Networking Question

the_Grinch · June 2014

I had a networking question that I am hoping you guys can help me out with. Setup is as follows:

Internet-->Router-->Switch-->Firewall-->Switch-->Servers

Now the issue is a claim that the Netflow data we had is somehow reversed (thus in is out and out is in). I know that depending on the placement of the device you are collecting Netflow from this is a possibility. But in this case I am collecting Netflow data directly from the Router. The logs from the firewall confirm what I am seeing in Netflow, but there is some dispute as to whether or not the data has been flipped. Given that information is that even remotely a possibility?

Dieg0M · June 2014

Netflow data reversed? Do you mean src and dst reversed? This will depend if you are configuring ingress or egress netflow and on what interface.

Heero · June 2014

Probably something set up wrong on the netflow collector. Netflow doesn't really distinquish between "in" and "out." It just collects flows as specified and sends them to the netflow collector. Take a look at the format of a flow record. It will record things like src/dst IP, src/dst port, input/output interface, etc...

If you want to see all inbound traffic, you would probably just want to set up a filter against either the src or dst interface field, but you could also do by IP range.

Here is a link to a flow record format for V7 NetFlow Export Datagram Format - Cisco

It is even cooler if your device support flexible netflow (v9) where you can create your own netflow records. We use a predefined v9 record that creates flows based on src/dst AS because we want to see which ASNs we send/receive the most traffic from. Instead of a unique flow for each connection, it is a single unique flow per src/dst ASN pair, which eases storage requirements from ~50gig a day to virtually nothing.

Rid yourself of the "inbound" and "outbound" mentality to netflow. Just sample all input and all output on the interface and then use filters with your netflow collector software to create specific views such as inbound, outbound, inbound/outbound for a specific IP range, etc....

EDIT: Though I should add that if you only configured netflow to collect in one direction, maybe you got either the direction wrong, or the port wrong (internal vs external interface). However, it is best to collect in both directions so you have the full netflow data and then just filter the flow data to view whatever specific flows you want. Flows by nature are unidirectional, so you will record two flows for a single connection between two hosts, one for the inbound and one for the outbound.

the_Grinch · June 2014

Excellent! Thanks for the info guys! I can filter by in and out on the interfaces so I believe we have everything setup correctly. The point is probably moot at this point, but this was also a learning moment that I didn't want to pass up.

lilysimith · June 2014

You must have NetFlow accounting configured on your router before you can use this command.

The NetFlow accounting minimum prefix mask allows you to set a minimum mask size for the traffic that will be added to the NetFlow aggregation cache. The source or destination IP address (depending on the type of aggregation cache that you are configuring) is ANDed with the larger of the two masks (the mask that you enter with the mask command and the mask in the IP routing table) to determine if the traffic should be added to the aggregation cache that you are configuring.

To enable the minimum prefix mask for a particular aggregation cache, configure the desired minimum mask value using the NetFlow aggregation cache commands. The minimum mask value in the range of 1-32 is used by the router defines the granularity of the NetFlow data that is collected:

•For coarse NetFlow collection granularity, select a low minimum mask value.

•For fine NetFlow collection granularity, select a high minimum mask value.

Networking Question

Comments