Solved: Sending netflow data to a PC outside the network?

dsifanatic · ‎05-11-2016

Hello,

I've been given a network containing the following:

- 1 router

- 1 switch

- Several workstation computers

The only access I have is via SSH to the router and nothing else.

I need to recommend a suitable upgrade option for the router which is reaching the 10 year mark, and want to know what kind of load / performance it currently has by using Netflow.

Although I can configure Netflow on the router, I can't figure out how to "send" the results to my computer which is sitting on an outside network.

I'm aware that there is a command that allows you to specify the destination IP and port, but I don't know how to figure out what port my PC is on or whether I need to configure anything else on my PC to receive the results.

Simple question for most of you I know, but am only just starting out and would appreciate some help.

Thanks!

Tim Y · ‎05-11-2016

Hi there,

Using a Netflow analyzer is the only way you're going to get the full story though. The fancy graphs are useful because they're using days/weeks/months of data, and putting them together to provide insights.

That said, if you want to view the active flows, you can do so with this command:

show flow monitor <flow monitor> cache format table

It's fun to watch what's going on, however you won't get the full story. If you need more access to set up what you need so you can make a proper recommendation on the new router, it might be a good idea to push for it.

If they have a SSL VPN or something like that, you could connect to it and point the exporter there. The only challenge is that you'll have to ensure you don't get disconnected and that your IP remains the same.

Hopefully there is a solution that you can use!

Regards,

Tim

View solution in original post

Tim Y · ‎05-11-2016

Hi,

It depends on the router version and code you're using, but one way is to set up a flow exporter and a flow monitor to do this.

Here is an example for you:

flow exporter YOUR_PC

destination 192.168.1.1

transport udp 2055

!

flow monitor EXAMPLE

exporter YOUR_PC

record netflow-original

!

interface GigabitEthernet0/0

ip flow monitor EXAMPLE input

More detail at: http://www.internetworkingcareer.com/blog/how-to-set-up-netflow-on-your-router/

Hope this helps.

Regards,

Tim

dsifanatic · ‎05-11-2016

Thanks for the response Tim.

I'm still confused. I was aware of how to get Netflow configured on my router, just confused on how to export the data collected from this.

To make sure I'm understanding this clearly, if I had network as per the attachment, then used the command format you had provided, should the commands read like the following? Solarwinds analyzer would be sitting on the ME pc with the IP 192.168.1.184

flow exporter MONITOR_PC

destination 192.168.1.184

transport udp 2055

!

flow monitor BASELINE

exporter MONITOR_PC

record netflow-original

!

interface GigabitEthernet0/0

ip flow monitor BASELINE input

Tim Y · ‎05-11-2016

Hi there,

Thanks for the diagram. When you said your PC was on another network, I was thinking a different subnet. If you're on the Internet then you need to set up NAT on the gateway of where your PC is located.

For example, let's say your PC (192.168.1.184) is behind a router that is connected to the Internet. Your router has a WAN IP of 1.1.1.1.

You need to have the flow exporter destination set to 1.1.1.1. Then set up a NAT on your router to translate packets destined for 1.1.1.1 on udp/2055 to 192.168.1.184

Though keep in mind that people don't typically do this. You're basically sending sensitive information over the Internet unencrypted. Not something I would recommend.

Regards,

Tim

dsifanatic · ‎05-11-2016

Ah right... I understand.

Unfortunately I am tied to my company's network, and don't have access to our router so wouldn't be able to forward ports on it, and as you say, it would be unsafe.

As I wouldn't want to compromise any sensitive information, would you happen to know off the top of your head, how I would get similar information through the CLI?

Although the fancy graphs would have been useful for the recommendation write-up, I'm really just interested to know what sort of load requirements, features etc they would need in a new router and happy to troll through results myself and try to make sense of it (would probably be more beneficial to my learning as well).

Cheers

Tim Y · ‎05-11-2016

Hi there,

Using a Netflow analyzer is the only way you're going to get the full story though. The fancy graphs are useful because they're using days/weeks/months of data, and putting them together to provide insights.

That said, if you want to view the active flows, you can do so with this command:

show flow monitor <flow monitor> cache format table

It's fun to watch what's going on, however you won't get the full story. If you need more access to set up what you need so you can make a proper recommendation on the new router, it might be a good idea to push for it.

If they have a SSL VPN or something like that, you could connect to it and point the exporter there. The only challenge is that you'll have to ensure you don't get disconnected and that your IP remains the same.

Hopefully there is a solution that you can use!

Regards,

Tim

dsifanatic · ‎05-11-2016

Oh dear...

I do have some experience with setting up different types of VPNs so I think I will have to just request permission to set one up so I can run the analyzer off my machine and get the information needed.

Many thanks for your response! You have been very helpful :)

Tim Y · ‎05-11-2016

You're welcome. Good luck!