• Status: Solved
• Priority: Medium
• Security: Public
• Views: 2112

Configuring Cisco Netflow

I got a call today.  A machine on my network is performing a port scan on my ISP's customer's server.  They provided me with a NAT'd address for our machine, source port 500, destination port 500, and the customer's destination address.  How can I set up NetFlow on my Cisco 3550 to show my culprit internal address?  I'm guessing I just want to aggregate info for source port 500, dest port 500, and dest IP?

I'm looking for specifics.  I'm a Cisco newbie, and the online docs are a little over my head for NetFlow.
Asked by cerminad

conradie commented:
It looks like a machine in your network is trying to establish an IKE Security Association (SA), which is the first phase in bringing up an IPSec tunnel. That's pretty strange considering it's directed at a machine it shouldn't be. Maybe there is some vulnerability that a worm has been created to exploit this protocol. Either way you should start blocking the traffic from flowing out of your network ASAP while you try to determine the cause. This way you minimize the spread of the worm if it is one.

Then you have a few options: you could kill two birds with one stone and throw it in an ACL that blocks this traffic and logs it, and then watch the logs. You could even run a sniffer on your LAN if your switch has a monitor port. You seem to want to get info on NetFlow in particular. I have not used it, but I am sure someone who has will speak up soon too....

Good luck!
RobArdill commented:
To enable netflow on your switch add this to the switch config.

Telnet to the switch, login

>enable
--->password
#conf t
(config)#ip flow-cache timeout active 1

On the interface you want to run NetFlow, add the below config command, where fe1 is replaced by your interface type and number. Type a '?' to see the available command options, i.e. 'int ?' or 'int ether?' etc.

(config)#int fe1  
(config-if)#ip route-cache flow
(config-if)#exit
(config)#ip flow-export version 5
(config)#ip flow-export destination <dest ip> <dest port>
(config)#end
#write memory

dest ip and port point to your netflow collector running on another host.

Note: Netflow is only available on some versions of the 3550 and it depends on the IOS version running.

The PRTG guys offer a free Netflow test tool to see if it working, plus a little guide to tweaking your netflow setup.

http://www.paessler.com/support/kb/questions/20/Configuration-Tips-for-Cisco-Routers-and-PRTG


Regards Rob
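Once the switch is exporting, the remaining step is on the collector side: decode the v5 records and filter them by what the ISP reported. The following Python is an added example, not code from this thread, from Cisco or from Paessler. It implements the NetFlow v5 header and record layout directly with struct, builds a constructed sample export datagram (addresses, ports and counters are made up), and returns the pre-NAT internal source addresses whose flows match the reported destination address and 500/500 port pair. The assumption, labelled in the code, is that the export is taken on the inside interface so the records carry the internal address rather than the NAT'd one; the collector port 2055 is just a conventional default.

```python
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Set

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_UDP = 17  # IKE (ISAKMP) runs over UDP/500


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def parse_v5(datagram: bytes) -> List[Flow]:
    """Decode one NetFlow v5 export datagram into Flow records.

    Rejects non-v5 data and datagrams whose header advertises more records
    than the payload carries, so a short or corrupt export cannot yield
    garbage flows.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than header claims")
    flows = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last, sport, dport = fields[:11]
        proto = fields[13]  # pad1, tcp_flags, prot, tos follow the two ports
        flows.append(Flow(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                          proto, sport, dport, pkts, octets))
    return flows


def find_internal_sources(flows: List[Flow], dst_ip: str, sport: int, dport: int,
                          proto: int = PROTO_UDP) -> Set[str]:
    """Return the internal source addresses behind what the ISP reported.

    The ISP only sees the NAT'd address, so matching is done on destination
    address, protocol and the port pair. Assumption: flows are exported from
    the inside interface, so f.src is the pre-NAT (internal) address.
    """
    return {f.src for f in flows
            if f.dst == dst_ip and f.proto == proto and f.sport == sport and f.dport == dport}


def build_v5(records) -> bytes:
    """Encode (src, dst, proto, sport, dport, pkts, octets) tuples as a v5 datagram.

    Used here only to construct offline sample input; a real collector receives
    these from the exporter configured with 'ip flow-export destination'.
    """
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                       b"\0\0\0\0", 1, 2, pk, oc, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 24, 24, 0)
        for s, d, pr, sp, dp, pk, oc in records)
    return header + body


# Constructed sample export: one flow matching the ISP report plus two decoys.
REPORTED_DST = "198.51.100.7"
SAMPLE_DATAGRAM = build_v5([
    ("10.1.2.3", REPORTED_DST, PROTO_UDP, 500, 500, 3, 456),
    ("10.1.2.9", "198.51.100.20", 6, 51234, 80, 12, 5000),       # ordinary HTTP
    ("10.1.2.3", "198.51.100.9", PROTO_UDP, 500, 500, 1, 152),   # IKE, other destination
])


def collect(bind_ip: str = "0.0.0.0", port: int = 2055) -> Iterator[Flow]:
    """Receive export datagrams from the switch (the <dest ip> <dest port> of
    'ip flow-export destination') and yield decoded flows; malformed or non-v5
    datagrams are skipped rather than crashing the collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, _peer = sock.recvfrom(65535)
            try:
                yield from parse_v5(data)
            except ValueError:
                continue


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in collect() for live export.
    print(find_internal_sources(parse_v5(SAMPLE_DATAGRAM), REPORTED_DST, 500, 500))
```

Feeding the decoy flows through shows why the destination address matters: the same internal host also has an IKE flow to a different server, and only the record to the reported destination is returned. With `ip flow-export version 5` on the switch, the live `collect()` generator yields the same Flow objects, so the same filter answers the ISP's question directly.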
