NMS Lab3 NetFlow Monitoring

HELSINKI METROPOLIA UNIVERSITY OF APPLIED SCIENCES

Network Management in IP Networks

Lab 3: NetFlow Monitoring

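Topology

[Figure: lab topology. Router1, Router2 and Router3 are connected in a chain over serial links (Serial 0/0/0 and Serial 0/0/1, DCE ends marked). Router1 Fa 0/0 connects to SW1 Fa 0/24 on 192.168.10.0/24; Router3 Fa 0/0 connects to SW2 Fa 0/24 on 10.10.10.0/24. PC 1 and PC 2 (NetFlow Analyzer) attach to SW1 on Fa 0/5 and Fa 0/6; PC 3 attaches to SW2 on Fa 0/18. Each router and switch is an SNMP agent.]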

Addressing Table

Device  Interface     IP Address      Subnet Mask      Gateway
PC1     NIC           192.168.10.10   255.255.255.0    192.168.10.254
PC2     NIC           192.168.10.11   255.255.255.0    192.168.10.254
PC3     NIC           10.10.10.10     255.255.255.0    10.10.10.254
SW1     VLAN1         192.168.10.253  255.255.255.0    192.168.10.254
SW2     VLAN1         10.10.10.253    255.255.255.0    10.10.10.254
R1      Fa 0/0        192.168.10.254  255.255.255.0    NA
        Serial 0/0/0  172.16.10.1     255.255.255.252  NA
R2      Serial 0/0/0  172.16.10.2     255.255.255.252  NA
        Serial 0/0/1  172.16.10.5     255.255.255.252  NA
R3      Fa 0/0        10.10.10.254    255.255.255.0    NA
        Serial 0/0/1  172.16.10.6     255.255.255.252  NA

Objective

The objective of this lab is to get familiar with NetFlow monitoring, get a practical view of
bandwidth usage breakdown and gain experience using Cisco IP SLA.

Equipment and Tools

The following equipment and tools are needed to perform the laboratory exercises:
3 SNMP manageable routers with NetFlow support (Cisco 2811)
2 SNMP manageable switches (Cisco 2960)
3 PCs
cables
Trial version of NetFlow Analyzer
Trap Receiver

Working

Network Setup and Configuration

1. Set up a network as shown in the picture. Make sure that the start-up configuration file is
empty on each device. Copy the device configurations provided at the end of this
document. Verify the network connectivity (for example, ping PC3 from PC1).

2. Configure all switches and routers to support SNMP with the default community string
"public". Give read/write access with this community string.
In all the active interfaces of the routers, enable SNMP ifIndex persistence with the
following command:
snmp-server ifindex persist

This command allows an interface index value to persist across reboots, which is useful
for greater accuracy of network management data.

Cisco NetFlow is a Cisco-developed flow technology that allows bandwidth monitoring of a
network. Cisco routers and switching devices export NetFlow as UDP packets. These Cisco NetFlow
packets can be analyzed using NetFlow Analyzer to monitor bandwidth and to gather information on
the top talkers, applications and many other features. [ManageEngine]

3. Configure NetFlow export from the global configuration mode on all routers.

Set the NetFlow export version to version 9 (the newest one):
ip flow-export version 9

Set the source IP address of the NetFlow exports sent by the device. NetFlow Analyzer
will send SNMP requests to the device on this IP address:
ip flow-export source <one of the router active interfaces>

Export the NetFlow cache entries to the specified IP address. Use the IP address of the
NetFlow Analyzer server running on PC2 and the default listener port:
ip flow-export destination 192.168.10.11 9996

Break up long-lived flows into 1-minute fragments:
ip flow-cache timeout active 1

Export the flow information for connections that have been inactive for 15 seconds:
ip flow-cache timeout inactive 15

Enable NetFlow for each active router interface with the following command:
ip flow ingress

Display a summary of the NetFlow statistics and make sure that NetFlow is functioning
properly:
show ip cache flow
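
What the routers send to port 9996 once step 3 is configured, shown as an added example that is not part of the original lab: a minimal NetFlow v9 parser in Python, run on a constructed export packet. The function names, the sample packet and ifIndex 2 are assumptions for illustration; the header and flowset layout follow RFC 3954.

```python
import ipaddress
import struct

# Subset of NetFlow v9 field types (RFC 3954): type number -> name.
FIELDS = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 8: "src_addr",
          10: "input_snmp", 12: "dst_addr"}

def learn_templates(body, source_id, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, n = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * n
        if tid < 256 or end > len(body):
            break  # padding or truncated template record
        # A template is a list of (field_type, length) pairs.
        templates[(source_id, tid)] = list(struct.iter_unpack("!HH", body[pos + 4:end]))
        pos = end

def decode_records(body, tmpl):
    size, out = sum(length for _, length in tmpl), []
    if size == 0:
        return out
    for start in range(0, len(body) - size + 1, size):  # trailing padding is ignored
        rec, pos = {}, start
        for ftype, length in tmpl:
            raw, pos = body[pos:pos + length], pos + length
            rec[FIELDS.get(ftype, f"type_{ftype}")] = (
                str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big"))
        out.append(rec)
    return out

def parse_v9(packet, templates):
    """Decode one export packet; `templates` must persist across packets."""
    if len(packet) < 20 or packet[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 packet")
    source_id = struct.unpack_from("!I", packet, 16)[0]
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("flowset length out of bounds")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                          # template flowset
            learn_templates(body, source_id, templates)
        elif (source_id, fs_id) in templates:   # data flowset with a known template
            flows += decode_records(body, templates[(source_id, fs_id)])
        offset += fs_len
    return flows

def sample_packet():
    """Constructed export: template 256 plus one ICMP flow (ifIndex 2 is assumed)."""
    # Template id 256, 6 fields, then (type, length) pairs.
    tmpl = struct.pack("!14H", 256, 6, 8, 4, 12, 4, 4, 1, 2, 4, 1, 4, 10, 2)
    rec = bytes([10, 10, 10, 10, 192, 168, 10, 10]) + struct.pack("!BIIH", 1, 60, 3600, 2) + b"\x00"
    return (struct.pack("!HHIIIIHH", 9, 2, 0, 0, 1, 0, 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(rec)) + rec)
```

The input_snmp field carries the interface's ifIndex, which is why step 2 makes ifIndex values persistent. A data flowset that arrives before its template is skipped, so a collector only decodes a router's flows after it has seen that router's template.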

ManageEngine NetFlow Analyzer is a traffic analytics tool that leverages flow technologies to
provide real-time visibility into the network bandwidth performance. It collects, analyzes and
reports on what the network bandwidth is being used for and by whom. [ManageEngine]

4. We will install the 30-day trial version of NetFlow Analyzer on PC2.
Run the installation file C:\Users\Student\Desktop\NMS\Soft >
ManageEngine_NetFlowAnalyzer_HighPerf_9862_64bit.exe

Accept the default settings: NetFlow Analyzer will use 8080 as the default web server
port and 9996 as the default port to listen for NetFlow packets.
The default SNMP community string is public, the default SNMP port is 161.
Do not register for Technical support (leave all fields blank) and click on Skip.

5. Open the NetFlow Analyzer web interface: http://localhost:8080
Log in with the default username and password (admin, admin).
You might need to wait for a few minutes (~5 - 7 mins) before all three routers are
visible in NetFlow Analyzer. Go to Devices and check that R1, R2 and R3 are listed
there with all up interfaces. Click on the router's name to view the interfaces.

If you see the message "Some of the interfaces have been listed as IfIndex. Enter the
router's SNMP Parameters to retrieve the interfaces names", click on SNMP
Parameters and click Update.

Go to Dashboards and get familiar with information provided by NetFlow Analyzer. The
main dashboard provides summarized data for the whole network. You can separate data
for each device and each interface by clicking on the device name or interface name.

6. Set the correct time on R1 from privileged mode:
clock set ?
Configure R1 as NTP master from the global configuration mode:
ntp master
Configure R2 and R3 as NTP clients with the following command from the global
configuration mode. Check if the routers have synced with R1. It might take some time:
ntp server <R1 ip address>
show clock

Cisco IOS IP SLAs sends data across the network to measure performance between multiple
network locations or across multiple network paths. It simulates network data, IP services and
collects network performance information in real time. Measurements provided by the various
Cisco IOS IP SLAs operations can be used for troubleshooting, for problem analysis, and for
designing network topologies. [Cisco] We will use SLA to generate different types of traffic.

7. Install Apache on PC3 from C:\Users\Student\Desktop\NMS\Soft > httpd-2.0.65-win32-x86-no_ssl.msi
Use the following parameters:
Network domain: localhost
Server Name: localhost
Administrator's Email Address: admin@localhost
Leave the remaining settings at their defaults. Apache will be started automatically after installation.
Verify the Apache installation. Open a browser on PC3 and type http://localhost in
the address bar. You should see the page confirming that the installation of the Apache
web server software was successful. Do not proceed if you cannot see this page.

8. Generate traffic from R1 to the HTTP server using IP SLA:
R1(config)#ip sla 1
R1(config-ip-sla)#http get http://<PC3 ip address>
R1(config-ip-sla-http)#frequency 60
R1(config-ip-sla-http)#exit

R1 will send an HTTP request to PC3 every 60 seconds.

Create the IP SLA schedule:
R1(config)#ip sla schedule 1 start-time now life forever

Configure R3 as a responder:
R3(config)#ip sla responder

9. Generate ICMP traffic from R1 to R3:
R1(config)#ip sla 2
R1(config-ip-sla)#icmp-echo <R3 ip address>
R1(config-ip-sla-echo)#frequency 10
R1(config-ip-sla-echo)#exit

Create a schedule for ip sla 2:
R1(config)#ip sla schedule 2 start-time now life forever

10. Set up an FTP server on PC3.
On PC3, create a folder FTP on the desktop. Create a text file with any content and give
the file a short name.

Start FileZilla Server and open the FileZilla Server Interface (find the icons on the Desktop), click
OK to connect to the server.
Create a new user. Go to Edit -> Users
Add a user admin.
Tick the field Password and set the password to adminpass
Don't close the Users window, go to Shared folders.
Add your FTP folder as a shared folder.
Click OK to apply settings.

Open ftp://10.10.10.10 in the browser and enter the username and password given above
to verify that the FTP server is working and you can access the file you previously created in
the shared folder.

11. Generate FTP traffic from R1 to PC3. R1 will request the text file every 30 seconds:
R1(config)#ip sla 3
R1(config-ip-sla)#ftp get ftp://admin:adminpass@10.10.10.10/<your_file_name>
R1(config-ip-sla-ftp)#frequency 30
R1(config-ip-sla-ftp)#exit

Create the schedule for ip sla 3 similarly to ip sla schedule 1 and 2.

12. Verify IP SLA operation:
show ip sla statistics
Make sure that it returns "Latest operation return code: OK" for each IP SLA
operation.

13. NetFlow Analyzer supports IP SLA monitoring of VoIP, WAN and Video traffic.
We will create a VoIP monitor that tests the connection between R1 and R3.
Open the NetFlow Analyzer web interface and go to the IPSLA tab.
Go to Settings and start creating a new monitor.

Enter a name for the monitor, choose R1 as the source router and set the source port to
16384. Enter the R3 IP address as the destination IP and click Add.
Click Submit, then Apply to Device.
You should see the notification that the configuration was successfully submitted to the
device.

Do not proceed if you get error messages. If the configuration cannot be submitted to the
router, check that you provided read/write access to the router with the community string
public.

Open a console connection to R1 and make sure that ip sla was added to the router
configuration.

Go to All monitors and open the details by clicking on the name of the monitor.

You might need to wait for a few minutes to get it working.
Make sure that Last Oper. Status is 100.0 % Success.

Find the packet loss, latency, jitter and RTT values for the generated traffic.

14. Go to Devices and click on R1 to display the R1 statistics. All traffic generated by IP
SLA has to be present in the Application table.
Generated VoIP traffic is displayed as unknown traffic.
In the Application table, find unknown traffic and click Show Ports, then Add
Mapping. There you should see port 16384. Add the application name (for example,
IPT) and save the mapping. From that moment, all the new traffic from port 16384 will
be displayed as IPT. Look at the Application table and make sure that you can see IPT
there.

15. NetFlow Analyzer provides statistics for the whole network, for each device and for
each interface.
Go back to Devices tab, click on interface Serial0/0/0 of R1. You will see the graph
and numbers for the interface speed. Switching between the tabs, you can find
information about traffic volume, link utilization and number of packets sent and
received.
Go to the Application tab (in the upper row) and find out which applications generate the
highest amount of traffic.

Find the answers to the following questions:
What application causes the highest traffic percentage on R2?
Which devices participate in the top conversation for R2? Which protocol do they use?
What is the average in and out link utilization on interface Serial0/0/1 of R3?
How much FTP traffic did R3 send on interface Serial0/0/1 (traffic OUT)?

16. NetFlow Analyzer allows you to configure alerts and set threshold values. It can be
configured to send SNMP traps or emails when a certain condition is triggered.

Install Trap Receiver on PC2 from
C:\Users\Student\Desktop\NMS\Soft\TrapReceiver720-x64>setup.exe and click Next to
accept the default settings.

Run the program either from the shortcut on the desktop or from Start > All
Programs > Trap Receiver and find out which port the Trap Receiver listens on for traps
(Trap Source).

In the Trap Receiver window click Configure. Go to Mibs > Load MIB. Browse to
C:\ManageEngine\NetFlow\lib\ADVENTNET-NETFLOWANALYZER-MIB.
If you don't see this file, remove the filter which shows only *.mib and *.my files.
Click OK and tick the Translate OIDs option.
This configuration provides human-readable names for OIDs sent by NetFlow Analyzer
in SNMP traps.

Configure NetFlow Analyzer to send SNMP traps if:
router R1 receives more than 30 ICMP packets per minute on S0/0/0 interface
router R1 receives more than 100KB ICMP traffic per minute on S0/0/0 interface.

In NetFlow Analyzer, go to Alert Profiles.
Click Add to add Alert Profile.
Alert Profile Name: ICMP packets
Description: 30 packets/1 min limit exceeded
Selected Interfaces: R1 (Serial0/0/0)
Define Alert Criteria: IN Traffic
Application: icmp
Define Thresholds and Action:
Packets: 30 packets / 1 time / 1 minute
Select action: SNMP Trap
PC2 IP address: Trap Receiver listening port: community string (public)
Save the alert configuration.

Go back to Alert Profiles and add another alert profile.
Alert Profile Name: ICMP volume
Description: 100KB/1 min limit exceeded
Selected Interfaces: R1 (Serial0/0/0)
Define Alert Criteria: IN Traffic
Application: icmp
Define Thresholds and Action:
Volume: 100KB / 1 time / 1 minute
Select action: SNMP Trap
PC2 IP address: Trap Receiver listening port: community string (public)
Save the alert configuration.

ICMP traffic generated by IP SLA does not exceed the limits.
Generate more ICMP traffic by pinging PC3 from PC1:
ping 10.10.10.10 -t

Wait for a couple of minutes and make sure that Trap Receiver has received a trap. The
trap details can be viewed by clicking on it. You should also see the alert
counters for the ICMP packets alert profile increasing in NetFlow Analyzer.

Generate larger ICMP packets:
ping 10.10.10.10 -t -l 10000

This should cause both the ICMP packets and ICMP volume alerts to be generated.

This is only a simple example of how NetFlow Analyzer alerts work. Alerts can be
configured for different types of traffic with various criteria and thresholds.
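
The two alert profiles above, expressed as per-minute threshold logic over flow records (an added example, not NetFlow Analyzer's own code). The record layout, the ts field (seconds, taken here as the export time), ifIndex 2 for Serial0/0/0, reading 100KB as 100 * 1024 bytes and all sample values are assumptions.

```python
from collections import defaultdict

ICMP = 1  # IP protocol number
# The lab's two profiles: (name, flow counter, limit per 1-minute window).
# Assumption: "100KB" is read as 100 * 1024 bytes.
PROFILES = [("ICMP packets", "in_pkts", 30),
            ("ICMP volume", "in_bytes", 100 * 1024)]

def evaluate(flows, ifindex, profiles=PROFILES):
    """Return (minute_start, profile, total) for every window over its limit."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["protocol"] != ICMP or f["input_snmp"] != ifindex:
            continue  # only ICMP arriving IN on the selected interface counts
        minute = f["ts"] - f["ts"] % 60
        totals[minute]["in_pkts"] += f["in_pkts"]
        totals[minute]["in_bytes"] += f["in_bytes"]
    return [(minute, name, totals[minute][counter])
            for minute in sorted(totals)
            for name, counter, limit in profiles
            if totals[minute][counter] > limit]

# Constructed flow records (not captured from the lab); ifIndex 2 stands in
# for R1 Serial0/0/0.
SAMPLE_FLOWS = [
    {"ts": 5,   "input_snmp": 2, "protocol": 1, "in_pkts": 6,   "in_bytes": 384},     # IP SLA echo only
    {"ts": 65,  "input_snmp": 2, "protocol": 1, "in_pkts": 6,   "in_bytes": 384},     # IP SLA echo
    {"ts": 110, "input_snmp": 2, "protocol": 1, "in_pkts": 60,  "in_bytes": 3600},    # continuous small ping
    {"ts": 115, "input_snmp": 2, "protocol": 6, "in_pkts": 40,  "in_bytes": 500000},  # TCP, ignored
    {"ts": 170, "input_snmp": 2, "protocol": 1, "in_pkts": 420, "in_bytes": 608880},  # continuous large ping
    {"ts": 175, "input_snmp": 1, "protocol": 1, "in_pkts": 500, "in_bytes": 700000},  # other interface
]

if __name__ == "__main__":
    for minute, name, total in evaluate(SAMPLE_FLOWS, ifindex=2):
        print(f"t={minute}s  {name}: {total}")
```

Because step 3 sets the active timeout to 1 minute, a continuous ping is exported in 1-minute fragments, so its counters fall into the window the thresholds are evaluated on.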

References

[ManageEngine] ManageEngine Enterprise IT Management, http://www.manageengine.com/products/netflow/
[Cisco] Cisco Systems, http://tools.cisco.com/search/results/en/us/get#q=netflow

Device Configurations

R1

hostname R1
!
no ip domain-lookup
!
interface f0/0
ip address 192.168.10.254 255.255.255.0
no sh
!
interface Serial0/0/0
ip address 172.16.10.1 255.255.255.252
clock rate 64000
no sh
!
router ospf 1
network 172.16.10.0 0.0.0.3 area 0
network 192.168.10.0 0.0.0.255 area 0
!
line con 0
logging synchronous
!
end

R2

hostname R2
!
no ip domain lookup
!
interface Serial0/0/0
ip address 172.16.10.2 255.255.255.252
no sh
!

interface Serial0/0/1
ip address 172.16.10.5 255.255.255.252
clock rate 64000
no sh
!
router ospf 1
network 172.16.10.0 0.0.0.3 area 0
network 172.16.10.4 0.0.0.3 area 0
!
line con 0
logging synchronous
!
end

R3

!
hostname R3
!
no ip domain lookup
!
interface f0/0
ip address 10.10.10.254 255.255.255.0
no sh
!
interface Serial0/0/1
ip address 172.16.10.6 255.255.255.252
no sh
!
router ospf 1
network 10.10.10.0 0.0.0.255 area 0
network 172.16.10.4 0.0.0.3 area 0
!
line con 0
logging synchronous
!
end

SW1

hostname SW1
!
no ip domain-lookup
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4

shutdown
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!

interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
!

interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
ip address 192.168.10.253 255.255.255.0
no sh
!
ip default-gateway 192.168.10.254
!
!
line con 0
logging synchronous
!
end

SW2

hostname SW2
!
no ip domain-lookup
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3

shutdown
!
interface FastEthernet0/4
shutdown
!

interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown

!
interface FastEthernet0/18

!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
ip address 10.10.10.253 255.255.255.0
no sh
!
ip default-gateway 10.10.10.254
!
line con 0
logging synchronous
!
end
