Thread: Netflow help

  1. Senior Member
    Join Date
    May 2014
    Location
    NJ
    Posts
    858

    Certifications
    CCNP: R&S, CCDA, CCNA: Security, CCNA: R&S, MTA: Networking Fundamentals, Security+, Network+, Linux+, A+, Project+
    #1

    Netflow help

    Hey folks,

    I would like to implement Netflow into my environment. Never mind the back-end collector, I have not figured out that part of the equation yet (previously used Solarwinds though). I am unsure how to get started with the way my environment is laid out. Our branch offices consist of routers capable of the job, and that is nothing new to me, but our HQ and DRDC environments have me a bit puzzled. Our Nexus 5500 core appears not to support Netflow, which is where things like the load-balancers and server-farms plug into. Our access layer consists of a variety of switches, such as 3650s, 3750s, 6500s, etc. I have never set up netflow on a layer 2 device and am not even sure if it is possible. Setting netflow up on the edge router will be useless, as all traffic will appear to come from our public address. That leaves the ASA, but I am not sure if that is something we would want to do either. Does anyone here have suggestions? I have been reading some articles trying to figure this out, but am a bit puzzled.

  3. Senior Member
    Join Date
    Sep 2016
    Location
    VA
    Posts
    420

    Certifications
    CISSP, PMP, CCNP, FITSP-M
    #2
    Suggest you post this in the Cisco area, not the general "off-topic" area.
    2017: CCNP (done), FITSI-M (done) CCIE Written
    2018: CCIE R/S
    2019: VCP (DCV/NV), OSCP
    2020-1: MBA

  4. Senior Member
    Join Date
    May 2014
    Location
    NJ
    Posts
    858

    Certifications
    CCNP: R&S, CCDA, CCNA: Security, CCNA: R&S, MTA: Networking Fundamentals, Security+, Network+, Linux+, A+, Project+
    #3
    Maybe. This section is for technology but not certs so seemed promising, but if nothing turns up then maybe.

  5. networker050184, Moderator (Went to the dark side....)
    Join Date
    Jul 2007
    Posts
    11,665

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #4
    This is the perfect area to post this type of question. It's not related to a certification.


    Netflow is mostly supported on routers only so you're probably not going to have much luck with an L2 core. Why would it be an issue for public IP addresses to appear in your netflow data? Can you not trace your important services back to a NAT?
    An expert is a man who has made all the mistakes which can be made.

  6. Senior Member
    Join Date
    May 2014
    Location
    NJ
    Posts
    858

    Certifications
    CCNP: R&S, CCDA, CCNA: Security, CCNA: R&S, MTA: Networking Fundamentals, Security+, Network+, Linux+, A+, Project+
    #5
    Quote Originally Posted by networker050184:
    This is the perfect area to post this type of question. It's not related to a certification.


    Netflow is mostly supported on routers only so you're probably not going to have much luck with an L2 core. Why would it be an issue for public IP addresses to appear in your netflow data? Can you not trace your important services back to a NAT?
    Hey networker. The core is layer 3, but on Nexus 5500UP series switches, which do not seem to support netflow. We can do netflow on the edge router, and we can see traffic from one public IP is all user traffic, traffic from another is this set of servers, etc etc. It's not bad, but it's not totally granular either. If some guy is torrenting all day or streaming or whatever, I still can't track it down. But your idea beats nothing.

  7. Iristheangel (ABL - Always Be Labbin')
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,716

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #6
    Check out Stealthwatch. If you use it to collect Netflow on your edge routers/firewalls, it'll do NAT stitching where you can see pre-NAT and post-NAT IPs. If you use Cisco Routers with NBAR2, you can also collect URI information. It's pretty useful for keeping long-term storage for the flow records as well since it does flow stitching (each netflow record is unidirectional, so it takes both records that are going each way and stitches them together into one flow record) and deduplication (removing duplicate netflow records). That might solve the problem you're looking to solve, and depending on the size of the environment and the size of the flow collector, you'll probably end up with 6 months to 12 months of record retention for every netflow conversation.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos
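The two collector-side operations described in the post above (deduplication of records that more than one exporter reports, and stitching the two unidirectional records of a conversation into one), plus the per-internal-host view the original poster wants that the edge router's public-address-only data cannot give, as an added example that is not part of the thread and not Stealthwatch's or any vendor's code. The record layout, field names and the sample flow records are constructed for this example; a real collector would fill FlowRecord from its NetFlow/IPFIX decoder.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional flow record as a collector receives it.
    Field names are this example's own, not a vendor export format."""
    exporter: str          # device that exported the record (edge router, firewall, ...)
    start_ms: int          # flow start time in milliseconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: int             # IP protocol number, 6 = TCP
    byte_count: int
    packets: int
    post_nat_src: Optional[str] = None  # translated (public) source, if the exporter reports it


@dataclass
class BiFlow:
    """Both directions of one conversation, client = the side that started it."""
    client: str
    client_port: int
    server: str
    server_port: int
    proto: int
    bytes_to_server: int = 0
    bytes_to_client: int = 0
    public_src: Optional[str] = None  # public address the conversation appeared from after NAT


def dedupe(records: List[FlowRecord]) -> List[FlowRecord]:
    """Drop records describing the same flow (same 5-tuple and start time)
    seen by more than one exporter, keeping the first copy."""
    seen = set()
    unique = []
    for r in records:
        key = (r.src, r.sport, r.dst, r.dport, r.proto, r.start_ms)
        if key in seen:
            continue
        seen.add(key)
        unique.append(r)
    return unique


def stitch(records: List[FlowRecord]) -> List[BiFlow]:
    """Pair the A->B and B->A records of one conversation. The endpoint pair is
    stored as a frozenset so both directions hash to the same group; the record
    that started first defines the client. An unanswered flow still yields a
    BiFlow with only bytes_to_server counted."""
    groups: Dict[Tuple[int, FrozenSet[Tuple[str, int]]], List[FlowRecord]] = defaultdict(list)
    for r in records:
        groups[(r.proto, frozenset([(r.src, r.sport), (r.dst, r.dport)]))].append(r)
    flows = []
    for group in groups.values():
        first = min(group, key=lambda r: r.start_ms)
        flow = BiFlow(first.src, first.sport, first.dst, first.dport, first.proto,
                      public_src=first.post_nat_src)
        for r in group:
            if (r.src, r.sport) == (flow.client, flow.client_port):
                flow.bytes_to_server += r.byte_count
            else:
                flow.bytes_to_client += r.byte_count
        flows.append(flow)
    return flows


def top_talkers(flows: List[BiFlow]) -> List[Tuple[str, int]]:
    """Total bytes per internal client, largest first."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.client] += f.bytes_to_server + f.bytes_to_client
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample: an edge router and a firewall both export the same
# conversations, so each direction of each flow shows up twice.
SAMPLE = [
    FlowRecord("edge-rtr", 1000, "10.1.1.5", 51000, "203.0.113.10", 443, 6, 1500, 10, "198.51.100.1"),
    FlowRecord("edge-rtr", 1010, "203.0.113.10", 443, "10.1.1.5", 51000, 6, 90000, 70),
    FlowRecord("asa", 1000, "10.1.1.5", 51000, "203.0.113.10", 443, 6, 1500, 10, "198.51.100.1"),
    FlowRecord("edge-rtr", 2000, "10.1.1.7", 40000, "192.0.2.20", 6881, 6, 500_000, 400, "198.51.100.1"),
    FlowRecord("edge-rtr", 2005, "192.0.2.20", 6881, "10.1.1.7", 40000, 6, 2_000_000, 1500),
    FlowRecord("asa", 2005, "192.0.2.20", 6881, "10.1.1.7", 40000, 6, 2_000_000, 1500),
]

if __name__ == "__main__":
    for host, total in top_talkers(stitch(dedupe(SAMPLE))):
        print(f"{host:<12} {total:>10} bytes")
```

Dedupe before stitching: a duplicate that survives into stitch() would be counted as extra bytes on one side of the conversation. Keying duplicates on the 5-tuple plus start time is the simple version; exporters that time-stamp the same flow slightly differently need a tolerance window instead of exact equality.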

  8. Senior Member
    Join Date
    May 2014
    Location
    NJ
    Posts
    858

    Certifications
    CCNP: R&S, CCDA, CCNA: Security, CCNA: R&S, MTA: Networking Fundamentals, Security+, Network+, Linux+, A+, Project+
    #7
    Quote Originally Posted by Iristheangel:
    Check out Stealthwatch. If you use it to collect Netflow on your edge routers/firewalls, it'll do NAT stitching where you can see pre-NAT and post-NAT IPs. If you use Cisco Routers with NBAR2, you can also collect URI information. It's pretty useful for keeping long-term storage for the flow records as well since it does flow stitching (each netflow record is unidirectional, so it takes both records that are going each way and stitches them together into one flow record) and deduplication (removing duplicate netflow records). That might solve the problem you're looking to solve, and depending on the size of the environment and the size of the flow collector, you'll probably end up with 6 months to 12 months of record retention for every netflow conversation.
    Awesome, I'll look into this. Thank you.

  9. Senior Member
    Join Date
    May 2014
    Location
    NJ
    Posts
    858

    Certifications
    CCNP: R&S, CCDA, CCNA: Security, CCNA: R&S, MTA: Networking Fundamentals, Security+, Network+, Linux+, A+, Project+
    #8
    Quote Originally Posted by Iristheangel:
    Check out Stealthwatch. If you use it to collect Netflow on your edge routers/firewalls, it'll do NAT stitching where you can see pre-NAT and post-NAT IPs. If you use Cisco Routers with NBAR2, you can also collect URI information. It's pretty useful for keeping long-term storage for the flow records as well since it does flow stitching (each netflow record is unidirectional, so it takes both records that are going each way and stitches them together into one flow record) and deduplication (removing duplicate netflow records). That might solve the problem you're looking to solve, and depending on the size of the environment and the size of the flow collector, you'll probably end up with 6 months to 12 months of record retention for every netflow conversation.
    It looks very cool, but it seems to do way more than what I need. Unfortunately, we use some free stuff for graphing stats from SNMP. I hate it, it's hard to use, but it's probably going to be our netflow collector. I have never done netflow on an ASA. It seems possible but with limitations. What are your thoughts on that?

  10. Iristheangel (ABL - Always Be Labbin')
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,716

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #9
    It's fine on an ASA. It can send NSEL data that gives metrics on the flows, NAT information, and flow action (denied, allow, etc). Don't expect URL information though.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos

  11. Iristheangel (ABL - Always Be Labbin')
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,716

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #10
    Note: If you can disassemble the raw flow, you'll get that NAT data. It's just going to be a lot more manual.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos
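What "disassembling the raw flow" from an ASA amounts to, as an added example that is not part of the thread and not Cisco's or any collector's code: a minimal NetFlow v9 decoder that learns the template flowset, decodes the data flowset with it, and pulls out the NAT and firewall-event fields the two posts above mention. The element IDs are the IANA IPFIX numbers NSEL uses (8/12/7/11/4 for the pre-NAT 5-tuple, 225 to 228 for the post-NAT addresses and ports, 233 for the firewall event); the packet bytes themselves are constructed by build_sample_packet() for this example, not captured from a device, and the template layout it uses is a simplification of what an ASA actually exports.

```python
import struct
from typing import Dict, List, Tuple

# IANA IPFIX information element IDs as carried in NetFlow v9 exports.
IE_NAMES = {
    8: "src", 12: "dst", 7: "sport", 11: "dport", 4: "proto",
    225: "post_nat_src", 226: "post_nat_dst",
    227: "post_nat_sport", 228: "post_nat_dport",
    233: "fw_event",
}
FW_EVENT = {1: "created", 2: "deleted", 3: "denied", 4: "alert", 5: "update"}
IPV4_FIELDS = {"src", "dst", "post_nat_src", "post_nat_dst"}
Template = List[Tuple[int, int]]  # (element id, field length) pairs


def decode_field(name: str, raw: bytes):
    if name in IPV4_FIELDS:
        return ".".join(str(b) for b in raw)
    value = int.from_bytes(raw, "big")
    return FW_EVENT.get(value, f"unknown({value})") if name == "fw_event" else value


def parse_v9(packet: bytes, templates: Dict[int, Template]) -> List[dict]:
    """Walk the flowsets of one NetFlow v9 packet. Templates (flowset id 0) are
    stored in `templates`, which the caller keeps across packets because an
    exporter resends templates only periodically; data flowsets (id >= 256)
    are decoded with the template of the same id, or skipped if it is unknown."""
    version = struct.unpack("!HHIIII", packet[:20])[0]  # version, count, uptime, secs, seq, source id
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records: List[dict] = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            break  # malformed length: stop instead of looping forever
        body = packet[off + 4:off + fs_len]
        off += fs_len
        if fs_id == 0:
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields: Template = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[p:p + 4]))
                    p += 4
                templates[tid] = fields
        elif fs_id >= 256 and fs_id in templates:
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):  # any trailing bytes are alignment padding
                rec = {}
                for ie, flen in fields:
                    name = IE_NAMES.get(ie, f"ie{ie}")
                    rec[name] = decode_field(name, body[p:p + flen])
                    p += flen
                records.append(rec)
    return records


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_sample_packet() -> bytes:
    """Construct (not captured) a v9 packet: one NSEL-style template, two records."""
    layout: Template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1),
                        (225, 4), (226, 4), (227, 2), (228, 2), (233, 1)]
    tmpl = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", *f) for f in layout)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, nsrc, ndst, nsport, ndport, event):
        return (_ip(src) + _ip(dst) + struct.pack("!HHB", sport, dport, proto)
                + _ip(nsrc) + _ip(ndst) + struct.pack("!HHB", nsport, ndport, event))

    # Record 1: an internal host's outbound flow, created and PAT-translated.
    # Record 2: a denied flow; no translation happened, so the NAT fields are zero.
    data = (rec("10.1.1.7", "192.0.2.20", 40000, 6881, 6, "198.51.100.1", "192.0.2.20", 12001, 6881, 1)
            + rec("10.1.1.9", "192.0.2.30", 50000, 23, 6, "0.0.0.0", "0.0.0.0", 0, 0, 3))
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3, 0, 0, 0, 0)  # version 9, 3 records, zeroed timing fields
    return header + template_fs + data_fs


def nat_table(records: List[dict]) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Public (ip, port) -> internal (ip, port) for flows the firewall created:
    the lookup that ties an edge-side public address back to a host."""
    return {(r["post_nat_src"], r["post_nat_sport"]): (r["src"], r["sport"])
            for r in records if r.get("fw_event") == "created"}


def denied_flows(records: List[dict]) -> List[Tuple[str, str, int]]:
    return [(r["src"], r["dst"], r["dport"]) for r in records if r.get("fw_event") == "denied"]


if __name__ == "__main__":
    seen_templates: Dict[int, Template] = {}
    recs = parse_v9(build_sample_packet(), seen_templates)
    print("NAT table:", nat_table(recs))
    print("denied:", denied_flows(recs))
```

The template dictionary lives outside parse_v9() on purpose: a data flowset that arrives before its template has been seen is unreadable, and a collector that only keeps per-packet state will silently drop every record until the next template refresh.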
