NMS Lab3 NetFlow Monitoring
Topology
[Figure: lab topology. Labels: SNMP Agent; Router1, Router2 and Router3 joined by serial links (Serial 0/0/0, Serial 0/0/1, DCE); SW1 and SW2 (Fa 0/24); PC 1, PC 2 (NetFlow Analyzer), PC 3.]
HELSINKI METROPOLIA UNIVERSITY OF APPLIED SCIENCES
Addressing Table
Objective
The objective of this lab is to get familiar with NetFlow monitoring, get a practical view of
bandwidth usage breakdown and gain experience using Cisco IP SLA.
The following equipment and tools are needed to perform the laboratory exercises:
3 SNMP manageable routers with NetFlow support (Cisco 2811)
2 SNMP manageable switches (Cisco 2960)
3 PCs
cables
Trial version of NetFlow Analyzer
Trap Receiver
Working
1. Set up a network as shown in the picture. Make sure that the start-up configuration file is
empty on each device. Copy the device configurations provided at the end of this
document. Verify the network connectivity (for example, ping PC3 from PC1).
2. Configure all switches and routers to support SNMP with the default community string
"public". Give read/write access with this community string.
In all the active interfaces of the routers, enable SNMP ifIndex persistence with the
following command:
snmp-server ifindex persist
This command allows an interface index value to persist across reboots, which is useful
for greater accuracy of network management data.
Cisco NetFlow is a Cisco developed flow technology that allows bandwidth monitoring of a
network. Cisco routers/switching devices export NetFlow as UDP packets. These Cisco NetFlow
packets can be analyzed using NetFlow Analyzer, to monitor bandwidth, to gather information on
the top talkers, applications and many other features. [ManageEngine]
3. Configure NetFlow export from the global configuration mode on all routers.
Set the source IP address of the NetFlow exports sent by the device. NetFlow Analyzer
will send SNMP requests to the device on this IP address:
ip flow-export source <one of the router active interfaces>
The NetFlow cache entries should be exported to the specified IP address. Use the IP
address of the NetFlow Analyzer server running on PC2 and the default
listener port:
ip flow-export destination 192.168.10.11 9996
Send the flow information on connections that have gone inactive every 15 seconds:
ip flow-cache timeout inactive 15
Enable NetFlow for each active router interface with the following command:
ip flow ingress
Display a summary of the NetFlow statistics and make sure that NetFlow is functioning
properly:
show ip cache flow
ManageEngine NetFlow Analyzer is a traffic analytics tool that leverages flow technologies to
provide real-time visibility into network bandwidth performance. It collects, analyzes and
reports on what the network bandwidth is being used for and by whom. [ManageEngine]
Accept the default settings: NetFlow Analyzer will use 8080 as the default web server
port and 9996 as the default port to listen for NetFlow packets.
The default SNMP community string is public, the default SNMP port is 161.
Do not register for Technical support (leave all fields blank) and click on Skip.
If you see the message: Some of the interfaces have been listed as IfIndex. Enter the
router's SNMP Parameters to retrieve the interfaces names, click on the SNMP
Parameters and click Update.
Go to Dashboards and get familiar with information provided by NetFlow Analyzer. The
main dashboard provides summarized data for the whole network. You can separate data
for each device and each interface by clicking on the device name or interface name.
Cisco IOS IP SLAs sends data across the network to measure performance between multiple
network locations or across multiple network paths. It simulates network data, IP services and
collects network performance information in real time. Measurements provided by the various
Cisco IOS IP SLAs operations can be used for troubleshooting, for problem analysis, and for
designing network topologies. [Cisco] We will use SLA to generate different types of traffic.
Configure R3 as a responder:
R3(config)#ip sla responder
Start FileZilla Server and open the FileZilla Server Interface (find the icons on the Desktop), then click
OK to connect to the server.
Create a new user. Go to Edit -> Users
Add a user admin.
Tick the field Password and set the password to adminpass
Don't close the Users window; go to Shared folders.
Add your FTP folder as a shared folder.
Click OK to apply settings.
Open in the browser ftp://10.10.10.10 and enter the username and password given above
to verify that FTP server is working and you can access the file you previously created in
the shared folder.
11. Generate FTP traffic from R1 to PC3. R1 will request the text file every 30 seconds:
R1(config)#ip sla 3
R1(config-ip-sla)#ftp get ftp://admin:adminpass@10.10.10.10/<your_file_name>
R1(config-ip-sla-ftp)#frequency 30
R1(config-ip-sla-ftp)#exit
13. NetFlow Analyzer supports IP SLA monitoring of VoIP, WAN and Video traffic.
We will create a VoIP monitor that tests the connection between R1 and R3.
Open the NetFlow Analyzer web interface and go to the IPSLA tab.
Go to Settings and start creating a new monitor.
Enter a name for a monitor and choose R1 as a source router and set a source port to
16384. Enter the R3 IP address as a destination IP and click Add.
Click Submit then Apply to Device.
You should see the notification that configuration was successfully submitted to the
device.
Do not proceed if you get error messages. If the configuration cannot be submitted to the
router, check that you provided the read/write access to the router with community string
public.
Open console connection to R1 and make sure that ip sla was added to the router
configuration.
Go to All monitors and open the details by clicking on the name of the monitor.
Find the packet loss, latency, jitter and RTT values for generated traffic.
14. Go to Devices and click on R1 to display the R1 statistics. All traffic generated by IP
SLA has to be present in the Application table.
Generated VoIP traffic is displayed as unknown traffic.
In the Application table, find unknown traffic and click Show Ports, then Add
Mapping. There you should see port 16384. Add the application name (for example,
IPT) and save the mapping. From that moment, all the new traffic from port 16384 will
be displayed as IPT. Look at the Application table and make sure that you can see IPT
there.
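The export datagrams configured in step 3 and the port-to-application mapping from step 14, as an added example that is not part of the original lab handout: a parser for NetFlow version 5 datagrams that totals bytes per application and per source address. It assumes the routers export version 5 (ip flow-export version 5, which the lab configuration does not show); the function names and the sample flows are constructed for illustration.

```python
import socket
import struct
from collections import Counter

# Assumption: version 5 export format (24-byte header, 48-byte records).
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
# Port-to-application map; 16384 -> IPT mirrors the mapping added in step 14.
APP_PORTS = {21: "ftp", 161: "snmp", 16384: "IPT"}

def parse_v5(datagram):
    """Return the flow records carried in one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "octets": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def breakdown(flows, app_ports=APP_PORTS):
    """Sum octets per application and per source address (top talkers)."""
    apps, talkers = Counter(), Counter()
    for fl in flows:
        # Either port may identify the application; unmapped ports are "unknown".
        app = app_ports.get(fl["dport"]) or app_ports.get(fl["sport"]) or "unknown"
        apps[app] += fl["octets"]
        talkers[fl["src"]] += fl["octets"]
    return apps, talkers

def sample_datagram():
    """Constructed sample: two flows from 172.16.10.1 (IP SLA probe and FTP get)."""
    def rec(src, dst, pkts, octets, sport, dport, proto):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           1, 2, pkts, octets, 0, 0, sport, dport, 0, 0, proto, 0,
                           0, 0, 30, 30, 0)
    body = rec("172.16.10.1", "172.16.10.6", 100, 6400, 16384, 16384, 17)
    body += rec("172.16.10.1", "10.10.10.10", 12, 900, 49152, 21, 6)
    return HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    apps, talkers = breakdown(parse_v5(sample_datagram()))
    print(apps.most_common(), talkers.most_common(1))
```

Passing a map without port 16384 to breakdown() puts the IP SLA flow under unknown, which is what the Application table shows before the mapping is saved.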
15. NetFlow Analyzer provides statistics for the whole network, for each device and for
each interface.
Go back to Devices tab, click on interface Serial0/0/0 of R1. You will see the graph
and numbers for the interface speed. Switching between the tabs, you can find
information about traffic volume, link utilization and number of packets sent and
received.
Go to the Application tab (in the upper row) and find out which applications generate the
highest amount of traffic.
16. NetFlow Analyzer allows you to configure alerts and set threshold values. It can be
configured to send SNMP traps or emails when a certain condition is triggered.
Run the program either from the shortcut on the desktop or from Start > All
Programs > Trap Receiver and find out which port the Trap Receiver listens on for traps
(Trap Source).
In Trap Receiver window click Configure. Go to Mibs > Load MIB. Browse to
C:\ManageEngine\NetFlow\lib\ADVENTNET-NETFLOWANALYZER-MIB.
If you don't see this file, remove the filter which shows only *.mib and *.my files.
Click OK and tick the Translate OIDs option.
This configuration provides human-readable names for OIDs sent by NetFlow Analyzer
in SNMP traps.
Wait for a couple of minutes and make sure that Trap Receiver has received a trap. The
trap details can be viewed by clicking on it. You should also see the alert
counters increasing for the ICMP packets alert profile in NetFlow Analyzer.
This should cause both ICMP packets and ICMP volume to be generated.
This is only a simple example of how NetFlow Analyzer alerts work. Alerts can be
configured for different types of traffic with various criteria and thresholds.
References
Cisco Systems,
http://tools.cisco.com/search/results/en/us/get#q=netflow
Device Configurations
R1
hostname R1
!
no ip domain-lookup
!
interface f0/0
ip address 192.168.10.254 255.255.255.0
no sh
!
interface Serial0/0/0
ip address 172.16.10.1 255.255.255.252
clock rate 64000
no sh
!
router ospf 1
network 172.16.10.0 0.0.0.3 area 0
network 192.168.10.0 0.0.0.255 area 0
!
line con 0
logging synchronous
!
end
R2
hostname R2
!
no ip domain lookup
!
interface Serial0/0/0
ip address 172.16.10.2 255.255.255.252
no sh
!
interface Serial0/0/1
ip address 172.16.10.5 255.255.255.252
clock rate 64000
no sh
!
router ospf 1
network 172.16.10.0 0.0.0.3 area 0
network 172.16.10.4 0.0.0.3 area 0
!
line con 0
logging synchronous
!
end
R3
!
hostname R3
!
no ip domain lookup
!
interface f0/0
ip address 10.10.10.254 255.255.255.0
no sh
!
interface Serial0/0/1
ip address 172.16.10.6 255.255.255.252
no sh
!
router ospf 1
network 10.10.10.0 0.0.0.255 area 0
network 172.16.10.4 0.0.0.3 area 0
!
line con 0
logging synchronous
!
end
SW1
hostname SW1
!
no ip domain-lookup
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
ip address 192.168.10.253 255.255.255.0
no sh
!
ip default-gateway 192.168.10.254
!
!
line con 0
logging synchronous
!
end
SW2
hostname SW2
!
no ip domain-lookup
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
ip address 10.10.10.253 255.255.255.0
no sh
!
ip default-gateway 10.10.10.254
!
line con 0
logging synchronous
!
end