Catalyst Script to Extract Flow Data

pandreozzi
Level 1

My question is around extracting flow data from some legacy Cisco 3750 and 3550 switches with layer 3 images.

Netflow is not supported on these devices and I don't think you can create an event option that triggers logging to send this data to a syslog server.

So my question is this.

Can a script be created that runs in the background that will collect this info and forward it to a remotely configured syslog server?

All responses are greatly appreciated.

Paul

1 Accepted Solution

!
logging buffered debug
logging buffered 16000
!

... don't run it for long at that log level.

As for your solution, agreed you are going to get some useful info out of it, but these hits are all stateless; you will need some pivot-table-fu to aggregate them back into flows. Even then, you will be missing useful datapoints such as packet sizes and therefore total data transferred.

cheers,

Seb.


17 Replies

balaji.bandi
Hall of Fame

Hope you mean NetFlow; that is not supported (as you mentioned), it is only supported on Flexible NetFlow -X models.

Even if you do some scripting, what is the end goal? What information are you looking for?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The goal is to see flows as these devices are acting as routers with layer 3 images running OSPF. I need to send these flows to a syslog collector to analyze the data for threats.

I can only think of a SPAN port to monitor all traffic.

BB


Thanks Balaji. All this feedback is allowing me to tell the vendor that their expectations of legacy devices are unreasonable, but the company that I support bought this solution from this vendor and now comes the finger pointing.

When the feature you are looking for is not supported by the device, how can one do their job? That is the limitation of what can be delivered.

You can do RSPAN if that works from different devices.

BB


Thanks Balaji. I agree, but back when these devices were manufactured considerations on cyber related issues did not exist like they do today.

RSPAN is another good option and I appreciate all this input.

If you are looking to address cyber space issues, you need to tell the business to address the issue and upgrade the kit to the latest.

Or get a FW: put these devices behind an NGFW to fix it the other way.

Sure, RSPAN is the only option you have as I see here.

BB


Correct and we are addressing that issue with them. You can only get so much out of these devices before you need to span or use taps.

Seb Rupik
VIP Alumni

Hi there,

You could attach a Linux box to the switch and SPAN the uplink port to a switchport connected to the Linux box. The attached Linux interface would need to be configured with ipt-netflow; from there you could process the flow data with nfdump/nfsen, or using a second interface export the flow data to a remote collector.

Not sure how many of these switches you have, and therefore how scalable this solution would be!

cheers,

Seb.

Hi Seb, that is a pretty good suggestion but we have over 200 switches and I am trying to avoid SPANs or taps. I am working with a very difficult vendor that is suggesting that I should be able to get this data but has no solutions to extract it.

Given that number, then configuring RSPAN is your only other option, which does appear to be supported on your platform but would require additional configuration across your network to tag the RSPAN VLAN towards your designated RSPAN collector port. At that point you could deploy the Linux solution described in my first post.

cheers,

Seb.

Seb and others. I think I may have found a solution to having a view into the flows at a basic level.

Switch#show run | include access-list
ip access-list extended ip-monitor

interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group ip-monitor in

Switch#show access-lists
Extended IP access list ip-monitor
10 permit ip any any log (2309 matches) >>>>>> results/rule hits

I have this going to a syslog server.

Switch#show run | include logging
logging trap debugging
logging facility syslog
logging host 192.168.1.140 transport tcp port 514

I do not see any entries on the rsyslog server.

My question is how can I have this show on the switch local log?

This is a lab switch so I am not worried about breaking it.
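The "pivot-table-fu" Seb mentions in the accepted solution, applied to the output of the `permit ip any any log` entry shown above, as an added example that is not code from the original thread or from Cisco. IOS emits one syslog message per first-matching packet and then periodic summaries with a packet count, in three formats depending on the protocol: %SEC-6-IPACCESSLOGP (TCP/UDP, with ports), %SEC-6-IPACCESSLOGDP (ICMP, with type/code) and %SEC-6-IPACCESSLOGNP (other protocols, by number). The script parses those lines, rolls the stateless hits into 5-tuple flows, merges both directions of a TCP/UDP conversation into one session, and lists top talkers. The syslog lines, the ACL name `ip-monitor` and the addresses are constructed sample input; the function names are the example's own.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# One regex per IOS ACL-logging message type. re.search is used so the
# syslog priority, timestamp, hostname and sequence number in front of the
# %SEC-6 tag are ignored.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
LOGDP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)
LOGNP = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packets?"
)

# (proto, src, sport-or-icmp-type, dst, dport-or-icmp-code); "-" when absent
FlowKey = Tuple[str, str, str, str, str]

# Constructed sample syslog lines in the shape rsyslog would store from the
# switch above (not real captured data).
SAMPLE_SYSLOG = """\
<190>Mar  7 20:10:01 Switch 45: *Mar 7 20:10:00.123: %SEC-6-IPACCESSLOGP: list ip-monitor permitted tcp 192.168.1.10(51234) -> 10.20.0.5(443), 1 packet
<190>Mar  7 20:10:02 Switch 46: *Mar 7 20:10:01.456: %SEC-6-IPACCESSLOGP: list ip-monitor permitted tcp 10.20.0.5(443) -> 192.168.1.10(51234), 1 packet
<190>Mar  7 20:10:03 Switch 47: *Mar 7 20:10:02.789: %SEC-6-IPACCESSLOGDP: list ip-monitor permitted icmp 192.168.1.10 -> 10.20.0.5 (8/0), 1 packet
<190>Mar  7 20:10:04 Switch 48: *Mar 7 20:10:03.012: %SEC-6-IPACCESSLOGNP: list ip-monitor permitted 47 192.168.1.20 -> 10.20.0.9, 1 packet
<190>Mar  7 20:10:05 Switch 49: *Mar 7 20:10:04.345: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
<190>Mar  7 20:15:01 Switch 50: *Mar 7 20:15:00.678: %SEC-6-IPACCESSLOGP: list ip-monitor permitted tcp 192.168.1.10(51234) -> 10.20.0.5(443), 37 packets
"""


def parse_line(line: str) -> Optional[Tuple[FlowKey, str, int]]:
    """Return (flow_key, action, packet_count), or None for non-ACL lines."""
    for rx in (LOGP, LOGDP, LOGNP):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            sport = d.get("sport", d.get("type", "-"))
            dport = d.get("dport", d.get("code", "-"))
            key: FlowKey = (d["proto"], d["src"], sport, d["dst"], dport)
            return key, d["action"], int(d["count"])
    return None


def aggregate(lines: Iterable[str]) -> Dict[FlowKey, Dict[str, int]]:
    """Roll the stateless hits into one-direction flows keyed by 5-tuple.

    'packets' sums the counts IOS reports (the first-packet message and the
    periodic summaries), 'hits' counts log lines, 'denied' counts packets
    from denied ACEs. There is no byte count: the ACL log never carries one.
    """
    flows = defaultdict(lambda: {"packets": 0, "hits": 0, "denied": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, action, count = parsed
        flows[key]["packets"] += count
        flows[key]["hits"] += 1
        if action == "denied":
            flows[key]["denied"] += count
    return dict(flows)


def sessions(flows: Dict[FlowKey, Dict[str, int]]) -> Dict[Tuple[str, ...], int]:
    """Merge A->B and B->A flows into one session by ordering the endpoints.

    Meaningful for TCP/UDP; for ICMP the 'ports' are type/code, so request
    and reply stay separate.
    """
    out: Dict[Tuple[str, ...], int] = defaultdict(int)
    for (proto, src, sport, dst, dport), f in flows.items():
        a, b = (src, sport), (dst, dport)
        key = (proto,) + (a + b if a <= b else b + a)
        out[key] += f["packets"]
    return dict(out)


def top_talkers(flows: Dict[FlowKey, Dict[str, int]], n: int = 3) -> List[Tuple[str, int]]:
    """Packets sent per source address, descending, for a quick triage view."""
    per_src: Dict[str, int] = defaultdict(int)
    for (_proto, src, _sport, _dst, _dport), f in flows.items():
        per_src[src] += f["packets"]
    return sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def run_sample() -> Dict[FlowKey, Dict[str, int]]:
    """Aggregate the constructed sample; returns the flow table."""
    return aggregate(SAMPLE_SYSLOG.splitlines())


if __name__ == "__main__":
    table = run_sample()
    for key, f in sorted(table.items()):
        print(f"{key[0]:5} {key[1]}:{key[2]} -> {key[3]}:{key[4]}  packets={f['packets']} hits={f['hits']}")
    print("sessions:", sessions(table))
    print("top talkers:", top_talkers(table))
```

Run it against a file of syslog lines with `aggregate(open("switch.log"))`. Two things the output makes visible that the raw `(2309 matches)` counter does not: which conversations account for the hits, and how coarse the data is, since IOS batches matches into summaries and reports packets only, which is exactly the missing-bytes gap Seb points out.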

Can you post show logging?

BB


Switch#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level debugging, 99 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 99 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level debugging, 103 message lines logged
Logging to 192.168.1.140 (tcp port 514, audit disabled,
authentication disabled, encryption disabled, link down),
38 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled

Log Buffer (4096 bytes):
ng between port Gi1/0/5 and port Gi1/0/2
*Mar 7 19:49:26.546: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.0179 in vlan 2052 is flapping between port Gi1/0/2 and port Gi1/0/5
*Mar 7 19:50:05.545: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down
*Mar 7 19:50:06.560: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to down
*Mar 7 19:51:36.997: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
*Mar 7 19:51:39.019: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
*Mar 7 19:51:54.831: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.0179 in vlan 2052 is flapping between port Gi1/0/2 and port Gi1/0/5
*Mar 7 19:51:58.204: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.0179 in vlan 2052 is flapping between port Gi1/0/5 and port Gi1/0/2
*Mar 7 19:54:11.918: %SYS-5-CONFIG_I: Configured from console by console
*Mar 7 19:57:09.966: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2052, changed state to up
*Mar 7 19:58:01.858: %SYS-5-CONFIG_I: Configured from console by console
*Mar 7 19:59:58.921: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
*Mar 7 19:59:59.919: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
*Mar 7 20:00:04.021: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
*Mar 7 20:00:05.028: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
*Mar 7 20:00:28.751: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
*Mar 7 20:00:29.749: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
*Mar 7 20:00:37.609: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
*Mar 7 20:00:38.616: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
*Mar 7 20:00:48.716: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
*Mar 7 20:00:49.714: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
*Mar 7 20:00:58.807: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
*Mar 7 20:00:59.814: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
*Mar 7 20:03:16.699: %SYS-5-CONFIG_I: Configured from console by console
*Mar 7 20:05:15.004: %SYS-5-CONFIG_I: Configured from console by console
*Mar 7 20:07:41.956: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
*Mar 7 20:07:42.954: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
*Mar 7 20:07:54.656: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
*Mar 7 20:07:55.663: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
*Mar 7 20:08:09.009: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
*Mar 7 20:08:12.440: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
*Mar 7 20:08:24.008: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
*Mar 7 20:08:25.014: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
*Mar 7 20:15:34.134: %SYS-5-CONFIG_I: Configured from console by console
*Mar 7 20:29:56.692: %SYS-5-CONFIG_I: Configured from console by console
*Mar 7 20:40:44.561: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
*Mar 7 20:41:27.100: %LINK-5-CHANGED: Interface Vlan2000, changed state to administratively down
*Mar 7 20:41:27.108: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2000, changed state to down
*Mar 7 20:41:53.708: %SYS-5-CONFIG_I: Configured from console by console
*Mar 7 20:43:43.457: %SYS-5-CONFIG_I: Configured from console by console
*Mar 7 20:44:57.629: %SYS-5-CONFIG_I: Configured from console by console
*Mar 7 20:48:48.676: %SYS-5-CONFIG_I: Configured from console by console
*Mar 7 20:50:55.713: %SYS-5-CONFIG_I: Configured from console by console
Switch#
