The router must then be configured to export a supported NetFlow packet type to the host running ipacc, on a nominated UDP port.
ipacc supports NetFlow packet versions 1, 5, and 7. The version is selected on the router with the ip flow-export version <version> statement; the collector rejects datagrams of any other version.
Note that because NetFlow export uses UDP, there is no acknowledgement or retransmission: heavy traffic or network instability can silently drop export packets between the NetFlow source and its collector, and the flows they carried are lost for good. If at all possible, the NetFlow source and the collector should be co-located and connected via a dedicated link. This configuration also allows the NetFlow link to be secured against pollution from external sources, since nothing but the router and the collector is attached to it.
The NetFlow collector writes data to a ring buffer, which should be sized to allow for the highest expected volume of flows between processing runs.
First, log into the Cisco router (192.168.1.1 in the examples that follow) and enter "enable" mode. Note that telnet carries the login and enable passwords in clear text; where the IOS image supports it, use ssh instead.

    % telnet 192.168.1.1
    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.

    User Access Verification

    Password: password
    Router> enable
    Password: password
    Router# config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#
Next, every interface whose traffic is to be accounted must be configured for NetFlow switching; an interface without ip route-cache flow produces no flow records at all. For example:

    Router(config)# interface FastEthernet0/0
    Router(config-if)# ip route-cache flow
    Router(config-if)# interface FastEthernet0/1
    Router(config-if)# ip route-cache flow
    Router(config-if)# exit
    Router(config)#
The next step is to enable export of IP flows to the collector. The NetFlow collector supports versions 1, 5, and 7; of these, versions 1 and 5 are the ones usually available on the IOS versions found on routers. Here the collector host is 192.168.1.2 and it listens on UDP port 1999:

    Router(config)# ip flow-export destination 192.168.1.2 1999 version 5
    Router(config)#
Once this is done, NetFlow packets will start being delivered to the collector host.
This is all that is required to start collecting NetFlow. However, the NetFlow cache can be tuned using the ip flow-cache timeout active statement (minutes; how long a still-active flow is held before its accumulated counters are exported) and the ip flow-cache timeout inactive statement (seconds of idle time after which a flow is expired and exported). A shorter active timeout gives the collector more timely figures for long-lived flows at the cost of more export packets.
It is good practice to protect the NetFlow exports. NetFlow export uses plain UDP packets with neither encryption nor authentication, so any host that can reach the collector's port can inject flow records of its own. For this reason, the NetFlow collector should be protected by access lists to prevent invalid data being inadvertently or deliberately sent to it. Ideally, the collector should sit on an interface separate from those carrying live data, and access lists should prevent packets arriving on the live interfaces from reaching the collector's port. For example, if FastEthernet0/0 and FastEthernet0/1 are the customer and Internet interfaces, and FastEthernet0/2 is the collector interface, use an access list along the lines of:
    Router(config)# access-list 101 deny udp any host 192.168.1.2 eq 1999
    Router(config)# access-list 101 permit ip any any
    Router(config)# interface FastEthernet0/0
    Router(config-if)# ip access-group 101 in
    Router(config-if)# interface FastEthernet0/1
    Router(config-if)# ip access-group 101 in
    Router(config-if)# exit
    Router(config)#
This creates an access list that allows any traffic except packets destined for UDP port 1999 on host 192.168.1.2 (the deny line is evaluated before the permit, and the explicit permit ip any any is needed because a Cisco access list ends in an implicit deny), and applies it to the inbound side of the customer and Internet facing interfaces. Thus no internal or external user can send bogus data through the router into the NetFlow collector listening on that port. Note that the access list only governs packets that pass through the router: a host already attached to the collector's segment on FastEthernet0/2 can reach port 1999 directly, which is why that segment should carry nothing but the router and the collector.
Finally, the configuration mode should be exited, and the configuration saved:

    Router(config)# exit
    Router# write memory
    Building configuration...
    [OK]
    Router# quit
    Connection closed by foreign host.
    %
The netflow filter address statement allows NetFlow packets to be filtered by source address. If any netflow filter statements are included in the source configuration, the source address of an incoming NetFlow packet must match one of the IP addresses given for the packet to be processed. The default is to allow packets from any source.
Note that this does not prevent packets from being spoofed, i.e. sent from an attacker's host with the source address set to a filtered address; the filter is a sanity check on the IP header, not an authentication mechanism. Protection against spoofed exports has to come from the router, as described in the previous section on filtering packets coming into the router, or from anti-spoofing filtering on the collector's own network.
The netflow forward address [port] statement forwards any NetFlow packets received to an additional host, e.g. for logging, performance monitoring or intrusion detection. If port is not specified, the same port number as for the collector is used.
For example, collecting on port 1999, allowing access only from host 192.168.1.1, and forwarding to 192.168.1.3 port 2222:

    source nf-router
        collect netflow 1999
        netflow filter 192.168.1.1
        netflow forward 192.168.1.3 2222
    end source
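The following is an added example, not code from ipacc or from this manual, showing what the collector side of the above configuration has to do with each datagram: check that it is a supported NetFlow version and well formed (here version 5, the format exported in the router example), apply the netflow filter semantics described above, and hand a verbatim copy to the netflow forward destination. The sample datagrams, the exporter address 192.168.1.1, the forward target 192.168.1.3:2222 and the function names are assumptions for the example; packets are built in memory and no sockets are opened, so it runs offline. The 30-record limit and the 24-byte header / 48-byte record layout are those of the NetFlow v5 export format.

```python
"""Collector-side handling of NetFlow v5 datagrams: parse, filter by source
address (ipacc "netflow filter" semantics), and mirror accepted datagrams
("netflow forward"). Added example; not part of ipacc."""
import socket
import struct
from typing import List, Optional, Tuple

SUPPORTED_VERSIONS = {1, 5, 7}                    # versions ipacc accepts
V5_HEADER = struct.Struct("!HHIIIIBBH")            # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record


def parse_v5(data: bytes) -> Tuple[dict, List[dict]]:
    """Parse one NetFlow v5 export datagram; raise ValueError if malformed."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not a v5 datagram (version {version})")
    if not 1 <= count <= 30:                       # a v5 exporter sends at most 30 records
        raise ValueError(f"bad record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:                      # truncated or padded datagram
        raise ValueError(f"length {len(data)} != {expected} for {count} records")
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "flow_sequence": seq, "engine_id": engine_id}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return header, records


def accept_source(src_ip: str, allowed: Optional[List[str]]) -> bool:
    """netflow filter semantics: no filter accepts anything; otherwise the
    datagram's IP source must match one configured address."""
    return not allowed or src_ip in allowed


def process(datagrams, allowed, forward_to):
    """datagrams: list of (source_ip, payload) as recvfrom() would yield them.
    Returns (flow records kept, (destination, payload) pairs to forward)."""
    kept, forwarded = [], []
    for src_ip, payload in datagrams:
        if not accept_source(src_ip, allowed):
            continue                               # dropped: not a configured exporter
        try:
            header, records = parse_v5(payload)
        except ValueError:
            continue                               # dropped: malformed or wrong version
        kept.extend(records)
        if forward_to is not None:
            forwarded.append((forward_to, payload))  # would be sent with sendto() unchanged
    return kept, forwarded


def build_v5(flows, seq=0) -> bytes:
    """Construct a v5 datagram from (src, dst, pkts, octets, sport, dport, proto, flags)."""
    hdr = V5_HEADER.pack(5, len(flows), 1000, 1_600_000_000, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                       1, 2, pkts, octs, 900, 1000, sp, dp, 0, flags, proto, 0,
                       0, 0, 24, 24, 0)
        for (s, d, pkts, octs, sp, dp, proto, flags) in flows)
    return hdr + body


# Constructed sample traffic (not captured data): the real exporter 192.168.1.1,
# a stray host 10.9.9.9 replaying the same payload, and a garbage datagram.
# A datagram forged with IP source 192.168.1.1 would be indistinguishable from
# the first one here, which is why the router access list is still required.
SAMPLE = build_v5([
    ("10.0.0.5", "198.51.100.7", 12, 3400, 51234, 80, 6, 0x1b),
    ("198.51.100.7", "10.0.0.5", 10, 9800, 80, 51234, 6, 0x1b),
], seq=42)
DATAGRAMS = [("192.168.1.1", SAMPLE), ("10.9.9.9", SAMPLE), ("192.168.1.1", b"\x00\x05junk")]

if __name__ == "__main__":
    kept, fwd = process(DATAGRAMS, ["192.168.1.1"], ("192.168.1.3", 2222))
    for r in kept:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"proto {r['proto']} {r['octets']} octets")
    print(f"{len(kept)} records kept, {len(fwd)} datagram(s) forwarded")
```

With the filter set to 192.168.1.1 only the first datagram is counted and forwarded; the replay from 10.9.9.9 is dropped by the filter and the garbage datagram by the length check. Running process() with no filter shows the other side of the caveat: the replayed copy is accepted and every flow is double-counted.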