NetFlow Configuration Cheat – Interface configs killing you? Let us help!

Posted in NetFlow, NetFlow Analyzer, Network Problem Resolution on December 4th, 2009 by nathanh

Happy Friday everyone!

The other day I was working with a new customer getting NetFlow export enabled on his Cisco 3800 routers. When I was explaining the concept of using the ip flow ingress command in enabling NetFlow per interface, he said:

“I have to do that on all my interfaces?!? I have like ten sub-interfaces to do.”

In reality, ten interfaces isn’t really hard to configure, but it can be… cumbersome.

So if you are enabling NetFlow on a device with LOTS of VLANs, a nice quick way to get things up and running is to use the int range command.

You can do this by typing the following:

Read more »


NetFlow v9 and ip flow egress – Is it time to make the transition?

Posted in NetFlow on September 25th, 2009 by nathanh

If you checked your router’s NetFlow configs, you’ll most likely find that you’re exporting NetFlow v5 templates. If you’re not sure, do a show run | i ip flow and look for:

ip flow-export version 5

With NetFlow v5, all your traffic is measured based on the ingress of an interface. What goes in, must come out, right?

This is not always the case…

Read more »


Setting up SNMP on the Cisco ASA using ASDM

Posted in NetFlow, NetFlow Analyzer, SNMP on September 24th, 2009 by Jon Mills

In case you haven’t noticed, NetFlow support for Cisco ASA firewalls is a hot topic around here lately. Since Mike helped you get NetFlow configured using ASDM 6.2 on your Cisco ASA, I thought I might blog about how to configure SNMP on your Cisco ASA using ASDM.

The first order of business is to navigate to the screen shown below:

Read more »


Jon Mills
Marketing & Public Relations Manager

IP flow-cache timeout active – Are you using it?

Posted in NetFlow, Network Problem Resolution on July 24th, 2009 by nathanh

With flow monitoring becoming a practical solution for traffic analysis, numerous vendors have created their own version of flow export for their devices. Regardless of whether you are working with NetFlow, sFlow, Netstream, or jFlow, each device’s exportation method is similar.

Consider the command: ip flow-cache timeout active 1

I wanted to cover this command that is native to Cisco devices using NetFlow, simply because everyone forgets to use it. But before I rave about how important it is, just remember that this configuration can be found in various forms, across multiple vendors. Here’s a brief list:

Read more »


Cisco Systems 7600 Series and NetFlow – Not an ordinary router

Posted in Denika, NetFlow, Network Problem Resolution, Network Traffic Monitor, SNMP, Scrutinizer on July 20th, 2009 by Raul J Duran

“Why don’t I see my VLAN traffic?” was the question one of our customers asked me the other day. Although other Cisco models were exporting flows properly, it seemed that all of his Cisco 7600s were underreporting traffic.

Cisco Systems 7600 router options

Read more »


Not getting NetFlow – What can I do?

Posted in NetFlow, Network Problem Resolution, Scrutinizer on July 10th, 2009 by nathanh

With network infrastructures changing faster than the weather in New England, sometimes one simple fix can create two new issues, and then tracking THOSE problems takes more time than the end solution.

With that in mind, I want to offer a couple tips that could help in troubleshooting a common Cisco NetFlow configuration issue that I run into with new and old customers alike: The problem of not getting NetFlow.

So I was thinking, what better way to help you than with a NetFlow flow chart?

Read more »


What is Cisco NetFlow? How does it work?

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Scrutinizer on June 26th, 2009 by nathanh

With the upcoming release of Scrutinizer v7, we’ve spent a LOT of time addressing very technical questions or findings regarding Cisco NetFlow. Whether it’s template version differences, packet capture analysis, or how cool it is to have a NetFlow license plate, it’s been covered. But I don’t think we’ve ever written a blog post about what NetFlow is and how it can help a new user.

So this one goes out to any new user who just wants to know what the hype is all about.

Simply put, NetFlow makes any Network Admin look like a rockstar. If you are asking “how?”, let me elaborate…
NetFlow is a technology developed by Cisco that monitors and records all traffic passing through the supported NetFlow router/switch. First, see this blog post for a list of devices that support NetFlow.

Is your router on the list? Good…

Read more »


NetFlow Detective – The case of the missing notes

Posted in General, NetFlow, Netflow Detective, Scrutinizer on May 18th, 2009 by jimmyd

It was a cold afternoon here in the city, colder than your normal spring afternoon. Things had been hectic here in the office lately, but I had a feeling that things were going to get much, much busier.

A tall man walked through the door.

“Are you the Cisco NetFlow detective?” he asked.

“Yes, I am. What can I do for you?”

“I’m in trouble, big trouble!” he said.

“What kind of trouble?” I knew that he was in trouble from the second I saw him; it’s the kind of trouble that haunts a man, the kind that brings them to a guy like me.

“Jimmy, I’m getting logs from the IDS and firewalls notifying me of an intrusion attempt. They are trying to communicate to a local IP, but I don’t know who that local IP is or who else they were talking to.”

“What’s even worse is that our school district was awarded a technology grant that makes us a beacon school for technology. These hacks are getting out to the news and my job is on the line. The school board is calling for an investigation into my actions. I don’t know what else I can do!”

“Don’t worry Joe, I’ve seen this before and I can help you out. Let’s look at your network. What do you have behind that firewall?”

“We have multiple Cisco routers and three Catalyst switches,” said Joe.

“Good news Joe, they support Cisco NetFlow. This will be easy.”

Joe looked confused. “What’s Cisco NetFlow?”

“NetFlow is a protocol developed by Cisco to help you manage your network traffic. It gives you a record of each conversation. It can tell you who is talking on your network, who they are talking to and what they are saying. We’ll use Scrutinizer to help us manage and report on it. It will find out where the issue is.”

After a few minutes Jimmy D and Joe had set up Scrutinizer and were successfully sending flows from all the switches and routers.

“Now we need to let it gather some data. Let’s get together in the morning.”

The Next Day:

“First, let’s take a look at the firewall logs.”

As we browsed through the list something caught my attention. It appeared the attacks were coming from a 66.122.5.200 address. We then created a custom report in Scrutinizer to reveal who was attempting to communicate with this address. We already knew that the internal machine wasn’t getting to the IP in question, but we still wanted to know who is trying to communicate with it. It could be a virus or worse.

We first resolved the outside IP of 66.122.5.200 and it returned the host www.hackedquiznotes.tv. We then created a custom report that generated all conversations to and from that IP. On a hunch, I decided to report on the router that served the student level of the campus.

We ran the report and found the issue.

“Look, from here we can see that this workstation is trying to communicate with that IP. We can also see that they were using port 6609. Let’s go down to that lab and look at that machine.”

Soon Jimmy D and Joe were in the computer lab face-to-face with a student.

“Ben, this is Detective Jimmy D and he is looking at some issues with our network,” said Joe.

“Excuse me for a moment Ben, I need to check something on that computer.” Joe and I sat down at the computer while Ben stood over by the door.

“Haven’t I seen him before?” I asked.

“You might have seen Ben in the paper. He and his father helped break ground on the new CBA Network Management building. CBA Network is one of the companies asking the school district to outsource their network solutions to them. They are trying to cut costs.”

I started typing and the pieces started to come together… The picture wasn’t good.

“Joe, it looks like Ben added an app that monitors certain folders for any activity. Once activity is detected it uploads that file to a remote site. In this case, it is www.hackedquiznotes.tv, via port 6609.”

“That’s not right. Ben wouldn’t have access like that…”

Joe quickly sat down at the computer and checked on the user name that was running that service. The user’s name is abcnm and it was created two weeks ago by Jon, the Jr. Admin.

Joe turned to me and had a horrible look on his face.

“What’s wrong, Joe?” I said.

“I can’t believe it,” said Joe. “Two weeks ago Jon, my Jr. Admin, was passed up for the Admin position. He was very upset that I had gotten the job. He wanted it, and wanted it bad.”

“Why do you think he did this?” asked Joe.

Joe quickly turned to Ben and asked, “What do you have to say about this?”

All of a sudden a look of anger came over Ben’s face. The kind of anger you see when you see the senior quarterback missing the last touchdown during the last second of his last game ever.

“Arggg, I would have gotten away with it, if it wasn’t for him!” yelled Ben. “My dad was going to buy me a new car, if he won this contract. So I made sure Jon would take over your job in the new building. The district would have gotten rid of you by then!”

“Ahh I see,” said Joe. “Well I think that you need to speak with Vice Principal Flanagan. I’ll bet he will want to contact the District and your father!”

“Thank you Jimmy D. You have saved my position!”

“Not a problem Joe, that is my job.”

Although quite a bit of this story is fictional, it is based on a real-life call. Some of the names have been changed to protect the innocent.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

The fine art of NetFlow poetry . . . . . .

Posted in General on February 11th, 2009 by jimmyd

I’m a geek, there is no doubt about it. I have been a geek since I was 8 years old, and my dad bought my first computer, a Timex Sinclair 1500. If you are a true geek, then you know how long I have been a geek.

Anyways, something special happened in my geeky world this weekend. Something so miraculous, something way outside of the ordinary 1’s and 0’s, that it had to be noted.

I discovered poetry…

Now this isn’t your regular coffee house poetry that can be as hideous as Vogon Poetry, which The Hitchhiker’s Guide to the Galaxy notes as the third worst kind of poetry in the Universe. (I said I was a card-carrying geek.) This poetry is dimensional; it adds temperature, sound and feelings. Most importantly, it is packed in a way that is easy for anyone to swallow. This poet’s name is Ken Nordine.

Sunday morning, I decided to sit down with my smartphone and listen. The prose that caught my attention was “Windshield Wipers.” Suddenly, without any question, I knew that I had a mission. I needed to let people know about this undiscovered gem.

Now, you have to understand that I live in a geek-centric world. At no time did I sit down and rationalize my findings with myself. I never thought that I was the one behind, while the rest of the world had already discovered Ken’s work.

Blindly, I started to contact people.

My first goal was to contact the poet himself. I quickly Googled his site and learned all I could. I clicked the “contact me” link and happily emailed Ken. I wanted to let him know that I appreciated his work and liked his website. It was a shot in the dark but maybe, just maybe, I would get a reply…

Later that day, my phone woke up with a warm voice saying “You’ve got mail”. To my surprise, it was a short email from Ken. I was on a roll! Now I need to let others know of my findings.

A co-worker of mine was a theater major in college, so I figured that he would know about Ken. So, I quickly IM’d him, wondering if he too had run across this genius. Had he also heard Ken’s verse and enjoyed its simple and complex meanings? He quickly replied, “NO.” Devastated, I chose to forge on with my quest. I asked him to wiki the subject so we were both on the same page. I babbled on about how I thought it was cool that Ken emailed me back. I mean, it’s not every day you are able to talk face to face (well, email to email) with someone of this caliber. Mitch, being the character he is, asked me if I really thought it was him, shedding doubt on the whole event. This seed of disbelief was hard to shake. In retaliation, I sent him an angry face emoticon, he replied with a “lol” and we went back to work.

So, in my last attempt to let people know that there is more to life than the complexities of Network Management, I decided to use this experience for today’s blog. More importantly, I have added a new keyword to my tags. I am proud to say that I can not only talk about Cisco, NetFlow and other network management wonders, but I can also discuss poetry.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

How do I configure NetFlow on my Cisco 6509 Catalyst?

Posted in General, Network Traffic Analysis, Scrutinizer on January 30th, 2009 by nathanh

For some reason, this week I’ve been bombarded with questions regarding configuring the 6509 Catalyst for NetFlow.

Being a switch/router hybrid model, the configurations are a little different from standard Cisco router models, like the 2811, but not too much.

I would also recommend checking out this great resource directly from Cisco to configure the 6509 Catalyst for NetFlow.

With most Cisco routers, there are two sets of commands used to enable NetFlow. However, with the 6509, there are technically three sets of commands.

To enable NetFlow on the router, you need the following:

ip flow-export source (insert interface name here)
ip flow-export version 5
ip flow-export destination (netflow collector ip address) (port to export flows to)
! the next command enables flows for all bridged traffic
ip flow ingress layer2-switched vlan (insert vlans X,Y,Z)
ip flow-cache timeout active 1

Once those are in place, we now need to configure NetFlow for the switched traffic:

mls nde sender version 5
mls flow ip interface-full
mls nde interface
mls aging long 64
mls aging normal 64

After you have configured these globals, you now can configure each of the interfaces themselves for NetFlow:

ip route-cache flow
ip flow ingress

I have discussed the usage of the ip route-cache flow and ip flow ingress commands before. You might want to take a look for more details.
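As an added example (not part of the original post, and not Cisco or Plixer code), the Python check below reads a saved running-config and reports which of the three command sets listed above are missing, globally and per interface. The sample config, the collector address 192.0.2.10, port 2055 and the interface names are constructed for illustration.

```python
# Command sets as listed in the post; entries ending in a space take site-specific arguments.
ROUTER_GLOBALS = ["ip flow-export source ", "ip flow-export version 5",
                  "ip flow-export destination ",
                  "ip flow ingress layer2-switched vlan ",
                  "ip flow-cache timeout active 1"]
SWITCH_GLOBALS = ["mls nde sender version 5", "mls flow ip interface-full",
                  "mls nde interface", "mls aging long 64", "mls aging normal 64"]
INTERFACE_CMDS = ["ip route-cache flow", "ip flow ingress"]

def parse(config):
    """Split a running-config into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            current = None                      # "!" separators end an interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[0].isspace() and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(config):
    """Return the commands from each set that the config does not contain."""
    global_lines, interfaces = parse(config)
    missing_if = {}
    for name, cmds in interfaces.items():
        missing = [c for c in INTERFACE_CMDS if c not in cmds]
        if missing:
            missing_if[name] = missing
    return {
        "router": [p for p in ROUTER_GLOBALS
                   if not any(g.startswith(p) for g in global_lines)],
        "switch": [c for c in SWITCH_GLOBALS if c not in global_lines],
        "interfaces": missing_if,
    }

# Constructed sample: "mls nde interface" is absent and Vlan20 lacks one command.
SAMPLE = """\
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 192.0.2.10 2055
ip flow ingress layer2-switched vlan 10,20
ip flow-cache timeout active 1
mls nde sender version 5
mls flow ip interface-full
mls aging long 64
mls aging normal 64
!
interface Vlan10
 ip route-cache flow
 ip flow ingress
!
interface Vlan20
 ip flow ingress
!
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```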

That wasn’t so bad, was it?

-Nate
