4
// record ipv4 [peer-as]
// record ipv6
// record mpls [labels number]
// record mpls [ipv4-fields] [labels number]
// record mpls [ipv6-fields] [labels number]
// record mpls [ipv4-ipv6-fields] [labels number]

RP/0/RSP0/CPU0:router(config-fmm)# cache entries 10000

// (Optional) Configure the number of entries in the flow cache

RP/0/RSP0/CPU0:router(config-fmm)# cache permanent

// (Optional) Disables removal of entries from the flow cache

RP/0/RSP0/CPU0:router(config-fmm)# cache timeout inactive 15

// cache timeout {active timeout_value | inactive timeout_value | update timeout_value}
// default active timeout = 1800 seconds
// default inactive timeout = 15 seconds
// default update timeout = 1800 seconds

RP/0/RSP0/CPU0:router(config-fmm)# exporter Exporter

// Associates an exporter map with a monitor map; the name must match the exporter map created above
// A single flow monitor can support up to eight exporters

RP/0/RSP0/CPU0:router(config-fmm)# end

or

RP/0/RSP0/CPU0:router(config-fmm)# commit

RP/0/RSP0/CPU0:router(config-fmm)# exit

RP/0/RSP0/CPU0:router(config)# exit

RP/0/RSP0/CPU0:router# show flow monitor-map Monitor


Apply Monitor Map and Sampler Map to an interface

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:router(config)# interface gigabitEthernet 0/0/0/0

// Enter interface configuration mode

RP/0/RSP0/CPU0:router(config-if)# flow ipv4 monitor Monitor sampler Sampler ingress

// Associates a Monitor Map and a Sampler Map with an interface
// Use either ingress or egress as the last keyword (enter the command once per direction to monitor both); the flow ipv4 keyword matches the record ipv4 type chosen in the monitor map

RP/0/RSP0/CPU0:router(config-if)# end

or

RP/0/RSP0/CPU0:router(config-if)# commit


Congratulations! We’re now fully configured to export version 9 NetFlow to our traffic analyzer. We can now hop over to our preferred collector and analyze all of our network traffic with our favorite NetFlow analysis tool! For more information about your Cisco ASR 9000, visit Cisco’s site and review their documentation here.

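The exporter map above sets a template data timeout because a NetFlow v9 collector cannot decode a data flowset until it has received the matching template; the parser below shows what that means on the receiving side. This is an added example written for this page in Python, not code from the original post or from Cisco. It implements the RFC 3954 packet layout (20-byte header, template flowset, data flowset), caches templates per exporter, and builds its own sample export packets, which are constructed rather than captured from a router.

```python
import struct

# NetFlow v9 field type numbers from RFC 3954; only the ones used in the example are named here.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
    8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
}


def _decode_field(ftype, raw):
    """Dotted quad for the IPv4 address fields, big-endian integer for everything else."""
    if ftype in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


class V9Collector:
    """Minimal NetFlow v9 receiver: caches templates per (source_id, template_id) and decodes data records."""

    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(field_type, field_length), ...]
        self.dropped = 0      # data flowsets that arrived before their template

    def feed(self, packet):
        """Parse one export packet and return the list of decoded flow records it contained."""
        version, _count, _uptime, _unix_secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, offset = [], 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
            if fs_len < 4:
                raise ValueError("malformed flowset length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:                       # template flowset
                self._parse_templates(source_id, body)
            elif fs_id >= 256:                   # data flowset; the id is the template id
                records.extend(self._parse_data(source_id, fs_id, body))
            # flowset id 1 (options templates) and 2-255 (reserved) are skipped in this example
            offset += fs_len
        return records

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                pos += 4
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            self.dropped += 1                    # nothing to decode with yet
            return []
        record_len = sum(flen for _, flen in fields)
        out, pos = [], 0
        while pos + record_len <= len(body):     # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[pos:pos + flen])
                pos += flen
            out.append(rec)
        return out


# Constructed sample export standing in for what the router would send: src, dst, sport, dport, proto, bytes, pkts.
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
ROWS = [
    (bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), 51234, 443, 6, 1500, 10),
    (bytes([10, 0, 0, 7]), bytes([192, 0, 2, 20]), 40000, 53, 17, 120, 1),
]


def build_template_packet(source_id, template_id, fields, seq=1):
    body = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    header = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, seq, source_id)
    return header + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(source_id, template_id, fields, rows, seq=2):
    body = b"".join(v if isinstance(v, bytes) else v.to_bytes(l, "big")
                    for row in rows for (_, l), v in zip(fields, row))
    pad = (-len(body)) % 4                       # flowsets are padded to a 32-bit boundary
    header = struct.pack("!HHIIII", 9, len(rows), 2000, 1700000001, seq, source_id)
    return header + struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad


def demo():
    """Data before its template is dropped; once the template is cached the same bytes decode."""
    c = V9Collector()
    early = c.feed(build_data_packet(1, 256, FIELDS, ROWS))
    c.feed(build_template_packet(1, 256, FIELDS))
    late = c.feed(build_data_packet(1, 256, FIELDS, ROWS))
    return early, late, c.dropped


if __name__ == "__main__":
    early, late, dropped = demo()
    print(f"before template: {len(early)} records ({dropped} flowset dropped); after: {late}")
```

Templates are cached per (source id, template id), so two exporters that both use template 256 do not collide. The window in which a collector drops data is bounded by the template timeout configured on the exporter map: after a collector restart nothing decodes until the next template refresh arrives, which is the practical reason not to set that timeout too high.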

Do you have a NetFlow capable device that we haven’t covered? Please let us know and we’ll add a configuration guide!

The post Cisco ASR 9000 Configuration NetFlow Guide appeared first on Plixer.com.

Viavi Observer GigaStor NetFlow Support


One of the things that I really like about my position as a Technical Support Representative is that I often work with customers who show me NetFlow configurations on vendor devices that I didn’t know supported NetFlow as a monitoring protocol. Plixer’s NetFlow collector has seen it all, and supporting other vendors’ devices without a doubt keeps us on our toes. Last week I had the opportunity to work with a customer who wanted to get more visibility out of his Viavi Observer GigaStor deployment.

What is Viavi Observer GigaStor?

Viavi Observer GigaStor

The Viavi Observer Platform is a full-service solution for retrospective network analysis. You can literally hit rewind to go “back in time” and review past network activity. This solution can take you to the exact moment a problem occurred and display the detailed packet-level views before, during, and after an incident.

Being an integral part of the Observer Platform, the GigaStor probe plays a key role in creating IT management solutions for complex transaction-heavy environments. It works well in tandem with Observer Apex™, Observer Analyzer, and Observer SightOps™, as well as third-party solutions.

As a matter of fact, the Viavi Observer platform virtually eliminates all analysis traffic from the network. This results in a 97% reduction in overhead and bandwidth, as well as an increase in scalability. Users also get the ability to add more visibility points without impacting network traffic or the ability to process from a single console.

With that said, the Viavi Observer GigaStor probe is a great solution for troubleshooting, security, and compliance. Among the benefits that the solution offers are:

• Post-event packet storage to more than a petabyte
• High-speed data captures on fully saturated links for complete data collection
• Exclusive Gen2™ packet-capture technology
• Exportation of captures to security devices, compliance tools, and other network analyzers
• Tracking of bandwidth utilization, network Top Talkers, application metrics and even VoIP quality statistics

How do you configure NetFlow?

Using the NetFlow Agent, the Viavi Observer GigaStor probe can publish NetFlow records for the traffic seen by its network adapter. The probe generates the flows in the Cisco NetFlow v9 format and sends them to a NetFlow collector for further analysis.

Here’s how you can set up Viavi Observer GigaStor NetFlow configuration:

  1. Select Capture > GigaStor Control Panel. To open the GigaStor Settings dialog, click the Settings button.
  2. Navigate to the NetFlow Agent tab and choose the Enable NetFlow Agent option.
  3. Then click Add and enter the IP address of the system with your NetFlow collector in the Destinations section. Port 9996 is used for NetFlow by default.
  4. Next you can enable the various data outputs and select how frequently you want the template published (the fixed collection interval is 15 seconds). The GigaStor deployment is now configured to publish NetFlow records to your NetFlow collector.
  5. Finally, if you’d like to view the NetFlow records in the GigaStor Control Panel, navigate to File > Load and Analyze Observer Capture Buffer. Then find the buffer file you want and open it. As it opens to the Decode and Analysis tab, select the Decode tab and search the buffer for the records that you might be interested in.

The picture below shows how Observer displays captured NetFlow records and the NetFlow template format for that record:

GigaStor NetFlow Datagram

Now that the GigaStor is sending flows, our NetFlow collector, Scrutinizer, will automatically pick up the data and start reporting on it. You can also design your own report templates with Scrutinizer’s report designer. If you’d like to learn more about Viavi Observer GigaStor NetFlow reporting or need any help setting it up, please give us a call.

The post Viavi Observer GigaStor NetFlow Support appeared first on Plixer.com.


Gigamon IPFIX Configuration


Today I want to take a look at the Gigamon appliance and its IPFIX configuration. Recently I was asked a rather interesting question. An avid user of Scrutinizer had a very specific element he wanted to collect and monitor. He wanted to trend what SSL version his internal servers are currently running, as well as the most common version his users come across in the wild. Now, immediately my mind goes to decryption or deep packet inspection. I know that with a bit of work we could accomplish this using our FlowPro, which already does DPI. But wait, there’s a simpler way? That’s right: among other elements, Gigamon exports SSL information in its IPFIX exports! That’s very exciting.


Now, I’ve never had any hands-on time configuring or playing with a Gigamon appliance. I will say, the configuration differs a bit from what you may be used to if you mainly enable NetFlow on Cisco devices. Let’s take a look at how to turn NetFlow on and start reporting on some of these awesome exports!

Before diving into our IPFIX configuration, there are two items I have to note. In order to generate the metadata required for IPFIX exports you need a GigaSMART blade for the modular nodes HC2, HD4 and HD8; on the HB1, GigaSMART is already built into the unit. In addition to the correct hardware you will also need the metadata license: for generating IPFIX you need the netflow/metadata license.

Now when configuring IPFIX on a Gigamon appliance there are a few extra steps we’ll need to take. First we’ll want to set up a GigaSMART group. Here we’re going to be creating a group to assign parameters to. For example, I created my GigaSMART Group for NetFlow and De-duplication. With de-duplication you can set parameters such as counting the duplicates versus dropping them, and which header fields are compared when de-duplicating, for instance whether to include the TCP class, ToS and TCP sequence number. In your GigaSMART Group you can also set your flow sampling rate. Now, I do recommend using 1:1 for the best reliability and most complete picture. Another interesting segment is the ability to do SSL decryption. As awesome as that would be, we’ll have to visit this topic later as we’ll need to have our SSL key installed on the appliance.

GigaSMART Groups

Next we’ll want to create a tunnel port. Now this leads to one of those differences I mentioned. Gigamon does something different with its ports than traditional switch ports. Traditionally a switch port will both receive and transmit. Gigamon has modified this default behavior and assigns a role to each port. For example, a network port will only receive traffic and a tool port will only transmit data. The tunnel port we’re creating is going to be our tool port, which will transmit our IPFIX data to a NetFlow collector. First we’ll choose the port we want to transmit from, then we can assign an IP address to the tunnel port. This will be our source IP for IPFIX traffic. Next we’ll assign a subnet mask and a default gateway. This leads to another interesting fact about the Gigamon setup: the default gateway we’re assigning here needs to be the IP of our NetFlow collector. Having them on the same subnet also makes life a little easier. I set the maximum transmission unit (MTU) to 1500. Then finally we’ll assign this to the GigaSMART Group we just set up.

Gigamon Tunnel Port

Once the tool port is configured, you’ll also need to SPAN some traffic to the appliance from a nearby switch. The port receiving that traffic should be configured as a network port, as it will only listen for traffic.

Now that we have our two ports set up, one to listen and one to transmit, we’ll need to set up our GigaSMART Operations. The GSOP gives us the ability to do some more very cool things like tunnel encapsulation and decapsulation. For this blog, though, we’re just going to assign NetFlow and De-duplication for our GSOP.

GigaSMART Operations

Excellent, so now we have our GigaSMART Group, our ports are configured and we’ve defined our GSOP. Now we can start to define our NetFlow record, exporter and monitor!

Under NetFlow/IPFIX Generation we’ll want to start with our record. This should be familiar to most of us: this is where we set our match and collect statements. We can have up to 5 records tied to each monitor, which gives us a little flexibility. However, in order to use multiple records with the same monitor they’ll need to contain the same key fields. Now in my testing, I have everything I need in IPFIX exports coming from 1 record. In this record I’m receiving my traditional NetFlow fields (i.e. source/destination IPs and source/destination transport ports), but I’m also exporting all of the SSL information, including the issuer’s common name, SSL version, key size and full URL strings. There are a lot of options available to us.

Gigamon Flow Record

Once I have my record defined, we’ll want to go ahead and configure our exporter. The exporter is pretty straightforward: we give it an alias, specify the version of flow exports (in this case IPFIX), specify the template refresh interval (I have mine set to 60), assign the tunnel port configured earlier and finally fill in the transport configuration. The transport configuration is where we’ll want to specify the destination IP, the destination port, transport protocol, etc. Now in my example I’m using port 2002 as I’m sending the flow data to a UDP replicator before our NetFlow collector. If you’re sending straight to a collector you’ll want to use one of the pre-defined listening ports such as 2055, 2056, 9995, 9996, etc.

Gigamon Flow Exporter

Finally, we’ll want to configure our monitor. This is where we’ll specify our timeout rates and tie in our record. I recommend setting the active timeout to 60 as we’ll want to be receiving 1-minute updates even if the conversation is still alive. Here I have my inactive timeout set to 15, and I have again specified a sampling rate of 0 since I don’t want to perform any sampling. Lastly, assign your flow record; we can use up to 5 records per monitor, but in this example I’ll just be using one.

Gigamon Flow Monitor

Ok, just a few more steps before we can start analyzing all this new traffic! Next we’re going to create a map, which will tie our network interface and our tunnel interface together. Of course we’ll want to give our map an alias and a nice description of where traffic is coming in and which interface it’s leaving, as that’s good practice. Next we’ll want to specify our source port; this will be our network port where we’re receiving traffic. Then our destination port, which is the tool port we’re going to be exporting across. Then we’ll tie our GSOP to the map. Finally we’ll want to create a map rule. I defined my map rule by MAC address, and specified any MAC as the source and any MAC as the destination to allow all the traffic through.

Gigamon Flow Map

Our final step is associating our monitor with our GigaSMART Group. If we go into editing our GigaSMART Group, about a third of the way down is the NetFlow parameter; this is where we associate the monitor we just created.

Monitor Applied to GigaSMART Group

Now that our configuration is complete we can verify our settings via the CLI. SSH in as the admin user; the following commands will confirm our configuration:

sh tunneled-port stats all

-Here we can verify our tunnel port is configured correctly and ARP is resolving

Tunnel Port Stats

Note that since this is a tunnel port we only use it to transmit data, so any traffic sent to this port is dropped.

sh apps netflow exporter stats all

-Verify that new records are being added and packets are being sent to our collector

NetFlow Exporter Stats

sh apps netflow monitor stats all

-Verify flows are being added and that our sampling rate is 1:1

Flow Monitor Stats

sh port params

-Verify our port roles are set correctly

Port Parameters

sh port in-use

-Verify our configured ports are up

Ports in use

Congratulations! Now you have some awesome IPFIX data coming from your Gigamon appliance! Last, but not least, we’ll want to use our favorite NetFlow Collector to analyze this traffic.

For more information on Gigamon’s IPFIX exports take a look at their documentation here.

For more information about configuring NetFlow and sFlow, feel free to browse our many blogs here.

The post Gigamon IPFIX Configuration appeared first on Plixer.com.
