Things needed:
flow-tools
flowscan
CUFlow
cacti (I'm using 0.8.6h)
I'm using Debian, so I was able to apt-get everything. Please note, though, that you need the testing version of flowscan to be able to use flow-tools.
So here's how it works:
Code:
Netflow from router -> flow-capture -> flowscan -> rrds -> cacti
                                          ^
                                        CUFlow (report class loaded by flowscan)
On Cisco -
Code:
ip cef
! Do THIS ON EACH INTERFACE you want accounted for
interface e0/0
ip route-cache flow
no ip mroute-cache
!
ip flow-export version 5 peer-as bgp-nexthop
ip flow-export destination 1.2.3.4 9801
! where 1.2.3.4 is your flow collector's IP and 9801 is the UDP port flow-capture will listen on (it must match the flow-capture.conf entry below)
flow-capture:
apt-get install flow-tools #the Debian package that provides flow-capture; I love good package management
vi /etc/flow-tools/flow-capture.conf
Add the following:
-z0 -V5 -n 288 -N0 -w /home/flows -E2G 0/0/9801
See man flow-capture for details and change these to suit your needs. Left to right: -z0 writes the files uncompressed, -V5 stores NetFlow v5 records (the version the router above exports), -n 288 rotates to a new file 288 times a day, i.e. every 5 minutes, -N0 puts the files flat in one directory with no date-based nesting, -w is your save directory, -E2G expires the oldest files once they reach 2 GB on disk, and 0/0/9801 is localip/remoteip/port: listen on every local address, accept flows from any source, on UDP port 9801. That port must match the ip flow-export destination line on your Cisco. -z0 -V5 -N0 are important for flowscan to pick the files up correctly. One caveat: NetFlow is plain UDP with no authentication, so with remoteip set to 0 anyone who can reach port 9801 can feed you bogus flows. Put the router's address in the remoteip field (0/1.2.3.4/9801 style, using your router's real IP) and firewall the port to the router as well.
flowscan:
Pick your favorite method and install flowscan (note: it needs to support flow-tools, not just cflowd; the two file formats are different)
apt-get install -t testing flowscan #good_package_management++
edit /etc/flowscan/flowscan.cf (or wherever your flowscan.cf is)
Change the defaults to:
Code:
FlowFileGlob /home/flows/ft-v05.*
ReportClasses CUFlow
WaitSeconds 30 # change to 300 if you use a SLOW machine or you're processor paranoid
Verbose 1 # you can change this later when it works for sure
A start/stop script for flowscan:
Code:
#!/bin/sh
#Description: Start/stop Flowscan
case "$1" in
'start')
    # background it, send stdout and stderr to the log, detach stdin
    /usr/bin/flowscan >> /var/log/flowscan 2>&1 </dev/null &
    ;;
'stop')
    killall -9 flowscan
    ;;
*)
    echo "Usage: $0 {start | stop }"
    exit 1
    ;;
esac
exit 0
Optional:
Next, I wanted to keep 95th percentile marks ACCURATE for up to 2 months, so I had to change flowscan's way of making default rrds.
You don't have to do this if you don't care about accurate 95th percentile marks.
Edit your FlowScan.pm, find the RRA definitions it uses when it creates a new rrd, and change the values to the following (FlowScan stores one sample every 300 seconds, so the first RRA's 17280 rows are 60 days of unconsolidated 5-minute samples; the others are 30-minute, 2-hour and daily consolidations):
RRA:AVERAGE:.5:1:17280
RRA:AVERAGE:.5:6:1536
RRA:AVERAGE:.5:24:2268
RRA:AVERAGE:.5:288:1890
RRA:MAX:.5:24:2268
RRA:MAX:.5:288:1890
This SHOULD keep up to 60 days' worth of non-compressed data before it starts to compress it down. Feel free to tell me if I'm wrong about this.
CUFlow:
Install cuflow perl module:
apt-get install -t testing flowscan-cuflow
edit /etc/flowscan/CUFlow.cf
Read the CUFlow man page (man CUFlow, or find it online), because you will need to customize this file. Subnet lines declare the address space CUFlow treats as local, which is how it decides whether a flow is inbound or outbound; Network lines give a name to a block of addresses so that block gets its own set of rrds. An example:
Code:
Subnet 1.2.3.0/24 #my internal networks
Network 1.2.3.128/25 customera # Customer A
Network 1.2.3.0/25 customerb #Customer B
OutputDir /home/flows/rrds
Now, if all goes well, you should see rrds appearing in /home/flows/rrds.
Also, if you want to keep your raw flow files, create a directory called "saved" in your /home/flows directory: flowscan deletes each flow file after processing it unless a ./saved directory exists, in which case it moves the file there instead. flowscan never expires those saved files, so keep an eye on disk usage.
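To make the two halves of this concrete, here is an added example of my own (not code from the original post, flow-tools, flowscan or CUFlow): it decodes a NetFlow v5 datagram the way a flow-capture -V5 listener has to, rejecting anything that is not a well-formed v5 export, and then applies Subnet/Network lines like the CUFlow.cf above to split the bytes into per-network inbound and outbound totals. The packet is constructed from sample flows rather than captured, 198.51.100.7 and 203.0.113.9 are documentation addresses standing in for remote hosts, and the accounting rule (a flow counts only when exactly one end is inside a Subnet) is my simplified model of what CUFlow does, not its code.

```python
"""Decode NetFlow v5 datagrams and split the flows by CUFlow-style Subnet /
Network lines.  Added example for this post; not code from flow-tools,
flowscan or CUFlow.  The sample packet below is constructed, not captured."""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header, then up to 30 records of 48 bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(packet: bytes) -> list:
    """Decode one export datagram as a flow-capture -V5 listener sees it.
    Anything that is not a well-formed v5 datagram is rejected."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, router sent version {version}")
    if count > 30 or len(packet) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "srcaddr": ipaddress.IPv4Address(f[0]),
            "dstaddr": ipaddress.IPv4Address(f[1]),
            "input": f[3], "output": f[4],
            "packets": f[5], "bytes": f[6],
            "srcport": f[9], "dstport": f[10], "proto": f[13],
        })
    return records


def accepted_by_collector(packet: bytes) -> bool:
    """True if the datagram passes the v5 checks above."""
    try:
        parse_netflow_v5(packet)
    except ValueError:
        return False
    return True


def parse_cuflow_cf(text: str):
    """Read Subnet (local address space) and Network (named groups) lines.
    Simplified reading of CUFlow.cf; the real module accepts more directives."""
    subnets, networks = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "Subnet":
            subnets.append(ipaddress.ip_network(fields[1]))
        elif fields[0] == "Network":
            networks.append((fields[2], ipaddress.ip_network(fields[1])))
    return subnets, networks


def classify(records, subnets, networks) -> dict:
    """Byte totals keyed by (network name, direction).  A flow counts only when
    exactly one end is inside a Subnet; 'in' means the local end is the
    destination.  This is an assumed model of CUFlow's accounting, not its code."""
    totals = defaultdict(int)
    for r in records:
        src_local = any(r["srcaddr"] in s for s in subnets)
        dst_local = any(r["dstaddr"] in s for s in subnets)
        if src_local == dst_local:
            continue  # internal-only or pure transit: no direction to graph
        local, direction = (r["dstaddr"], "in") if dst_local else (r["srcaddr"], "out")
        totals[("total", direction)] += r["bytes"]
        for name, net in networks:
            if local in net:
                totals[(name, direction)] += r["bytes"]
    return dict(totals)


def build_v5_packet(flows, unix_secs=1_700_000_000) -> bytes:
    """Pack (src, dst, sport, dport, proto, bytes) tuples into a v5 datagram.
    Constructed stand-in for what the router would send to UDP/9801."""
    header = V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)),
                       0, 1, 2, 1, nbytes, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, proto, nbytes in flows)
    return header + body


CUFLOW_CF = """
Subnet 1.2.3.0/24 # my internal networks
Network 1.2.3.128/25 customera
Network 1.2.3.0/25 customerb
"""

SAMPLE_FLOWS = [  # constructed; src, dst, sport, dport, proto, bytes
    ("198.51.100.7", "1.2.3.130", 443, 51000, 6, 1500),  # inbound to customera
    ("1.2.3.10", "203.0.113.9", 51001, 80, 6, 700),      # outbound from customerb
    ("1.2.3.5", "1.2.3.200", 53, 40000, 17, 120),        # both ends local: skipped
    ("198.51.100.7", "203.0.113.9", 1, 1, 1, 64),        # neither end local: skipped
]


def demo() -> dict:
    packet = build_v5_packet(SAMPLE_FLOWS)
    subnets, networks = parse_cuflow_cf(CUFLOW_CF)
    return classify(parse_netflow_v5(packet), subnets, networks)


if __name__ == "__main__":
    for (name, direction), nbytes in sorted(demo().items()):
        print(f"{name:10s} {direction:3s} {nbytes:8d} bytes")
```

Run it directly to print the totals. The same parse_netflow_v5 check, pointed at a datagram sniffed off port 9801, is a cheap way to confirm the router really is exporting version 5 before you blame flowscan for empty rrds.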
rrds -> cacti:
Feel free to search for your favorite process to do this. There are lots of tutorials on HOW to do this already. I will, however, link my personal favorite.
http://forums.cacti.net/viewtopic.php?t=12202
Also, I just duplicated the Traffic - (bits/sec, w/ 95th percentile) graph template for the netflows and it looks great!