
How to Configure Local Router Monitoring with Silverline

Description

Router Monitoring is an additional feature where Silverline receives flow data directly from your router. If you are interested in turning on this feature, please contact your Silverline Sales representative.

Netflow sends sampled data about the "flow" of traffic passing through the customer network to Silverline Collectors. That data is analyzed in real time for known patterns that indicate potential attacks, characterized by multiple signature types. The F5 Silverline SOC team uses this information to proactively mitigate attacks, protecting customer networks.

See also: Router Monitoring: Network Traffic

 

Environment

  • DDoS
  • Silverline Portal
  • Local Router
  • Netflow v5 or v9

 

Procedure

Step 1: Allowlist the following on your local router:

  1. Silverline's collector IP(s):
    1. DCA: 107.162.8.254
    2. SJC: 107.162.9.254
    3. FRA: 107.162.10.254
    4. SIN: 107.162.11.254
    5. LON: 107.162.15.254
  2. TCP/UDP port 161

Step 2: Open a ticket with the SOC with the following information:

  1. Confirmation that you have allowlisted the items above.
  2. IMPORTANT: You must identify which interfaces to listen on (usually the WAN interface)
  3. Exporter IP - this is the IP address of the router that will be monitored (to be used for SNMP & Netflow export)
  4. Silverline Scrubbing Center where you would like to send the Netflow data
    • Example traceroute (collector in San Jose, SJC1):

        $ traceroute -m 20 -n 107.162.9.254
        traceroute to 107.162.9.254 (107.162.9.254), 20 hops max, 52 byte packets
        <snip>
        3 10.160.44.30 3.449 ms 2.123 ms 1.975 ms
        4 10.160.82.5 4.679 ms 4.527 ms 4.427 ms
        5 10.160.0.137 2.231 ms 1.537 ms 1.486 ms
        6 38.104.126.249 1.787 ms 1.587 ms 2.317 ms
        7 213.248.82.152 2.056 ms 1.547 ms 1.617 ms
        8 62.115.118.169 24.422 ms 23.628 ms 23.870 ms
        9 62.115.35.130 22.669 ms 23.320 ms 22.785 ms
  5. Confirm whether you are using Netflow v5 or v9. Our collectors don't support other versions.
  6. Confirm the SNMP version you will be using (v2c or v3)
    • If using v3, the following information is required:
      • SNMP Security Level
      • SNMP Authentication Protocol
      • SNMP Authentication Username
      • SNMP Authentication Password
        • It is not recommended to use passphrases containing special characters. Example: ! ` *
      • Our Flow collectors cannot use Advanced Encryption Standard (AES) 256-bit encryption but support AES 128-bit.
  7. SNMP community string (this can be generated by customer or SOC)
    • Must grant Read-Only access for the SNMP community string
  8. Confirm that the Sampling rate is set to 1:1000 (This is mandatory)
  9. Flow timeout period
  10. Destination port (Netflow collector): Port 2055
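
Items 5 and 8 can be checked before the ticket is opened by capturing one export datagram on UDP 2055 and reading its header. The following is an added example, not F5's code: the function names and the sample datagrams are constructed for illustration. It reads the sampling field only for Netflow v5; for v9 it confirms the version and leaves the sampler to the options data.

```python
import struct

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48
SUPPORTED_VERSIONS = (5, 9)   # the article accepts only v5 and v9
REQUIRED_INTERVAL = 1000      # the article requires 1:1000 sampling


def check_export_datagram(payload: bytes) -> dict:
    """Check the UDP payload of one export datagram sent to port 2055."""
    if len(payload) < 2:
        return {"ok": False, "reason": "too short for a version field"}
    (version,) = struct.unpack_from("!H", payload)
    if version not in SUPPORTED_VERSIONS:
        return {"ok": False, "version": version, "reason": "unsupported version"}
    if version == 9:
        # v9 reports sampler settings in options data records, not the header.
        return {"ok": True, "version": 9, "reason": "check sampler options data"}
    if len(payload) < V5_HEADER.size:
        return {"ok": False, "version": 5, "reason": "truncated v5 header"}
    fields = V5_HEADER.unpack_from(payload)
    count, sampling = fields[1], fields[8]
    if len(payload) != V5_HEADER.size + count * V5_RECORD_LEN:
        return {"ok": False, "version": 5, "reason": "length does not match count"}
    # Top 2 bits carry the sampling mode, the low 14 bits the interval.
    mode, interval = sampling >> 14, sampling & 0x3FFF
    ok = interval == REQUIRED_INTERVAL
    reason = "sampling 1:1000" if ok else f"header advertises interval {interval}"
    return {"ok": ok, "version": 5, "mode": mode, "interval": interval,
            "reason": reason}


def build_v5_sample(interval: int, count: int = 1) -> bytes:
    """Constructed datagram for the demo: zeroed flow records, mode bits = 1."""
    header = V5_HEADER.pack(5, count, 0, 0, 0, 0, 0, 0, (1 << 14) | interval)
    return header + bytes(V5_RECORD_LEN * count)


if __name__ == "__main__":
    for name, data in [("1:1000", build_v5_sample(1000)),
                       ("1:100", build_v5_sample(100)),
                       ("IPFIX", struct.pack("!H", 10) + bytes(14))]:
        print(name, check_export_datagram(data))
```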

 

Other Options

Restricting SNMP Access

  • The following MIBs are required if the customer wishes to restrict the stats sent from their information base (Cisco):
    • IF-MIB : 1.3.6.1.2.1.2.
    • HOST-MIB : .1.3.6.1.2.1.25.
    • SYSTEM-MIB : 1.3.6.1.2.1.1.1

F5 Big-IP

  • sFlow supported - untested
  • IPFix supported BigIP >11.6 - untested

NTOP Netflow Export

  • untested at this time

 

Example: Device Specific Configuration

Cisco IOS Devices

flow record flow-to-silverline
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect interface input
 collect interface output
 collect flow sampler
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

flow exporter export-to-silverline
 description silverline netflow v5
 destination $NETFLOW_COLLECTOR
 source $SOURCE_INTERFACE
 transport udp 2055
 export-protocol netflow-v5
 template data timeout 60
 option interface-table
 option exporter-stats
 option sampler-table
!

flow monitor monitor-to-silverline
 exporter export-to-silverline
 cache timeout active 60
 statistics packet protocol
 record flow-to-silverline
!

sampler sampler-to-silverline
 mode random 1 out-of 1000

interface $CUSTOMER_INTERFACE
 ip flow monitor monitor-to-silverline sampler sampler-to-silverline input

access-list 55 permit 107.162.8.0 0.0.3.255

snmp-server community $COMMUNITY ro 55 


Cisco IOS XR Devices

  • Pending hardware availability for testing

Cisco IOS XE Devices

  •  See IOS devices

Cisco 6500/7600 (MLS Based)

mls netflow
mls aging long 64
mls aging normal 32
mls flow ip interface-full
mls nde sender version 7
mls nde interface
mls sampling packet-based 1024
ip flow-export source $SOURCE_INTERFACE
ip flow-export version 5
ip flow-export destination $FLOW_COLLECTOR 2055
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist

interface $CUSTOMER_INTERFACE
 <snip>
 ip flow ingress
 ip flow egress
 mls netflow sampling

access-list 55 permit 107.162.8.0 0.0.3.255

snmp-server community $COMMUNITY ro 55 


Cisco Switches using Netflow-Lite

Certain Cisco switches (2960-X, etc) can support a "lite" version of Netflow.

flow record flow-to-silverline
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect interface input
 collect interface output
 collect flow sampler
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

flow exporter export-to-silverline
 description silverline netflow
 destination 107.162.11.254
 source $SOURCE_VLAN
 transport udp 2055
 template data timeout 60
 option interface-table
 option exporter-stats
 option sampler-table
!

flow monitor monitor-to-silverline
 exporter export-to-silverline
 cache timeout active 60
 statistics packet protocol
 record flow-to-silverline
!

sampler sampler-to-silverline
 mode random 1 out-of 1000

vlan $SOURCE_VLAN
 name VLAN

interface $CUSTOMER_INTERFACE
 switchport access vlan $SOURCE_VLAN
 ip flow monitor monitor-to-silverline sampler sampler-to-silverline input

access-list 55 permit 107.162.8.0 0.0.3.255

snmp-server community $COMMUNITY ro 55 
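
The access-list 55 entry that restricts the SNMP community in the three Cisco examples above uses the wildcard mask 0.0.3.255. The following added example (not part of F5's article; the function names are hypothetical) evaluates a standard numbered ACL against the collector list from Step 1 and reports any site the ACL would not permit. It assumes SNMP polls originate from those collector addresses.

```python
import ipaddress

# Collector addresses listed in Step 1 of the article.
COLLECTORS = {
    "DCA": "107.162.8.254", "SJC": "107.162.9.254", "FRA": "107.162.10.254",
    "SIN": "107.162.11.254", "LON": "107.162.15.254",
}
# SNMP ACL exactly as it appears in the Cisco examples.
ARTICLE_ACL = "access-list 55 permit 107.162.8.0 0.0.3.255"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(config: str, number: int) -> list:
    """Return (action, address, wildcard) for each numbered standard ACL entry."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        if tok[3] == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif tok[3] == "host":
            if len(tok) < 5:
                continue
            addr, wildcard = tok[4], "0.0.0.0"
        else:
            has_mask = len(tok) > 4 and tok[4][0].isdigit()
            addr, wildcard = tok[3], tok[4] if has_mask else "0.0.0.0"
        entries.append((tok[2], _ip(addr), _ip(wildcard)))
    return entries


def acl_permits(entries: list, source: str) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    src = _ip(source)
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF   # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action == "permit"
    return False


def uncovered_collectors(config: str, number: int = 55) -> list:
    """Collector sites whose address the ACL would not permit."""
    entries = parse_standard_acl(config, number)
    return sorted(s for s, ip in COLLECTORS.items() if not acl_permits(entries, ip))
```

Run against the article's ACL, uncovered_collectors returns ['LON']: 107.162.8.0 0.0.3.255 matches 107.162.8.0 through 107.162.11.255, so 107.162.15.254 falls outside it. A site polled from the London collector needs an additional entry such as access-list 55 permit host 107.162.15.254.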


Juniper Routers

set services flow-monitoring version9 template arborsp ipv4-template
set services flow-monitoring version9 template arborsp6 ipv6-template

set forwarding-options sampling sample-once
set forwarding-options sampling input rate 1000
set forwarding-options sampling input run-length 0
set forwarding-options sampling family inet output flow-server $SILVERLINE_COLLECTOR port 2055
set forwarding-options sampling family inet output flow-server $SILVERLINE_COLLECTOR autonomous-system-type origin
set forwarding-options sampling family inet output flow-server $SILVERLINE_COLLECTOR no-local-dump
set forwarding-options sampling family inet output flow-server $SILVERLINE_COLLECTOR source-address $SOURCE_IP
set forwarding-options sampling family inet6 output flow-server $SILVERLINE_COLLECTOR port 2055
set forwarding-options sampling family inet6 output flow-server $SILVERLINE_COLLECTOR autonomous-system-type origin
set forwarding-options sampling family inet6 output flow-server $SILVERLINE_COLLECTOR no-local-dump
set forwarding-options sampling family inet6 output flow-server $SILVERLINE_COLLECTOR source-address $SOURCE_IP
set forwarding-options sampling family inet6 output flow-server $SILVERLINE_COLLECTOR version9 template arborsp6
set forwarding-options sampling family inet6 output interface $SOURCE_INTERFACE source-address $SOURCE_IP

set interfaces $CUSTOMER_INTERFACE unit $UNIT family inet sampling input

 
