Configuring Cisco Netflow

I got a call today.  A machine on my network is performing a port scan on my ISP's customer's server.  They provided me with a NAT'd address for our machine, source port 500, destination port 500, and the customer's destination address.  How can I set up NetFlow on my Cisco 3550 to show my culprit internal address?  I'm guessing I just want to aggregate info for source port 500, dest port 500, and dest IP?

I'm looking for specifics.  I'm a Cisco newbie, and the online docs are a little over my head for NetFlow.
RobArdill commented:
To enable netflow on your switch add this to the switch config.

Telnet to the switch, login

#conf t
(config)#ip flow-cache timeout active 1

On the interface you want to run NetFlow add the below config command, where fe1 is replaced by your interface type and number. Type a '?' to see the available command options, i.e. 'int ?' or 'int ether?' etc.

(config)#int fe1
(config-if)#ip route-cache flow
(config-if)#exit
(config)#ip flow-export version 5
(config)#ip flow-export destination <dest ip> <dest port>

dest ip and port point to your netflow collector running on another host.

Note: Netflow is only available on some versions of the 3550 and it depends on the IOS version running.

The PRTG guys offer a free Netflow test tool to see if it working, plus a little guide to tweaking your netflow setup.

Regards Rob
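As an added example that is not part of this thread or of Cisco's own tooling, the Python below decodes the NetFlow v5 export datagrams the configuration above produces and lists the internal source addresses behind flows matching the ISP's report (UDP source port 500 to destination port 500 on the customer's server). It assumes the collector listens on UDP 2055 (use whatever port you gave `ip flow-export destination`), uses 203.0.113.10 as a placeholder for the customer's server and 192.168.1.0/24 as a constructed internal LAN, and relies on NAT happening upstream of the 3550 so that the exported source addresses are the real internal hosts rather than the NAT'd address the ISP saw.

```python
"""Added example (not from the thread): a small NetFlow v5 decoder that answers
the original question offline. Feed it the UDP datagrams the 3550 exports and it
reports which internal source address produced flows matching the ISP's report."""
import ipaddress
import socket
import struct
from collections import Counter

# NetFlow v5 wire layout (network byte order), per Cisco's v5 export format.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes


def parse_v5(datagram: bytes):
    """Decode one NetFlow v5 export datagram into a list of flow dicts.

    Rejects anything that is not v5 or whose header claims more records than
    the datagram actually carries, so a malformed export is not misread.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated export: header claims {count} records")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5],
            "bytes": f[6],
            "sport": f[9],
            "dport": f[10],
            "proto": f[13],   # 17 = UDP, 6 = TCP
        })
    return flows


def find_sources(datagrams, dst_ip, sport=500, dport=500, proto=17):
    """Sum packets per internal source address for flows matching the report.

    Assumes the 3550 sits inside the NAT boundary, so the source addresses it
    exports are the real internal hosts, not the NAT'd address the ISP saw.
    """
    hits = Counter()
    for dg in datagrams:
        for fl in parse_v5(dg):
            if (fl["dst"], fl["sport"], fl["dport"], fl["proto"]) == (dst_ip, sport, dport, proto):
                hits[fl["src"]] += fl["packets"]
    return hits


def build_v5(records, uptime_ms=1000, unix_secs=1_700_000_000, seq=1):
    """Encode flow dicts as a v5 datagram (used here only to construct test input)."""
    body = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(r["src"]).packed,
            ipaddress.IPv4Address(r["dst"]).packed,
            b"\0\0\0\0",                    # nexthop
            1, 2,                           # input / output SNMP ifIndex
            r["packets"], r["bytes"],
            uptime_ms - 500, uptime_ms,     # first / last seen (sysUptime ms)
            r["sport"], r["dport"],
            0, 0, r["proto"], 0,            # pad1, tcp_flags, protocol, tos
            0, 0, 24, 24, 0)                # src_as, dst_as, src_mask, dst_mask, pad2
        for r in records)
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + body


# Constructed sample flows: 203.0.113.10 stands in for the customer's server and
# 192.168.1.0/24 for the internal LAN. None of these values come from the thread.
SAMPLE_FLOWS = [
    {"src": "192.168.1.23", "dst": "203.0.113.10", "sport": 500, "dport": 500, "proto": 17, "packets": 12, "bytes": 3024},
    {"src": "192.168.1.50", "dst": "203.0.113.10", "sport": 41022, "dport": 80, "proto": 6, "packets": 9, "bytes": 5400},
    {"src": "192.168.1.23", "dst": "203.0.113.10", "sport": 500, "dport": 500, "proto": 17, "packets": 3, "bytes": 756},
]


def collect(dst_ip, port=2055, max_datagrams=100):
    """Listen for real exports (port is the one given to 'ip flow-export
    destination'; 2055 is an assumed common choice) and report matching sources."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        seen = [sock.recvfrom(65535)[0] for _ in range(max_datagrams)]
    return find_sources(seen, dst_ip)


if __name__ == "__main__":
    for host, pkts in find_sources([build_v5(SAMPLE_FLOWS)], "203.0.113.10").most_common():
        print(f"{host}: {pkts} packets matching the ISP report")
```

Run it as-is to see the constructed sample decoded; replace the `__main__` body with `collect("<customer server ip>")` to read live exports from the switch. Because the export reflects the switch's own flow cache, the short `ip flow-cache timeout active 1` above matters: long-lived flows are flushed every minute instead of waiting for the default 30, so the collector sees them promptly.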

It looks like a machine in your network is trying to establish an IKE Security Association (SA), which is the first phase in bringing up an IPSec tunnel. That's pretty strange considering it's directed at a machine it shouldn't be. Maybe there is some vulnerability that a worm has been created to exploit this protocol. Either way you should start blocking the traffic from flowing out of your network ASAP while you try to determine the cause. This way you minimize the spread of the worm if it is one.

Then you have a few options: you could kill two birds with one stone and throw it in an ACL that blocks this traffic and logs it, and then watch the logs. You could even run a sniffer on your LAN if your switch has a monitor port. You seem to want to get info on NetFlow in particular. I have not used it, but I am sure someone who has will speak up soon too....

Good luck!