Configuring Cisco Netflow

Posted on 2006-05-02
Last Modified: 2010-04-06
I got a call today.  A machine on my network is performing a port scan on my ISP's customer's server.  They provided me with a NAT'd address for our machine, source port 500, destination port 500, and the customer's destination address.  How can I set up netflow on my cisco 3550 to show my culprit internal address?  I'm guessing I just want to aggregate info for source port 500, dest port 500, and dest IP?

I'm looking for specifics.  I'm a cisco newbie, and the online docs are a little over my head for netflow.
Question by:cerminad
    LVL 9

    Expert Comment

    It looks like a machine in your network is trying to establish an IKE Security Association (SA), which is the first phase in bringing up an IPSec tunnel. That's pretty strange considering it's directed at a machine it shouldn't be. Maybe there is some vulnerability that a worm has been created to exploit this protocol. Either way you should start blocking the traffic from flowing out of your network ASAP while you try to determine the cause. This way you minimize the spread of the worm if it is one.

    Then you have a few options - you could kill two birds with one stone and throw it in an ACL that blocks this traffic and logs it, and then watch the logs. You could even run a sniffer on your LAN if your switch has a monitor port. You seem to want to get info on netflow in particular. I have not used it, but I am sure someone who has will speak up soon too....

    Good luck!
    LVL 6

    Accepted Solution

    To enable netflow on your switch add this to the switch config.

    Telnet to the switch, login

    #conf t
    (config)#ip flow-cache timeout active 1

    On the interface you want to run netflow on, add the below config command, where fe1 is replaced by your interface type and number. Type a '?' to see the available command options, i.e. 'int ?' or 'int ether?' etc. Leave interface mode with 'exit' before entering the global export commands.

    (config)#int fe1
    (config-if)#ip route-cache flow
    (config-if)#exit
    (config)#ip flow-export version 5
    (config)#ip flow-export destination <dest ip> <dest port>

    &lt;dest ip&gt; and &lt;dest port&gt; point to your netflow collector running on another host.

    Note: Netflow is only available on some versions of the 3550 and it depends on the IOS version running.

    The PRTG guys offer a free Netflow test tool to see if it is working, plus a little guide to tweaking your netflow setup.

    Regards Rob
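Once the switch is exporting v5 records, the collector side still has to decode them and answer the original question (which inside host is sending UDP 500 -> UDP 500 to the complained-about server). This added example is not from the thread; it parses a NetFlow v5 datagram by its fixed 24-byte header and 48-byte record layout and sums packets per internal source for that pattern. The datagram, the 192.168.1.x hosts and the 203.0.113.9 server are constructed sample values.

```python
"""Decode NetFlow v5 export datagrams and pick out the flows matching the
ISP's complaint (UDP 500 -> UDP 500 towards one destination address)."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def parse_v5(datagram):
    """Return a list of flow dicts decoded from one NetFlow v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # The count field comes off the wire; bound it by the real length.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than header claims")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                      "proto": r[13]})
    return flows


def find_culprits(flows, dst_ip, sport=500, dport=500, proto=17):
    """Sum packets per internal source address for the reported pattern."""
    totals = {}
    for f in flows:
        if (f["dst"], f["sport"], f["dport"], f["proto"]) == (dst_ip, sport, dport, proto):
            totals[f["src"]] = totals.get(f["src"], 0) + f["pkts"]
    return totals


def _record(src, dst, sport, dport, proto, pkts):
    """Pack one constructed v5 record (sample data, not a real capture)."""
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                          1, 2, pkts, pkts * 100, 0, 0, sport, dport, 0, 0, proto,
                          0, 0, 0, 24, 24, 0)


# Constructed datagram: two inside hosts reach the server, only one does 500 -> 500.
SAMPLE = (V5_HEADER.pack(5, 3, 0, 0, 0, 0, 0, 0, 0)
          + _record("192.168.1.23", "203.0.113.9", 500, 500, 17, 40)
          + _record("192.168.1.23", "203.0.113.9", 500, 500, 17, 12)
          + _record("192.168.1.77", "203.0.113.9", 4444, 80, 6, 3))
```

Feed the UDP payloads received on the exporter's destination port into parse_v5 and pass the ISP's reported destination address to find_culprits to get the inside address behind the NAT.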

