Solved

Cisco router netflow question

Posted on 2010-11-16
Last Modified: 2012-05-10
I have a need to set up accurate bandwidth monitoring temporarily to identify some issues with bandwidth consumption. To do this I understand I need to use NetFlow, which is only available through a router. The problem is that I already have a firewall in place (a Juniper SSG). I have a Cisco PIX or ASA at my disposal but they too do not support NetFlow. My question is how can I set up a router to act transparently on the inside of my firewall to enable NetFlow and get accurate bandwidth statistics? It's nothing permanent. I just need to let it run for a week or so, which is why I don't want to go through the hassle of getting a router with the firewall options, etc etc etc. I want to leave the current firewalls in place and drop in a router periodically to do some bandwidth testing, then pull it out and drop it in another location at some other point. Kind of a mobile bandwidth monitoring idea.

Can anyone tell me how I can set up my Cisco 2600 to function transparently to achieve this goal? I don't want to set up a double NAT or change my firewall to run transparently and have the router do the NAT, since that'll require too much work to simply drop it in, run bandwidth captures for a week, then pull it out.

Thanks
Question by: tekrage

5 Comments

Expert Comment by: jmeggers
To set up a router "transparently" you're really talking about bridging between interfaces. There are a bunch of different ways of bridging, but the simplest is to specify the bridge protocol (usually ieee) and then put one or more interfaces in the bridge group.

bridge 1 protocol ieee

interface fa0/0
bridge-group 1

interface fa0/1
bridge-group 1

There's a white paper on cisco.com that gives more examples at http://www.cisco.com/en/US/tech/tk331/tk660/technologies_tech_note09186a0080094471.shtml#ex1

I don't know anyone that's mixed the two technologies, but I don't see anything that looks like they are incompatible.
Author Comment by: tekrage
Do you know if NetFlow will work with ieee?
Author Comment by: tekrage
Also, can you tell me how I would physically set this up? In other words, do I plug eth0 into my core network switch and plug eth1 into my firewall's internal interface?

Do I assign IP addresses to eth0 and eth1? Or do I leave them with no IP addresses? I've never used NetFlow before, so some of this is foreign to me.

Thanks!
Accepted Solution by: jmeggers (earned 500 total points)
I don't know for sure that it will work with bridging, but as I said, I don't see anything that specifically says it won't. However, integration of the two technologies will mean you will need some layer 3 information on the router if you want to send the NetFlow information to a collector. So my guess is what you need to do is what Cisco calls integrated routing and bridging, or IRB. I can't guarantee this will work, but try this configuration on the router:

bridge irb

int fa0/0
bridge-group 1

int fa0/1
bridge-group 1

int bvi1
ip address <address> <mask>

bridge 1 prot ieee
bridge 1 route ip

ip route 0.0.0.0 0.0.0.0 <next-hop IP address>

The address on the BVI (bridge virtual interface) should be in the same subnet as the layer 3 endpoints that the interfaces are bridging. It's like putting a VLAN interface on a switch. With bridging, you do not assign IP addresses to the interfaces (remember, bridging is layer 2 and IP addressing is layer 3); you simply add them to the bridge group.

For NetFlow, the general commands are:

ip flow-export <ip address> <udp port> version <version number>

interface fa0/0
ip route-cache flow

Again, I make no promises this will work. You may have to look in the documentation for the syntax of the flow-export command; I suspect there are variations depending on the version of IOS you're using. It's also possible there will be feature-set issues, meaning NetFlow may not be supported in all feature sets, such as IP Base.

Let me know how it goes....
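The collector side of the ip flow-export line above, as an added example that is not part of the original thread: a small Python parser for NetFlow v5 export datagrams (the fixed 24-byte header followed by 48-byte flow records) that computes per-flow throughput and tallies bytes per source host. The sample datagram, host addresses and field names are constructed assumptions, not output from the poster's router.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout (what "ip flow-export ... version 5" sends): a 24-byte
# header followed by up to 30 fixed-size 48-byte records, all fields big-endian.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Return one dict per flow record in a NetFlow v5 UDP payload."""
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    flows = []
    for i in range(count):
        fields = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last = fields[:9]
        sport, dport, _pad1, _tcp_flags, proto = fields[9:14]
        # first/last are router uptime in ms; clamp so a one-packet flow has a duration
        flows.append({"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                      "proto": proto, "sport": sport, "dport": dport,
                      "packets": pkts, "bytes": octets, "ms": max(last - first, 1)})
    return flows


def bytes_per_host(flows):
    """Aggregate octets by source host: the 'who is using the bandwidth' view."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def build_record(src, dst, pkts, octets, first, last, sport, dport, proto):
    """Pack one constructed v5 record (input ifindex 1, output ifindex 2, /24 masks)."""
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, pkts, octets, first, last, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample datagram (not captured from a real router): two flows.
SAMPLE = (HEADER.pack(5, 2, 600000, 1289900000, 0, 1, 0, 0, 0)
          + build_record("10.0.0.5", "203.0.113.10", 1000, 1500000, 500000, 510000, 51000, 443, 6)
          + build_record("10.0.0.7", "203.0.113.10", 10, 800, 500000, 500100, 53000, 53, 17))

if __name__ == "__main__":
    for f in parse_v5(SAMPLE):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto {f['proto']} "
              f"{f['bytes']} B over {f['ms']} ms = {f['bytes'] * 8000 / f['ms']:.0f} bit/s")
    print(bytes_per_host(parse_v5(SAMPLE)))
```

Pointing a real collector socket (UDP, the port given in ip flow-export) at parse_v5 is the only change needed to run it against live exports.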
 
LVL 2

Author Comment

by:tekrage
Comment Utility
I've been away and haven't had time to try this out but I'm going to try to test it out this weekend.  It's about the best solution I've seen so far!