
1. Cisco router NetFlow configuration
1.1 NetFlow v5 configuration
Using a Cisco 7200 as the example:
Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(10a), RELEASE SOFTWARE (fc2)
ip flow-cache timeout inactive 10
ip flow-cache timeout active 1
ip cef
interface GigabitEthernet0/1
ip address 15.15.15.1 255.255.255.0
ip flow ingress
ip route-cache flow
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/2
ip address 20.20.20.1 255.255.255.0
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/3
ip address 90.90.90.10 255.255.255.0
duplex auto
speed auto
media-type rj45
no negotiation auto
!
ip flow-export source GigabitEthernet0/3
ip flow-export version 5
ip flow-export destination 90.90.90.90 9996
Command explanation:
Global configuration:
ip flow-cache timeout active 1
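Sets the NetFlow active timeout, which splits long-lived flows into 1-minute segments. You can choose any value from 1 to 60 minutes. With the default of 30 minutes, traffic reports may show many spikes. Setting this value to 1 minute is very important for generating alerts and displaying troubleshooting data.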
ip flow-cache timeout inactive 15
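Ensures that finished flows are exported periodically. The default is 15 seconds, and any value from 10 to 600 can be chosen. If the chosen value is greater than 250 seconds, the NetFlow analyzer may report traffic values that are too low.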
ip flow-export source GigabitEthernet0/3
Sets the source address used for NetFlow export.
ip flow-export destination 90.90.90.90 9996
Sets the destination address and destination port for NetFlow export.
ip flow-export version 5
Sets the NetFlow export version to v5.
Interface configuration:
ip flow ingress
ip route-cache flow
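Enables NetFlow on the interface and collects the traffic entering it. This is one-way collection; to collect traffic in both directions, ip flow egress must also be configured.
Note: using ip flow ingress and ip flow egress on both the inbound and outbound interfaces at the same time causes exactly the same packets to be received; in general, configure NetFlow only on the ingress or only on the egress.
There are also several show commands: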
R3#show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 90.90.90.90 (9996) 172.18.1.88 (9996)
Exporting using source interface GigabitEthernet0/3
Version 5 flow records
368989095 flows exported in 12306312 udp datagrams
0 flows failed due to lack of export packet
17 export packets were sent up to process level
0 export packets were dropped due to no fib
416 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
R3#show ip cache flow
IP packet size distribution (61706M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .005 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.988 .000 .000 .000 .004 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
65527 active, 9 inactive, 184774820 added
681737392 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 1647240 bytes
65527 active, 16393 inactive, 184774820 added, 184774820 added to flow
0 alloc failures, 117266 force free
5 chunks, 7 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-FTP 1024172 2.8 3 59 10.1 2.0 2.9
TCP-FTPD 510383 1.4 3 392 5.4 1.1 3.1
TCP-WWW 118698871 330.1 4 728 1615.8 2.9 3.5
TCP-SMTP 2200615 6.1 7 766 42.9 2.9 2.3
TCP-X 223 0.0 3 96 0.0 3.1 3.3
TCP-other 20942270 58.2 4 111 248.8 2.9 2.9
UDP-DNS 12599428 35.0 1 72 47.5 1.8 5.2
UDP-NTP 1206400 3.3 2207 494 7405.8 61.0 0.0
UDP-TFTP 1112 0.0 44961 494 139.0 60.9 0.0
UDP-other 27534647 76.5 2116 493 162119.9 46.8 0.8
Total: 184718121 513.7 334 495 171635.6 9.7 3.1
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/1 15.15.15.41 Gi0/2 20.20.20.148 06 B80E 0050 1
Gi0/1 15.15.15.249 Gi0/2 20.20.20.197 06 B80E 0050 2
Gi0/1 15.15.15.235 Gi0/2 20.20.20.176 06 B851 0050 3
Gi0/1 15.15.15.195 Gi0/2 20.20.20.117 06 B9F7 0050 4
Gi0/1 15.15.15.62 Gi0/2 20.20.20.129 06 EAAF 528B 9
Gi0/1 15.15.15.216 Gi0/2 20.20.20.130 06 B9AE 0050 2
Gi0/1 15.15.15.134 Gi0/2 20.20.20.134 06 B9CF 0050 1
Gi0/1 15.15.15.222 Gi0/2 20.20.20.131 06 B995 0050 4
Gi0/1 15.15.15.102 Gi0/2 20.20.20.159 06 B88E 0014 6
Gi0/1 15.15.15.51 Gi0/2 20.20.20.113 06 B86F 0050 1
Gi0/1 15.15.15.47 Gi0/2 20.20.20.107 06 EA77 527E 5
Gi0/1 15.15.15.187 Gi0/2 20.20.20.113 06 4FF2 F645 6
Gi0/1 15.15.15.109 Gi0/2 20.20.20.162 06 B8C7 0050 1
Gi0/1 15.15.15.163 Gi0/2 20.20.20.130 06 B9E2 0050 1
R3#
R3#show ip cache verbose
IP routing cache 0 entries, 0 bytes
1 adds, 1 invalidates, 0 refcounts
Minimum invalidation interval 2 seconds, maximum interval 5 seconds,
quiet interval 3 seconds, threshold 0 requests
Invalidation rate 0 in last second, 0 in last 3 seconds
Last full cache invalidation occurred 4d00h ago
Prefix/Length Age Interface Next Hop
R3
1.2 NetFlow v9 configuration
R3#show running-config
Building configuration...
Current configuration : 1628 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip flow-cache timeout active 1
!
!
ip cef
!
!
controller E1 1/0
!
controller E1 1/1
!
controller E1 2/0
!
controller E1 2/1
!
!
!
!
!
interface GigabitEthernet0/1
ip address 50.0.0.1 255.255.0.0
ip flow ingress
ip route-cache flow
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/2
ip address 27.192.0.1 255.255.0.0
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/3
ip address 90.90.90.10 255.255.255.0
duplex auto
speed auto
media-type rj45
no negotiation auto
!
ip flow-export source GigabitEthernet0/3
ip flow-export version 9
ip flow-export destination 90.90.90.90 9996
ip flow-export destination 172.18.1.220 9996
!
R3#

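2. Huawei switch NetStream configuration
The NetFlow configuration commands on a Huawei switch are as follows:
Assign switch ports XG0/1 and XG0/2 to the same VLAN or to different VLANs and configure IP addresses.
Collect the inbound and outbound traffic of interface XG0/0/1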
interface XG0/1
ip netstream inbound
ip netstream outbound
ip netstream sampler fix-packets 1 inbound
ip netstream sampler fix-packets 1 outbound (sampling ratio of 1)
Collect the inbound and outbound traffic of interface XG0/0/2
interface XG0/2
ip netstream inbound
ip netstream outbound
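ip netstream sampler fix-packets 1 inbound
ip netstream sampler fix-packets 1 outbound (sampling ratio of 1)
Configure IP address 9.9.9.1 on switch port g0/9.
Configure IP address 9.9.9.10 on the interface of the device connected to the switch.
Configure the source IP, destination IP and destination port of the NetStream packets
ip netstream export source 9.9.9.1
ip netstream export host 9.9.9.10 9995
ip netstream export version 5 (version 5 is the default)
The NetFlow v9 configuration on a Huawei switch is similar to the above; only the version is changed to v9: ip netstream export version 9.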
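2.1 NetStream v5 configuration
The NetFlow configuration commands on a Huawei switch are as follows:
Assign switch ports G0/0/12 and G0/0/14 to the same VLAN or to different VLANs and configure IP addresses.
Collect the inbound and outbound traffic of interface G0/0/12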
interface G0/0/12
ip netstream inbound
ip netstream outbound
ip netstream sampler fix-packets 1 inbound
ip netstream sampler fix-packets 1 outbound (sampling ratio of 1)
Collect the inbound and outbound traffic of interface G0/0/14
interface G0/0/14
ip netstream inbound
ip netstream outbound
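ip netstream sampler fix-packets 1 inbound
ip netstream sampler fix-packets 1 outbound (sampling ratio of 1)
Configure 99.99.99.99 on switch port g0/0/17.
Configure IP address 99.99.99.100 on the interface of the device connected to the switch.
Configure the source IP, destination IP and destination port of the NetStream packets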
ip netstream export source 99.99.99.99
ip netstream export host 99.99.99.100 9996
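ip netstream export version 5 (version 5 is the default)
The NetFlow v9 configuration on a Huawei switch is similar to the above; only the version is changed to v9: ip netstream export version 9.
The configuration is as follows: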
!Software Version V200R003C00SPC300
ip netstream timeout active 60
ip netstream timeout inactive 10
ip netstream export version 5
ip netstream export source 99.99.99.99
ip netstream export host 99.99.99.100 9996
ip netstream export host 8.8.8.8 9996
#
interface Vlanif22
ipv6 enable
ip address 20.20.20.1 255.255.0.0
ipv6 address 9000::1/64
#
interface Vlanif33
ipv6 enable
ip address 15.15.15.1 255.255.0.0
ipv6 address 8000::1/64
interface Vlanif888
ip address 8.8.8.7 255.255.255.0
#
interface Vlanif999
ip address 99.99.99.99 255.255.255.0
#
interface GigabitEthernet0/0/12
port link-type access
port default vlan 33
ip netstream inbound
ip netstream outbound
ip netstream sampler fix-packets 1 inbound
port-mirroring to observe-port 2 inbound
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
port link-type access
port default vlan 22
#
interface GigabitEthernet0/0/15
port link-type access
#
interface GigabitEthernet0/0/17
port link-type access
port default vlan 999
#
interface GigabitEthernet0/0/19
port link-type access
port default vlan 888
2.2 NetStream v9 configuration
!Software Version V200R003C00SPC300
ip netstream timeout active 60
ip netstream timeout inactive 10
ip netstream export version 9
ip netstream export source 99.99.99.99
ip netstream export host 99.99.99.100 9996
ip netstream export host 8.8.8.8 9996
#
interface Vlanif22
ipv6 enable
ip address 20.20.20.1 255.255.0.0
ipv6 address 9000::1/64
#
interface Vlanif33
ipv6 enable
ip address 15.15.15.1 255.255.0.0
ipv6 address 8000::1/64
interface Vlanif888
ip address 8.8.8.7 255.255.255.0
#
interface Vlanif999
ip address 99.99.99.99 255.255.255.0
#
interface GigabitEthernet0/0/12
port link-type access
port default vlan 33
ip netstream inbound
ip netstream outbound
ip netstream sampler fix-packets 1 inbound
port-mirroring to observe-port 2 inbound
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
port link-type access
port default vlan 22
#
interface GigabitEthernet0/0/15
port link-type access
#
interface GigabitEthernet0/0/17
port link-type access
port default vlan 999
#
interface GigabitEthernet0/0/19
port link-type access
port default vlan 888
